rust/smb/dcerpc: parse context id

As context id is used to know to which variant of the endpoint the request is done, it is interesting to parse it. Feature #5413.
3 years ago · b6f1cf255c
parent d1ebf320f7
commit b6f1cf255c
2 changed files with 8 additions and 2 deletions
--- a/rust/src/smb/dcerpc.rs
+++ b/rust/src/smb/dcerpc.rs
@ -69,6 +69,7 @@ pub struct DCERPCIface {
    pub ack_result: u16,
    pub ack_reason: u16,
    pub acked: bool,
+    pub context_id: u16,
 }

 impl DCERPCIface {
@ -85,6 +86,7 @@ impl DCERPCIface {
 #[derive(Default, Debug)]
 pub struct SMBTransactionDCERPC {
    pub opnum: u16,
+    pub context_id: u16,
    pub req_cmd: u8,
    pub req_set: bool,
    pub res_cmd: u8,
@ -100,6 +102,7 @@ impl SMBTransactionDCERPC {
    fn new_request(req: u8, call_id: u32) -> Self {
        return Self {
            opnum: 0,
+            context_id: 0,
            req_cmd: req,
            req_set: true,
            call_id: call_id,
@ -236,6 +239,7 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState,
                                SCLogDebug!("first frag size {}", recr.data.len());
                                tdn.stub_data_ts.extend_from_slice(recr.data);
                                tdn.opnum = recr.opnum;
+                                tdn.context_id = recr.context_id;
                                tdn.frag_cnt_ts += 1;
                                SCLogDebug!("DCERPC: REQUEST opnum {} stub data len {}",
                                        tdn.opnum, tdn.stub_data_ts.len());
--- a/rust/src/smb/dcerpc_records.rs
+++ b/rust/src/smb/dcerpc_records.rs
@ -48,6 +48,7 @@ pub fn parse_dcerpc_response_record(i:&[u8], frag_len: u16 )
 #[derive(Debug,PartialEq)]
 pub struct DceRpcRequestRecord<'a> {
    pub opnum: u16,
+    pub context_id: u16,
    pub data: &'a[u8],
 }

@ -59,11 +60,12 @@ pub fn parse_dcerpc_request_record(i:&[u8], frag_len: u16, little: bool)
    if frag_len < 24 {
        return Err(Err::Error(SmbError::RecordTooSmall));
    }
-    let (i, _) = take(6_usize)(i)?;
+    let (i, _) = take(4_usize)(i)?;
    let endian = if little { Endianness::Little } else { Endianness::Big };
+    let (i, context_id) = u16(endian)(i)?;
    let (i, opnum) = u16(endian)(i)?;
    let (i, data) = take(frag_len - 24)(i)?;
-    let record = DceRpcRequestRecord { opnum, data };
+    let record = DceRpcRequestRecord { opnum, context_id, data };
    Ok((i, record))
 }