diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs
index c83d4ad7ce..7361f03b9e 100644
--- a/rust/src/smb/dcerpc.rs
+++ b/rust/src/smb/dcerpc.rs
@@ -69,6 +69,7 @@ pub struct DCERPCIface {
     pub ack_result: u16,
     pub ack_reason: u16,
     pub acked: bool,
+    pub context_id: u16,
 }
 
 impl DCERPCIface {
@@ -85,6 +86,7 @@ impl DCERPCIface {
 #[derive(Default, Debug)]
 pub struct SMBTransactionDCERPC {
     pub opnum: u16,
+    pub context_id: u16,
     pub req_cmd: u8,
     pub req_set: bool,
     pub res_cmd: u8,
@@ -100,6 +102,7 @@ impl SMBTransactionDCERPC {
     fn new_request(req: u8, call_id: u32) -> Self {
         return Self {
             opnum: 0,
+            context_id: 0,
             req_cmd: req,
             req_set: true,
             call_id: call_id,
@@ -236,6 +239,7 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState,
                 SCLogDebug!("first frag size {}", recr.data.len());
                 tdn.stub_data_ts.extend_from_slice(recr.data);
                 tdn.opnum = recr.opnum;
+                tdn.context_id = recr.context_id;
                 tdn.frag_cnt_ts += 1;
                 SCLogDebug!("DCERPC: REQUEST opnum {} stub data len {}",
                         tdn.opnum, tdn.stub_data_ts.len());
diff --git a/rust/src/smb/dcerpc_records.rs b/rust/src/smb/dcerpc_records.rs
index 98b072986a..a454b444f3 100644
--- a/rust/src/smb/dcerpc_records.rs
+++ b/rust/src/smb/dcerpc_records.rs
@@ -48,6 +48,7 @@ pub fn parse_dcerpc_response_record(i:&[u8], frag_len: u16 )
 #[derive(Debug,PartialEq)]
 pub struct DceRpcRequestRecord<'a> {
     pub opnum: u16,
+    pub context_id: u16,
     pub data: &'a[u8],
 }
 
@@ -59,11 +60,12 @@ pub fn parse_dcerpc_request_record(i:&[u8], frag_len: u16, little: bool)
     if frag_len < 24 {
         return Err(Err::Error(SmbError::RecordTooSmall));
     }
-    let (i, _) = take(6_usize)(i)?;
+    let (i, _) = take(4_usize)(i)?;
     let endian = if little { Endianness::Little } else { Endianness::Big };
+    let (i, context_id) = u16(endian)(i)?;
     let (i, opnum) = u16(endian)(i)?;
     let (i, data) = take(frag_len - 24)(i)?;
-    let record = DceRpcRequestRecord { opnum, data };
+    let record = DceRpcRequestRecord { opnum, context_id, data };
     Ok((i, record))
 }
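Review bot: `tdn.context_id = recr.context_id` copies the wire value straight into the transaction, while the `context_id` field added to `DCERPCIface` in the first hunk is never written anywhere in this diff, so how the two are meant to relate is not visible here; presumably a bind/bind-ack path elsewhere fills the interface side. If the transaction's id is later used to look up the bound interface, a non-matching id should be handled as an unknown context rather than used as an index, since the value comes from the peer. Neither new field carries a doc comment; on `SMBTransactionDCERPC` something like `/// Presentation context id (p_cont_id) taken from the first request fragment.` would state the source. smb_write_dcerpc_record starts and ends outside the hunk.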
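Review bot: The `take(4_usize)` skip together with the `frag_len < 24` guard and `take(frag_len - 24)` encode the request PDU layout without saying so, and changing the skip from 6 to 4 bytes is exactly the kind of offset edit a comment would protect against next time. Assuming the caller has already consumed the 16-byte common header, the fixed part parsed here is alloc_hint (4 bytes, skipped), p_cont_id (2) and opnum (2), which a comment on the `take` line such as `// after the 16-byte common header: alloc_hint (skipped), p_cont_id, opnum` would make explicit. `parse_dcerpc_response_record`, named in the hunk header above, is not touched by this diff; if responses are later matched to requests by context id it will need the corresponding field. parse_dcerpc_request_record's signature starts outside the hunk.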