aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rust/smb/dcerpc: parse context id

Browse Source 
As context id is used to know to which variant of the endpoint the
request is done, it is interesting to parse it.

Feature #5413.
pull/7767/head
Eric Leblond 3 years ago committed by Victor Julien
parent d1ebf320f7
commit b6f1cf255c
2 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File

4
rust/src/smb/dcerpc.rs
Unescape Escape View File

@ -69,6 +69,7 @@ pub struct DCERPCIface {
pub ack_result: u16, pub ack_result: u16,
pub ack_reason: u16, pub ack_reason: u16,
pub acked: bool, pub acked: bool,
pub context_id: u16,
} }
impl DCERPCIface { impl DCERPCIface {
@ -85,6 +86,7 @@ impl DCERPCIface {
#[derive(Default, Debug)] #[derive(Default, Debug)]
pub struct SMBTransactionDCERPC { pub struct SMBTransactionDCERPC {
pub opnum: u16, pub opnum: u16,
pub context_id: u16,
pub req_cmd: u8, pub req_cmd: u8,
pub req_set: bool, pub req_set: bool,
pub res_cmd: u8, pub res_cmd: u8,
@ -100,6 +102,7 @@ impl SMBTransactionDCERPC {
fn new_request(req: u8, call_id: u32) -> Self { fn new_request(req: u8, call_id: u32) -> Self {
return Self { return Self {
opnum: 0, opnum: 0,
context_id: 0,
req_cmd: req, req_cmd: req,
req_set: true, req_set: true,
call_id: call_id, call_id: call_id,
@ -236,6 +239,7 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState,
SCLogDebug!("first frag size {}", recr.data.len()); SCLogDebug!("first frag size {}", recr.data.len());
tdn.stub_data_ts.extend_from_slice(recr.data); tdn.stub_data_ts.extend_from_slice(recr.data);
tdn.opnum = recr.opnum; tdn.opnum = recr.opnum;
tdn.context_id = recr.context_id;
tdn.frag_cnt_ts += 1; tdn.frag_cnt_ts += 1;
SCLogDebug!("DCERPC: REQUEST opnum {} stub data len {}", SCLogDebug!("DCERPC: REQUEST opnum {} stub data len {}",
tdn.opnum, tdn.stub_data_ts.len()); tdn.opnum, tdn.stub_data_ts.len());

6
rust/src/smb/dcerpc_records.rs
Unescape Escape View File

@ -48,6 +48,7 @@ pub fn parse_dcerpc_response_record(i:&[u8], frag_len: u16 )
#[derive(Debug,PartialEq)] #[derive(Debug,PartialEq)]
pub struct DceRpcRequestRecord<'a> { pub struct DceRpcRequestRecord<'a> {
pub opnum: u16, pub opnum: u16,
pub context_id: u16,
pub data: &'a[u8], pub data: &'a[u8],
} }
@ -59,11 +60,12 @@ pub fn parse_dcerpc_request_record(i:&[u8], frag_len: u16, little: bool)
if frag_len < 24 { if frag_len < 24 {
return Err(Err::Error(SmbError::RecordTooSmall)); return Err(Err::Error(SmbError::RecordTooSmall));
} }
let (i, _) = take(6_usize)(i)?; let (i, _) = take(4_usize)(i)?;
let endian = if little { Endianness::Little } else { Endianness::Big }; let endian = if little { Endianness::Little } else { Endianness::Big };
let (i, context_id) = u16(endian)(i)?;
let (i, opnum) = u16(endian)(i)?; let (i, opnum) = u16(endian)(i)?;
let (i, data) = take(frag_len - 24)(i)?; let (i, data) = take(frag_len - 24)(i)?;
let record = DceRpcRequestRecord { opnum, data }; let record = DceRpcRequestRecord { opnum, context_id, data };
Ok((i, record)) Ok((i, record))
} }

Write Preview
Loading…
Cancel
Save