dcerpc: save version info in tx

to make it available for logging.
11 months ago · fc88e61c7f
parent 0d6017d174
commit fc88e61c7f
3 changed files with 9 additions and 10 deletions
--- a/rust/src/dcerpc/dcerpc.rs
+++ b/rust/src/dcerpc/dcerpc.rs
@ -172,6 +172,7 @@ pub struct DCERPCTransaction {
    pub ctxid: u16,
    pub opnum: u16,
    pub first_request_seen: u8,
+    pub min_version: u8,
    pub call_id: u32, // ID to match any request-response pair
    pub frag_cnt_ts: u16,
    pub frag_cnt_tc: u16,
@ -368,6 +369,9 @@ impl DCERPCState {
            }
            self.tx_index_completed = index;
        }
+        if let Some(hdr) = &self.header {
+            tx.min_version = hdr.rpc_vers_minor;
+        }
        tx
    }

--- a/rust/src/dcerpc/detect.rs
+++ b/rust/src/dcerpc/detect.rs
@ -211,12 +211,9 @@ pub extern "C" fn rs_dcerpc_iface_match(
        return 0;
    }

-    match state.get_hdr_type() {
-        Some(DCERPC_TYPE_REQUEST | DCERPC_TYPE_RESPONSE) => {}
-        _ => {
+    if !(tx.req_cmd == DCERPC_TYPE_REQUEST || tx.resp_cmd == DCERPC_TYPE_RESPONSE) {
            return 0;
-        }
-    };
+    }

    return match_backuuid(tx, state, if_data);
 }
--- a/rust/src/dcerpc/log.rs
+++ b/rust/src/dcerpc/log.rs
@ -69,11 +69,9 @@ fn log_dcerpc_header_tcp(
        jsb.set_string("response", "UNREPLIED")?;
    }

-    if let Some(ref hdr) = state.header {
-        jsb.set_uint("call_id", tx.call_id as u64)?;
-        let vstr = format!("{}.{}", hdr.rpc_vers, hdr.rpc_vers_minor);
-        jsb.set_string("rpc_version", &vstr)?;
-    }
+    jsb.set_uint("call_id", tx.call_id as u64)?;
+    let vstr = format!("5.{}", tx.min_version);
+    jsb.set_string("rpc_version", &vstr)?;

    return Ok(());
 }