dcerpc: use bind context_id in SMB

Ticket: 8375 logger already read this variable but it was never set, and the rust compiler did not warn about this Allows to log the interface uuid when ctx_id > 0 Wireshark filter for related pcaps dcerpc.cn_ctx_id > 0 && dcerpc.pkt_type == 0 (cherry picked from commit 6587e363a3)
2 months ago · 07c96bf218
parent 884125429f
commit 07c96bf218
2 changed files with 8 additions and 4 deletions
--- a/rust/src/smb/dcerpc.rs
+++ b/rust/src/smb/dcerpc.rs
@ -74,11 +74,12 @@ pub struct DCERPCIface {
 }

 impl DCERPCIface {
-    pub fn new(uuid: Vec<u8>, ver: u16, ver_min: u16) -> Self {
+    pub fn new(uuid: Vec<u8>, ver: u16, ver_min: u16, context_id: u16) -> Self {
        Self {
            uuid,
            ver,
            ver_min,
+            context_id,
            ..Default::default()
        }
    }
@ -293,7 +294,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
                                    };
                                    let uuid_str = uuid::Uuid::from_slice(&x.clone());
                                    let _uuid_str = uuid_str.map(|uuid_str| uuid_str.to_hyphenated().to_string()).unwrap();
-                                    let d = DCERPCIface::new(x,i.ver,i.ver_min);
+                                    let d = DCERPCIface::new(x,i.ver,i.ver_min,i.ctx_id);
                                    SCLogDebug!("UUID {} version {}/{} bytes {:?}",
                                            _uuid_str,
                                            i.ver, i.ver_min,i.iface);
--- a/rust/src/smb/dcerpc_records.rs
+++ b/rust/src/smb/dcerpc_records.rs
@ -71,13 +71,14 @@ pub fn parse_dcerpc_request_record(i:&[u8], frag_len: u16, little: bool)

 #[derive(Debug,PartialEq, Eq)]
 pub struct DceRpcBindIface<'a> {
+    pub ctx_id: u16,
    pub iface: &'a[u8],
    pub ver: u16,
    pub ver_min: u16,
 }

 pub fn parse_dcerpc_bind_iface(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'_>> {
-    let (i, _ctx_id) = le_u16(i)?;
+    let (i, ctx_id) = le_u16(i)?;
    let (i, _num_trans_items) = le_u8(i)?;
    let (i, _) = take(1_usize)(i)?; // reserved
    let (i, interface) = take(16_usize)(i)?;
@ -85,6 +86,7 @@ pub fn parse_dcerpc_bind_iface(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'_>>
    let (i, ver_min) = le_u16(i)?;
    let (i, _) = take(20_usize)(i)?;
    let res = DceRpcBindIface {
+        ctx_id,
        iface:interface,
        ver,
        ver_min,
@ -93,7 +95,7 @@ pub fn parse_dcerpc_bind_iface(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'_>>
 }

 pub fn parse_dcerpc_bind_iface_big(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'_>> {
-    let (i, _ctx_id) = le_u16(i)?;
+    let (i, ctx_id) = le_u16(i)?;
    let (i, _num_trans_items) = le_u8(i)?;
    let (i, _) = take(1_usize)(i)?; // reserved
    let (i, interface) = take(16_usize)(i)?;
@ -101,6 +103,7 @@ pub fn parse_dcerpc_bind_iface_big(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'
    let (i, ver) = be_u16(i)?;
    let (i, _) = take(20_usize)(i)?;
    let res = DceRpcBindIface {
+        ctx_id,
        iface:interface,
        ver,
        ver_min,