From 07c96bf21891d7f006cfd2994ea78befffe10f9f Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 6 Mar 2026 15:51:05 +0100
Subject: [PATCH] dcerpc: use bind context_id in SMB
Ticket: 8375
logger already read this variable but it was never set, and the rust compiler did not warn about this
Allows to log the interface uuid when ctx_id > 0
Wireshark filter for related pcaps dcerpc.cn_ctx_id > 0 && dcerpc.pkt_type == 0
(cherry picked from commit 6587e363a3444835a7787f1c16b42f881b7fa592)
---
 rust/src/smb/dcerpc.rs | 5 +++--
 rust/src/smb/dcerpc_records.rs | 7 +++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs
index c7560b7a66..9d3907ff10 100644
--- a/rust/src/smb/dcerpc.rs
+++ b/rust/src/smb/dcerpc.rs
@@ -74,11 +74,12 @@ pub struct DCERPCIface {
 }
 impl DCERPCIface {
- pub fn new(uuid: Vec, ver: u16, ver_min: u16) -> Self {
+ pub fn new(uuid: Vec, ver: u16, ver_min: u16, context_id: u16) -> Self {
 Self {
 uuid,
 ver,
 ver_min,
+ context_id,
 ..Default::default()
 }
 }
@@ -293,7 +294,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
 };
 let uuid_str = uuid::Uuid::from_slice(&x.clone());
 let _uuid_str = uuid_str.map(|uuid_str| uuid_str.to_hyphenated().to_string()).unwrap();
- let d = DCERPCIface::new(x,i.ver,i.ver_min);
+ let d = DCERPCIface::new(x,i.ver,i.ver_min,i.ctx_id);
 SCLogDebug!("UUID {} version {}/{} bytes {:?}", _uuid_str, i.ver, i.ver_min,i.iface);
diff --git a/rust/src/smb/dcerpc_records.rs b/rust/src/smb/dcerpc_records.rs
index a51c5e4de0..5c64f3b78e 100644
--- a/rust/src/smb/dcerpc_records.rs
+++ b/rust/src/smb/dcerpc_records.rs
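Review bot: `DCERPCIface::new` now takes three consecutive `u16` arguments (`ver`, `ver_min`, `context_id`), so a call with two of them transposed compiles silently, and the constructor has no doc comment saying where each value comes from. I would add `/// context_id: presentation context id of the bind item, stored as sent by the client` above `new`. The remaining fields are still filled by `..Default::default()`, so the doc comment is also the place to say which of them are only set later.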
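Review bot: `i.ctx_id` in the `smb_write_dcerpc_record` hunk is stored exactly as the client sent it, and nothing visible here checks that context ids are unique across the items of one bind. If the lookup that maps a request's context id to an interface (outside this patch) takes the first match, a bind carrying two items with the same id could make the logged uuid differ from the interface the server actually bound, which matters for detection. I would note this at the call site, e.g. `// ctx_id is client-controlled and may repeat across bind items`, and add a test that covers a repeated id. The function starts and ends outside the hunk.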
@@ -71,13 +71,14 @@ pub fn parse_dcerpc_request_record(i:&[u8], frag_len: u16, little: bool)
 #[derive(Debug,PartialEq, Eq)]
 pub struct DceRpcBindIface<'a> {
+ pub ctx_id: u16,
 pub iface: &'a[u8],
 pub ver: u16,
 pub ver_min: u16,
 }
 pub fn parse_dcerpc_bind_iface(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'_>> {
- let (i, _ctx_id) = le_u16(i)?;
+ let (i, ctx_id) = le_u16(i)?;
 let (i, _num_trans_items) = le_u8(i)?;
 let (i, _) = take(1_usize)(i)?; // reserved
 let (i, interface) = take(16_usize)(i)?;
@@ -85,6 +86,7 @@ pub fn parse_dcerpc_bind_iface(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'_>>
 let (i, ver_min) = le_u16(i)?;
 let (i, _) = take(20_usize)(i)?;
 let res = DceRpcBindIface {
+ ctx_id,
 iface:interface,
 ver,
 ver_min,
@@ -93,7 +95,7 @@ pub fn parse_dcerpc_bind_iface(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'_>>
 }
 pub fn parse_dcerpc_bind_iface_big(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'_>> {
- let (i, _ctx_id) = le_u16(i)?;
+ let (i, ctx_id) = le_u16(i)?;
 let (i, _num_trans_items) = le_u8(i)?;
 let (i, _) = take(1_usize)(i)?; // reserved
 let (i, interface) = take(16_usize)(i)?;
@@ -101,6 +103,7 @@ pub fn parse_dcerpc_bind_iface_big(i: &[u8]) -> IResult<&[u8], DceRpcBindIface<'
 let (i, ver) = be_u16(i)?;
 let (i, _) = take(20_usize)(i)?;
 let res = DceRpcBindIface {
+ ctx_id,
 iface:interface,
 ver,
 ver_min,
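Review bot: In the `parse_dcerpc_bind_iface_big` hunk (-93,7 +95,7) the context id is still read with `le_u16`, while the version field of this big-endian variant is read with `be_u16` in the next hunk. While the value was discarded as `_ctx_id` the byte order did not matter. Now that it is stored, a big-endian bind would presumably yield a byte-swapped id (1 read as 256), so a lookup by context id would miss and the interface uuid would go unlogged for those sessions. Assuming the field follows the packet's data representation like the version fields, I would change the line to `let (i, ctx_id) = be_u16(i)?;` and add a unit test with a big-endian bind item carrying a non-zero ctx_id. The function body continues into the following hunk.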