aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

dcerpc: only log the tx interfaces

Browse Source 
Not all the state ones

Ticket: 8378
pull/15097/head
Philippe Antoine 1 month ago committed by Victor Julien
parent 05a11e2897
commit 34ed8958a6
1 changed files with 52 additions and 24 deletions
Show Stats Download Patch File Download Diff File

76
rust/src/dcerpc/log.rs
Unescape Escape View File

@ -20,27 +20,6 @@ use crate::dcerpc::dcerpc::*;
use crate::dcerpc::dcerpc_udp::*;
use crate::jsonbuilder::{JsonBuilder, JsonError};
fn log_bind_interfaces(jsb: &mut JsonBuilder, state: &DCERPCState) -> Result<(), JsonError> {
if !state.interface_uuids.is_empty() {
jsb.open_array("interfaces")?;
for uuid in &state.interface_uuids {
jsb.start_object()?;
let ifstr = Uuid::from_slice(uuid.uuid.as_slice());
let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
jsb.set_string("uuid", &ifstr)?;
let vstr = format!("{}.{}", uuid.version, uuid.versionminor);
jsb.set_string("version", &vstr)?;
// TODO? log only the interface for the right ctxid jsb.set_uint("ctxid", uuid.ctxid as u64)?;
if uuid.acked {
jsb.set_uint("ack_result", uuid.result as u64)?;
}
jsb.close()?;
}
jsb.close()?;
}
return Ok(());
}
fn log_dcerpc_header_tcp(
jsb: &mut JsonBuilder, state: &DCERPCState, tx: &DCERPCTransaction,
) -> Result<(), JsonError> {
@ -53,9 +32,56 @@ fn log_dcerpc_header_tcp(
jsb.set_uint("frag_cnt", tx.frag_cnt_ts as u64)?;
jsb.set_uint("stub_data_size", tx.stub_data_buffer_ts.len() as u64)?;
jsb.close()?;
log_bind_interfaces(jsb, state)?;
let mut found = false;
let mark = jsb.get_mark();
jsb.open_array("interfaces")?;
for uuid in &state.interface_uuids {
if tx.ctxid == uuid.ctxid {
found = true;
jsb.start_object()?;
let ifstr = Uuid::from_slice(uuid.uuid.as_slice());
let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
jsb.set_string("uuid", &ifstr)?;
let vstr = format!("{}.{}", uuid.version, uuid.versionminor);
jsb.set_string("version", &vstr)?;
if uuid.acked {
jsb.set_uint("ack_result", uuid.result as u64)?;
}
jsb.close()?;
}
}
if !found {
jsb.restore_mark(&mark)?;
} else {
jsb.close()?;
}
}
DCERPC_TYPE_BIND => {
let mut found = false;
let mark = jsb.get_mark();
jsb.open_array("interfaces")?;
for uuid in &state.interface_uuids {
if tx.call_id == uuid.call_id {
found = true;
jsb.start_object()?;
let ifstr = Uuid::from_slice(uuid.uuid.as_slice());
let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
jsb.set_string("uuid", &ifstr)?;
let vstr = format!("{}.{}", uuid.version, uuid.versionminor);
jsb.set_string("version", &vstr)?;
if uuid.acked {
jsb.set_uint("ack_result", uuid.result as u64)?;
}
jsb.close()?;
}
}
if !found {
jsb.restore_mark(&mark)?;
} else {
jsb.close()?;
}
}
DCERPC_TYPE_BIND => log_bind_interfaces(jsb, state)?,
_ => {}
}
} else {
@ -121,7 +147,9 @@ fn log_dcerpc_header_udp(
jsb.set_string("response", "UNREPLIED")?;
}
let activityuuid = Uuid::from_slice(tx.activityuuid.as_slice());
let activityuuid = activityuuid.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
let activityuuid = activityuuid
.map(|uuid| uuid.to_hyphenated().to_string())
.unwrap();
jsb.set_string("activityuuid", &activityuuid)?;
jsb.set_uint("seqnum", tx.seqnum as u64)?;
jsb.set_string("rpc_version", "4.0")?;

Write Preview
Loading…
Cancel
Save