From 34ed8958a6eb27f16535c6a58bbee2dce284325a Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 13 Mar 2026 13:59:15 +0100 Subject: [PATCH] dcerpc: only log the tx interfaces Not all the state ones Ticket: 8378 --- rust/src/dcerpc/log.rs | 76 +++++++++++++++++++++++++++++------------- 1 file changed, 52 insertions(+), 24 deletions(-) diff --git a/rust/src/dcerpc/log.rs b/rust/src/dcerpc/log.rs index 5a00bdf8df..95b8962680 100644 --- a/rust/src/dcerpc/log.rs +++ b/rust/src/dcerpc/log.rs @@ -20,27 +20,6 @@ use crate::dcerpc::dcerpc::*; use crate::dcerpc::dcerpc_udp::*; use crate::jsonbuilder::{JsonBuilder, JsonError}; -fn log_bind_interfaces(jsb: &mut JsonBuilder, state: &DCERPCState) -> Result<(), JsonError> { - if !state.interface_uuids.is_empty() { - jsb.open_array("interfaces")?; - for uuid in &state.interface_uuids { - jsb.start_object()?; - let ifstr = Uuid::from_slice(uuid.uuid.as_slice()); - let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap(); - jsb.set_string("uuid", &ifstr)?; - let vstr = format!("{}.{}", uuid.version, uuid.versionminor); - jsb.set_string("version", &vstr)?; - // TODO? log only the interface for the right ctxid jsb.set_uint("ctxid", uuid.ctxid as u64)?; - if uuid.acked { - jsb.set_uint("ack_result", uuid.result as u64)?; - } - jsb.close()?; - } - jsb.close()?; - } - return Ok(()); -} - fn log_dcerpc_header_tcp( jsb: &mut JsonBuilder, state: &DCERPCState, tx: &DCERPCTransaction, ) -> Result<(), JsonError> { 
@@ -53,9 +32,56 @@ fn log_dcerpc_header_tcp(
 jsb.set_uint("frag_cnt", tx.frag_cnt_ts as u64)?;
 jsb.set_uint("stub_data_size", tx.stub_data_buffer_ts.len() as u64)?;
 jsb.close()?;
- log_bind_interfaces(jsb, state)?;
+
+ let mut found = false;
+ let mark = jsb.get_mark();
+ jsb.open_array("interfaces")?;
+ for uuid in &state.interface_uuids {
+ if tx.ctxid == uuid.ctxid {
+ found = true;
+ jsb.start_object()?;
+ let ifstr = Uuid::from_slice(uuid.uuid.as_slice());
+ let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
+ jsb.set_string("uuid", &ifstr)?;
+ let vstr = format!("{}.{}", uuid.version, uuid.versionminor);
+ jsb.set_string("version", &vstr)?;
+ if uuid.acked {
+ jsb.set_uint("ack_result", uuid.result as u64)?;
+ }
+ jsb.close()?;
+ }
+ }
+ if !found {
+ jsb.restore_mark(&mark)?;
+ } else {
+ jsb.close()?;
+ }
+ }
+ DCERPC_TYPE_BIND => {
+ let mut found = false;
+ let mark = jsb.get_mark();
+ jsb.open_array("interfaces")?;
+ for uuid in &state.interface_uuids {
+ if tx.call_id == uuid.call_id {
+ found = true;
+ jsb.start_object()?;
+ let ifstr = Uuid::from_slice(uuid.uuid.as_slice());
+ let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
+ jsb.set_string("uuid", &ifstr)?;
+ let vstr = format!("{}.{}", uuid.version, uuid.versionminor);
+ jsb.set_string("version", &vstr)?;
+ if uuid.acked {
+ jsb.set_uint("ack_result", uuid.result as u64)?;
+ }
+ jsb.close()?;
+ }
+ }
+ if !found {
+ jsb.restore_mark(&mark)?;
+ } else {
+ jsb.close()?;
+ }
 }
- DCERPC_TYPE_BIND => log_bind_interfaces(jsb, state)?,
 _ => {}
 }
 } else {
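Review bot: Both new `interfaces` loops (the one matching `tx.ctxid == uuid.ctxid` and the `DCERPC_TYPE_BIND` one matching `tx.call_id == uuid.call_id`) keep `Uuid::from_slice(...).map(...).unwrap()`, so an entry whose `uuid` is not exactly 16 bytes would panic the logger on data that originates from the wire. How `interface_uuids` is filled is not visible in this hunk, so the parser may already guarantee the length, but the output path should not depend on that. The two loops are otherwise identical apart from the match condition, so one helper that converts the UUID without `unwrap()` would remove both the duplication and the panic path. `log_dcerpc_header_tcp` starts and ends outside this hunk; the helper name and the `by_call_id` flag below are only a suggestion.

```rust
fn log_tx_interfaces(
    jsb: &mut JsonBuilder, state: &DCERPCState, tx: &DCERPCTransaction, by_call_id: bool,
) -> Result<(), JsonError> {
    let mark = jsb.get_mark();
    let mut found = false;
    jsb.open_array("interfaces")?;
    for uuid in &state.interface_uuids {
        let wanted = if by_call_id {
            tx.call_id == uuid.call_id
        } else {
            tx.ctxid == uuid.ctxid
        };
        if !wanted {
            continue;
        }
        found = true;
        jsb.start_object()?;
        // A malformed entry is logged without "uuid" instead of aborting the logger.
        if let Ok(ifuuid) = Uuid::from_slice(uuid.uuid.as_slice()) {
            jsb.set_string("uuid", &ifuuid.to_hyphenated().to_string())?;
        }
        // … unchanged: "version" and "ack_result" fields …
        jsb.close()?;
    }
    if found {
        jsb.close()?;
    } else {
        // Nothing matched this tx: drop the empty "interfaces" array.
        jsb.restore_mark(&mark)?;
    }
    Ok(())
}
```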
@@ -121,7 +147,9 @@ fn log_dcerpc_header_udp(
 jsb.set_string("response", "UNREPLIED")?;
 }
 let activityuuid = Uuid::from_slice(tx.activityuuid.as_slice());
- let activityuuid = activityuuid.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
+ let activityuuid = activityuuid
+ .map(|uuid| uuid.to_hyphenated().to_string())
+ .unwrap();
 jsb.set_string("activityuuid", &activityuuid)?;
 jsb.set_uint("seqnum", tx.seqnum as u64)?;
 jsb.set_string("rpc_version", "4.0")?;