bind and bind_ack tracking

root 17 years ago committed by Victor Julien
parent c7fb7fa26a
commit 5113636744


@ -10,7 +10,7 @@
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "flow.h"
#include <queue.h>
#include "queue.h"
void RegisterDCERPCParsers(void);
void DCERPCParserTests(void);
@ -89,20 +89,32 @@ typedef struct dcerpc_hdr_ {
#define DCERPC_HDR_LEN 16
struct entry {
struct uuid_entry {
uint16_t ctxid;
uint16_t result;
uint8_t uuid[16];
TAILQ_ENTRY(entry) entries; /* Tail queue. */
} *n1, *n2, *np;
uint16_t version;
uint16_t versionminor;
TAILQ_ENTRY(uuid_entry) next;
};
typedef struct DCERPCState_ {
dcerpc_t dcerpc;
uint16_t bytesprocessed;
uint8_t numctxitems;
uint8_t numctxitemsleft;
uint8_t ctxbytesprocessed;
TAILQ_HEAD(tailhead, entry) head;
struct entry *item;
uint16_t ctxid;
uint16_t result;
uint8_t uuid[16];
uint16_t version;
uint16_t versionminor;
uint8_t pad;
uint8_t padleft;
struct uuid_entry *uuid_entry;
TAILQ_HEAD(, uuid_entry) uuid_list;
uint16_t secondaryaddrlen;
uint16_t secondaryaddrlenleft;
}DCERPCState;
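Review bot: The new `DCERPCState` fields (`numctxitemsleft`, `ctxbytesprocessed`, `pad`, `padleft`, `secondaryaddrlenleft`, `uuid_entry`, `uuid_list`) carry no comments, and the `*left` counters only make sense if they persist across parser calls on chunked input, which a reader cannot tell from the header alone. I would add a one-line comment on each `*left` counter saying it is the remaining byte or item count carried between calls, and on `uuid_list` something like `/* ctx items collected from bind/bind_ack; list nodes are allocated per item and must be released with the state */` — the allocation and release of the nodes is not visible in this hunk, so the ownership wording should be confirmed against the parser. The rendered hunk header counts more lines than are shown here, so I have only reviewed the visible fields.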

@ -38,6 +38,7 @@ enum {
SMB_FIELD_MAX,
};
#if 0
void hexdump(const void *buf, size_t len) {
/* dumps len bytes of *buf to stdout. Looks like:
* [0000] 75 6E 6B 6E 6F 77 6E 20
@ -95,6 +96,7 @@ void hexdump(const void *buf, size_t len) {
printf("[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr);
}
}
#endif
/**
* \brief SMB Write AndX Request Parsing
@ -345,10 +347,10 @@ static int PaddingParser(void *smb_state, AppLayerParserState *pstate,
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
SMBState *sstate = (SMBState *) smb_state;
uint8_t *p = input;
while (sstate->bytesprocessed++ < sstate->andx.dataoffset && sstate->bytecount.bytecount-- && input_len--) {
while (sstate->bytesprocessed + (p - input) < sstate->andx.dataoffset && sstate->bytecount.bytecount-- && input_len--) {
p++;
}
if (sstate->bytesprocessed == sstate->andx.dataoffset) {
if (sstate->bytesprocessed + (p - input) == sstate->andx.dataoffset) {
sstate->andx.paddingparsed = 1;
}
sstate->bytesprocessed += (p - input);
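Review bot: The rewritten loop condition on the second `while` line still decrements `bytecount` and `input_len` as side effects of the test, so when the walk stops because `input_len` reached zero, `bytecount` has already been decremented for a byte that was never consumed, and if `bytecount` is unsigned a zero value wraps to its maximum before the loop exits; the commit only changed the offset arithmetic. Moving the decrements into the body behind explicit `> 0` checks keeps the accounting exact across chunked input. The rest of `PaddingParser` lies outside the hunk, so I have not checked how `bytecount` is used afterwards.
```c
while (sstate->bytesprocessed + (p - input) < sstate->andx.dataoffset &&
       sstate->bytecount.bytecount > 0 && input_len > 0) {
    sstate->bytecount.bytecount--;
    input_len--;
    p++;
}
/* … unchanged: paddingparsed check and bytesprocessed update … */
```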
@ -390,7 +392,6 @@ static int SMBGetWordCount(Flow *f, void *smb_state, AppLayerParserState *pstate
sstate->bytesprocessed++;
sstate->bytecount.bytecountbytes = 0;
sstate->andx.isandx = isAndX(sstate);
--input_len;
SCLogDebug("Wordcount (%u):", sstate->wordcount.wordcount);
SCReturnInt(1);
}
@ -454,7 +455,6 @@ static int SMBParseWordCount(Flow *f, void *smb_state, AppLayerParserState *psta
p++;
}
sstate->bytesprocessed += (p - input);
return (p - input);
SCReturnInt(p - input);
}
}

@ -170,7 +170,7 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
{
int ret = 1;
struct entry *item = NULL;
struct uuid_entry *item = NULL;
DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m->ctx;
DCERPCState *dcerpc_state = (DCERPCState *)state;
if (dcerpc_state == NULL) {
@ -181,7 +181,7 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
SCMutexLock(&f->m);
int i = 0;
TAILQ_FOREACH(item, &dcerpc_state->head, entries) {
TAILQ_FOREACH(item, &dcerpc_state->uuid_list, next) {
for (i = 0; i < 16; i++) {
if (dce_data->uuid[i] != item->uuid[i]) {
ret = 0;
