aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

dcerpc: add iface to dcerpc request event

Browse Source 
so as to avoid extra steps for correlation among events to find
this information.

Feature 7565
pull/12653/head
Shivani Bhardwaj 1 week ago committed by Victor Julien
parent 4cdb879538
commit a551674eae
1 changed files with 20 additions and 14 deletions
Show Stats Download Patch File Download Diff File

34
rust/src/dcerpc/log.rs
Unescape Escape View File

@ -20,6 +20,24 @@ use crate::dcerpc::dcerpc::*;
use crate::dcerpc::dcerpc_udp::*;
use crate::jsonbuilder::{JsonBuilder, JsonError};
fn log_bind_interfaces(jsb: &mut JsonBuilder, state: &DCERPCState) -> Result<(), JsonError> {
if let Some(bind) = &state.bind {
jsb.open_array("interfaces")?;
for uuid in &bind.uuid_list {
jsb.start_object()?;
let ifstr = Uuid::from_slice(uuid.uuid.as_slice());
let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
jsb.set_string("uuid", &ifstr)?;
let vstr = format!("{}.{}", uuid.version, uuid.versionminor);
jsb.set_string("version", &vstr)?;
jsb.set_uint("ack_result", uuid.result as u64)?;
jsb.close()?;
}
jsb.close()?;
}
return Ok(());
}
fn log_dcerpc_header_tcp(
jsb: &mut JsonBuilder, state: &DCERPCState, tx: &DCERPCTransaction,
) -> Result<(), JsonError> {
@ -32,21 +50,9 @@ fn log_dcerpc_header_tcp(
jsb.set_uint("frag_cnt", tx.frag_cnt_ts as u64)?;
jsb.set_uint("stub_data_size", tx.stub_data_buffer_ts.len() as u64)?;
jsb.close()?;
log_bind_interfaces(jsb, state)?;
}
DCERPC_TYPE_BIND => if let Some(bind) = &state.bind {
jsb.open_array("interfaces")?;
for uuid in &bind.uuid_list {
jsb.start_object()?;
let ifstr = Uuid::from_slice(uuid.uuid.as_slice());
let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
jsb.set_string("uuid", &ifstr)?;
let vstr = format!("{}.{}", uuid.version, uuid.versionminor);
jsb.set_string("version", &vstr)?;
jsb.set_uint("ack_result", uuid.result as u64)?;
jsb.close()?;
}
jsb.close()?;
},
DCERPC_TYPE_BIND => log_bind_interfaces(jsb, state)?,
_ => {}
}
} else {

Write Preview
Loading…
Cancel
Save