rust/smb: log uuid of interface in dcerpc

When doing a DCERPC request, we can use the context id to log the
interface that is used. Doing that we can see in one single event
what is the DCERPC interface and opnum that are used. This allows
to have all the information needed to resolve the request to a
function call.

Feature #5413.

diff --git a/etc/schema.json b/etc/schema.json
index 4fad4fc0dcfb841ab51d5410c90d43fbcc65354c..3bd70f8cea1ed616d50bd1752ffeb7909f3bb028 100644 (file)
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -3296,6 +3296,19 @@
                         "response": {
                             "type": "string"
                         },
+                        "interface": {
+                            "type": "object",
+                            "optional": true,
+                            "properties": {
+                                "uuid": {
+                                    "type": "string"
+                                },
+                                "version": {
+                                    "type": "string"
+                                }
+                            },
+                            "additionalProperties": false
+                        },
                         "interfaces": {
                             "type": "array",
                             "items": {

diff --git a/rust/src/smb/log.rs b/rust/src/smb/log.rs
index d5d8aedecc117265f92e8cb8d47c7b9478aeccfe..500a07c6601c60f5ba3ac888417283e5670f0c04 100644 (file)
--- a/rust/src/smb/log.rs
+++ b/rust/src/smb/log.rs
@@ -336,6 +336,22 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
                         jsb.set_uint("frag_cnt", x.frag_cnt_ts as u64)?;
                         jsb.set_uint("stub_data_size", x.stub_data_ts.len() as u64)?;
                         jsb.close()?;
+                        match state.dcerpc_ifaces {
+                            Some(ref ifaces) => {
+                                for i in ifaces {
+                                    if i.context_id == x.context_id {
+                                        jsb.open_object("interface")?;
+                                        let ifstr = uuid::Uuid::from_slice(&i.uuid);
+                                        let ifstr = ifstr.map(|ifstr| ifstr.to_hyphenated().to_string()).unwrap();
+                                        jsb.set_string("uuid", &ifstr)?;
+                                        let vstr = format!("{}.{}", i.ver, i.ver_min);
+                                        jsb.set_string("version", &vstr)?;
+                                        jsb.close()?;
+                                    }
+                                }
+                            },
+                            _ => {},
+                        }
                     },
                     DCERPC_TYPE_BIND => {
                         match state.dcerpc_ifaces {