--- /dev/null
+/* Copyright (C) 2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+use uuid::Uuid;
+
+use crate::dcerpc::dcerpc::*;
+use crate::jsonbuilder::{JsonBuilder, JsonError};
+
+fn log_dcerpc_header(
+ jsb: &mut JsonBuilder, state: &DCERPCState, tx: &DCERPCTransaction,
+) -> Result<(), JsonError> {
+ if tx.req_done == true {
+ jsb.set_string("request", &dcerpc_type_string(tx.req_cmd))?;
+ match tx.req_cmd {
+ DCERPC_TYPE_REQUEST => {
+ jsb.open_object("req")?;
+ jsb.set_uint("opnum", tx.opnum as u64)?;
+ jsb.set_uint("frag_cnt", tx.frag_cnt_ts as u64)?;
+ jsb.set_uint("stub_data_size", tx.stub_data_buffer_len_ts as u64)?;
+ jsb.close()?;
+ }
+ DCERPC_TYPE_BIND => match &state.bind {
+ Some(bind) => {
+ jsb.open_array("interfaces")?;
+ for uuid in &bind.uuid_list {
+ jsb.start_object()?;
+ let ifstr = Uuid::from_slice(uuid.uuid.as_slice());
+ let ifstr = ifstr.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
+ jsb.set_string("uuid", &ifstr)?;
+ let vstr = format!("{}.{}", uuid.version, uuid.versionminor);
+ jsb.set_string("version", &vstr)?;
+ jsb.set_uint("ack_result", uuid.result as u64)?;
+ jsb.close()?;
+ }
+ jsb.close()?;
+ }
+ None => {}
+ },
+ _ => {}
+ }
+ } else {
+ jsb.set_string("request", "REQUEST_LOST")?;
+ }
+
+ if tx.resp_done == true {
+ jsb.set_string("response", &dcerpc_type_string(tx.resp_cmd))?;
+ match tx.resp_cmd {
+ DCERPC_TYPE_RESPONSE => {
+ jsb.open_object("res")?;
+ jsb.set_uint("frag_cnt", tx.frag_cnt_tc as u64)?;
+ jsb.set_uint("stub_data_size", tx.stub_data_buffer_len_tc as u64)?;
+ jsb.close()?;
+ }
+ _ => {} // replicating behavior from smb
+ }
+ } else {
+ jsb.set_string("response", "UNREPLIED")?;
+ }
+
+ jsb.set_uint("call_id", tx.call_id as u64)?;
+ if let Some(ref hdr) = state.header {
+ let vstr = format!("{}.{}", hdr.rpc_vers, hdr.rpc_vers_minor);
+ jsb.set_string("rpc_version", &vstr)?;
+ }
+
+ return Ok(());
+}
+
+#[no_mangle]
+pub extern "C" fn rs_dcerpc_log_json_record(
+ state: &DCERPCState, tx: &DCERPCTransaction, mut jsb: &mut JsonBuilder,
+) -> bool {
+ log_dcerpc_header(&mut jsb, state, tx).is_ok()
+}
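Review bot: The `.unwrap()` on line 42 turns a malformed interface entry into a panic in the logging path — `Uuid::from_slice` fails whenever the slice is not exactly 16 bytes, and if `uuid.uuid` is a `Vec<u8>` (the `as_slice()` call suggests so) nothing in the type enforces that length, so a parser slip or a crafted bind PDU would abort the worker thread rather than just produce a bad record. Parse the UUID before `start_object()` and skip (or surface as a `JsonError`, if a suitable variant exists) on failure, so a bad entry neither panics nor leaves a half-built object; the rewritten loop body is below. Two smaller style points: `tx.req_done == true` / `tx.resp_done == true` on lines 26 and 59 read better as `if tx.req_done` / `if tx.resp_done`, and `mut jsb: &mut JsonBuilder` with `&mut jsb` on lines 85–87 passes a `&mut &mut JsonBuilder` that only works through auto-deref — `jsb: &mut JsonBuilder` and `log_dcerpc_header(jsb, state, tx)` is the intended form.
```rust
for uuid in &bind.uuid_list {
    // Parse before opening the object so a malformed entry can be
    // skipped without leaving a half-built JSON object behind.
    let ifstr = match Uuid::from_slice(uuid.uuid.as_slice()) {
        Ok(u) => u.to_hyphenated().to_string(),
        Err(_) => continue,
    };
    jsb.start_object()?;
    jsb.set_string("uuid", &ifstr)?;
    // … unchanged: version, ack_result, close …
}
```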
pub mod dcerpc_udp;
pub mod parser;
pub mod detect;
+pub mod log;
output-json-template.c output-json-template.h \
output-json-template-rust.c output-json-template-rust.h \
output-json-rdp.c output-json-rdp.h \
+output-json-dcerpc.c output-json-dcerpc.h \
output-json-metadata.c output-json-metadata.h \
output-lua.c output-lua.h \
output-packet.c output-packet.h \
--- /dev/null
+/* Copyright (C) 2017-2018 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "pkt-var.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "threadvars.h"
+#include "tm-threads.h"
+
+#include "util-unittest.h"
+#include "util-buffer.h"
+#include "util-debug.h"
+#include "util-byte.h"
+
+#include "output.h"
+#include "output-json.h"
+
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-dcerpc-udp.h"
+#include "app-layer-dcerpc-common.h"
+#include "output-json-dcerpc.h"
+
+#include "rust.h"
+
+
+static int JsonDCERPCLogger(ThreadVars *tv, void *thread_data,
+ const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
+{
+ OutputJsonThreadCtx *thread = thread_data;
+
+ JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dcerpc", NULL);
+ if (unlikely(jb == NULL)) {
+ return TM_ECODE_FAILED;
+ }
+
+ jb_open_object(jb, "dcerpc");
+ if (!rs_dcerpc_log_json_record(state, tx, jb)) {
+ goto error;
+ }
+ jb_close(jb);
+
+ MemBufferReset(thread->buffer);
+ OutputJsonBuilderBuffer(jb, thread->ctx->file_ctx, &thread->buffer);
+
+ jb_free(jb);
+ return TM_ECODE_OK;
+
+error:
+ jb_free(jb);
+ return TM_ECODE_FAILED;
+}
+
+static OutputInitResult DCERPCLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
+{
+ AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_DCERPC);
+ AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_DCERPC);
+ return OutputJsonLogInitSub(conf, parent_ctx);
+}
+
+void JsonDCERPCLogRegister(void)
+{
+ /* Register as an eve sub-module. */
+ OutputRegisterTxSubModule(LOGGER_JSON_DCERPC, "eve-log", "JsonDCERPCLog",
+ "eve-log.dcerpc", DCERPCLogInitSub, ALPROTO_DCERPC,
+ JsonDCERPCLogger, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
+
+ SCLogDebug("DCERPC JSON logger registered.");
+}
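Review bot: The return values of `jb_open_object` on line 154 and `jb_close` on line 158 are ignored, while the Rust callee in between treats every builder step as fallible; if opening the nested object fails, the record is still flushed with a missing or malformed `dcerpc` object. Presumably both return a bool like the Rust `JsonBuilder` methods they wrap, so checking them keeps the error path consistent: `if (!jb_open_object(jb, "dcerpc")) goto error;` and `if (!jb_close(jb)) goto error;`. The logger also lacks a header comment; I would add `/* Emit one EVE "dcerpc" record for a completed transaction. f and tx_id are unused; the record body is built from state/tx by rs_dcerpc_log_json_record(). */` above `JsonDCERPCLogger`. Minor: the copyright banner on line 101 says 2017-2018 for a file introduced in this commit alongside a 2020-dated Rust file.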
--- /dev/null
+/* Copyright (C) 2017 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __OUTPUT_JSON_DCERPC_H__
+#define __OUTPUT_JSON_DCERPC_H__
+
+void JsonDCERPCLogRegister(void);
+
+#endif /* __OUTPUT_JSON_DCERPC_H__ */
#include "output-lua.h"
#include "output-json-dnp3.h"
#include "output-json-metadata.h"
+#include "output-json-dcerpc.h"
#include "output-filestore.h"
typedef struct RootLogger_ {
JsonTemplateRustLogRegister();
/* RDP JSON logger. */
JsonRdpLogRegister();
+ /* DCERPC JSON logger. */
+ JsonDCERPCLogRegister();
}
LOGGER_JSON_RFB,
LOGGER_JSON_TEMPLATE,
LOGGER_JSON_RDP,
+ LOGGER_JSON_DCERPC,
LOGGER_ALERT_DEBUG,
LOGGER_ALERT_FAST,
CASE_CODE (LOGGER_JSON_RFB);
CASE_CODE (LOGGER_JSON_TEMPLATE);
CASE_CODE (LOGGER_JSON_RDP);
+ CASE_CODE (LOGGER_JSON_DCERPC);
CASE_CODE (LOGGER_TLS_STORE);
CASE_CODE (LOGGER_TLS);
CASE_CODE (LOGGER_FILE_STORE);
- smb
- tftp
- ikev2
+ - dcerpc
- krb5
- snmp
- rfb