From: Shivani Bhardwaj Date: Thu, 12 Nov 2020 11:06:39 +0000 (+0530) Subject: dcerpc/log: Log fields particular to an RPC version X-Git-Tag: suricata-6.0.1~51 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=269324e84d79c4860533967e7fe226e3a9106613;p=thirdparty%2Fsuricata.git dcerpc/log: Log fields particular to an RPC version Log fields that only are meant to be in a PDU for a particular RPC version. Since DCERPC/UDP works on RPC version 4 and DCERPC/TCP works on RPC version 5, there are certain fields that are particular to each version. Remove call_id from the logger for UDP. Add activityuuid and seqnum fields to the logger for UDP. call_id and (activityuuid + seqnum) fields are used to uniquely pair a request with response for RPC versions 5 and 4 respectively.
---
diff --git a/rust/src/dcerpc/log.rs b/rust/src/dcerpc/log.rs
index 1bf379172e..9f69fe5a4b 100644
--- a/rust/src/dcerpc/log.rs
+++ b/rust/src/dcerpc/log.rs
@@ -70,8 +70,15 @@ fn log_dcerpc_header(
 jsb.set_string("response", "UNREPLIED")?;
 }
- jsb.set_uint("call_id", tx.call_id as u64)?;
 if let Some(ref hdr) = state.header {
+ if hdr.rpc_vers != 4 {
+ jsb.set_uint("call_id", tx.call_id as u64)?;
+ } else {
+ let activityuuid = Uuid::from_slice(tx.activityuuid.as_slice());
+ let activityuuid = activityuuid.map(|uuid| uuid.to_hyphenated().to_string()).unwrap();
+ jsb.set_string("activityuuid", &activityuuid)?;
+ jsb.set_uint("seqnum", tx.seqnum as u64)?;
+ }
 let vstr = format!("{}.{}", hdr.rpc_vers, hdr.rpc_vers_minor);
 jsb.set_string("rpc_version", &vstr)?;
 }
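Review bot: The `.unwrap()` on the `Uuid::from_slice` result in the added else-branch turns a `tx.activityuuid` that is not exactly 16 bytes into a panic inside the logger, so on a sensor parsing untrusted traffic a malformed field becomes a crash rather than a missing log key. Whether the parser guarantees the length is not visible here; unless it does, the field should be skipped on error: `if let Ok(uuid) = Uuid::from_slice(tx.activityuuid.as_slice()) {` / `jsb.set_string("activityuuid", &uuid.to_hyphenated().to_string())?;` / `}`. Moving the `call_id` write under `if let Some(ref hdr) = state.header` also means a version-5 transaction with no header now logs no pairing key at all, where it previously always logged `call_id`; if that is intended, a one-line comment on the `if let` would help. log_dcerpc_header starts and ends outside the hunk.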