From: Eric Leblond
Date: Tue, 28 Jun 2022 13:52:04 +0000 (+0200)
Subject: rust/smb: log uuid of interface in dcerpc
X-Git-Tag: suricata-7.0.0-beta1~268
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F7767%2Fhead;p=thirdparty%2Fsuricata.git
rust/smb: log uuid of interface in dcerpc When doing a DCERPC request, we can use the context id to log the interface that is used. Doing that we can see in one single event what is the DCERPC interface and opnum that are used. This allows to have all the information needed to resolve the request to a function call. Feature #5413.
---
diff --git a/etc/schema.json b/etc/schema.json
index 4fad4fc0dc..3bd70f8cea 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -3296,6 +3296,19 @@
 "response": {
 "type": "string"
 },
+ "interface": {
+ "type": "object",
+ "optional": true,
+ "properties": {
+ "uuid": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ }
+ },
+ "additionalProperties": false
+ },
 "interfaces": {
 "type": "array",
 "items": {
diff --git a/rust/src/smb/log.rs b/rust/src/smb/log.rs
index d5d8aedecc..500a07c660 100644
--- a/rust/src/smb/log.rs
+++ b/rust/src/smb/log.rs
@@ -336,6 +336,22 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
 jsb.set_uint("frag_cnt", x.frag_cnt_ts as u64)?;
 jsb.set_uint("stub_data_size", x.stub_data_ts.len() as u64)?;
 jsb.close()?;
+ match state.dcerpc_ifaces {
+ Some(ref ifaces) => {
+ for i in ifaces {
+ if i.context_id == x.context_id {
+ jsb.open_object("interface")?;
+ let ifstr = uuid::Uuid::from_slice(&i.uuid);
+ let ifstr = ifstr.map(|ifstr| ifstr.to_hyphenated().to_string()).unwrap();
+ jsb.set_string("uuid", &ifstr)?;
+ let vstr = format!("{}.{}", i.ver, i.ver_min);
+ jsb.set_string("version", &vstr)?;
+ jsb.close()?;
+ }
+ }
+ },
+ _ => {},
+ }
 },
 DCERPC_TYPE_BIND => {
 match state.dcerpc_ifaces {
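Review bot: In the rust/src/smb/log.rs hunk the `.unwrap()` on the result of `uuid::Uuid::from_slice(&i.uuid)` adds a panic path to the logger; `from_slice` returns an error whenever the slice is not exactly 16 bytes, and whether the parser guarantees that length for `i.uuid` is not visible in this hunk. Because interface UUIDs originate from the peer's DCERPC bind, a defensive form such as `if let Ok(u) = uuid::Uuid::from_slice(&i.uuid) { jsb.set_string("uuid", &u.to_hyphenated().to_string())?; }` omits the field on malformed data instead of aborting output. The loop also never `break`s after a match, so two entries sharing a `context_id` would emit two `interface` objects under the same key, which the schema hunk declares as a single object; a `break;` after the inner `jsb.close()?;` fixes that. The `match` with the empty `_ => {},` arm reads more naturally as `if let Some(ref ifaces) = state.dcerpc_ifaces {`. smb_common_header starts and ends outside the hunk.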