From 4cb0d886c64ee958118b05e1bfb790529e67cb8f Mon Sep 17 00:00:00 2001
From: Kirby Kuehl <kkuehl@gmail.com>
Date: Sat, 19 Jun 2010 17:51:26 -0500
Subject: [PATCH 2/2] dcerpc udp support

---
 src/Makefile.am               |    1 +
 src/app-layer-dcerpc-common.h |   35 +++++++++++++++++++++++++++++++++++
 src/app-layer-detect-proto.c  |    6 +++---
 src/app-layer-protos.h        |    1 +
 src/suricata.c                |    3 +++
 5 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index 70ea355..042ae05 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -199,6 +199,7 @@ app-layer-tls.c app-layer-tls.h \
 app-layer-smb.c app-layer-smb.h \
 app-layer-smb2.c app-layer-smb2.h \
 app-layer-dcerpc.c app-layer-dcerpc.h \
+app-layer-dcerpc-udp.c app-layer-dcerpc-udp.h \
 app-layer-ftp.c app-layer-ftp.h \
 app-layer-ssl.c app-layer-ssl.h \
 defrag.c defrag.h \
diff --git a/src/app-layer-dcerpc-common.h b/src/app-layer-dcerpc-common.h
index 9f54286..3713d7e 100644
--- a/src/app-layer-dcerpc-common.h
+++ b/src/app-layer-dcerpc-common.h
@@ -107,6 +107,30 @@ typedef struct DCERPCHdr_ {
 
 #define DCERPC_HDR_LEN 16
 
+typedef struct DCERPCHdrUdp_ {
+    uint8_t rpc_vers; /* 4 RPC protocol major version (4 LSB only)*/
+    uint8_t type;       /* Packet type (5 LSB only) */
+    uint8_t flags1;     /* Packet flags */
+    uint8_t flags2;     /* Packet flags */
+    uint8_t drep[3];    /* Data representation format label */
+    uint8_t serial_hi;  /* High byte of serial number */
+    uint8_t objectuuid[16];
+    uint8_t interfaceuuid[16];
+    uint8_t activityuuid[16];
+    uint32_t server_boot;/* Server boot time */
+    uint32_t if_vers;    /* Interface version */
+    uint32_t seqnum;     /* Sequence number */
+    uint16_t opnum;      /* Operation number */
+    uint16_t ihint;      /* Interface hint */
+    uint16_t ahint;      /* Activity hint */
+    uint16_t fraglen;        /* Length of packet body */
+    uint16_t fragnum;    /* Fragment number */
+    uint8_t auth_proto; /* Authentication protocol identifier*/
+    uint8_t serial_lo;  /* Low byte of serial number */
+}DCERPCHdrUdp;
+
+#define DCERPC_UDP_HDR_LEN 80
+
 typedef struct DCERPCUuidEntry_ {
     uint16_t ctxid;
     uint16_t result;
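Review bot: `DCERPC_UDP_HDR_LEN 80` is defined independently of `DCERPCHdrUdp` and nothing records that the two must agree; the fields do sum to 80 with no padding under natural alignment (56 one-byte entries, three `uint32_t` at offsets 56/60/64, five `uint16_t` at 68–76, two trailing bytes), but a later field edit would silently break that. Suggest annotating the define with `/* wire size of DCERPCHdrUdp; keep equal to sizeof(DCERPCHdrUdp) */`, or a static assertion where the build permits one. If the header is copied straight from the datagram, a comment that the byte order of `server_boot` through `fragnum` is dictated by `drep` and that `fraglen` must be checked against the actual UDP payload length before it is trusted would help whoever writes the parser. Style: the `rpc_vers` comment is misaligned and lacks a space before `*/`, and `}DCERPCHdrUdp;` omits the space that `} DCERPC;` in the next hunk's context uses; the same applies to `}DCERPCUDP;` there.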
@@ -161,6 +185,17 @@ typedef struct DCERPC_ {
     uint16_t transaction_id;
 } DCERPC;
 
+typedef struct DCERPCUDP_ {
+     DCERPCHdrUdp dcerpchdrudp;
+     DCERPCBindBindAck dcerpcbindbindack;
+     DCERPCRequest dcerpcrequest;
+     DCERPCResponse dcerpcresponse;
+     uint16_t bytesprocessed;
+     uint16_t fraglenleft;
+     uint8_t *frag_data;
+     DCERPCUuidEntry *uuid_entry;
+     TAILQ_HEAD(, uuid_entry) uuid_list;
+}DCERPCUDP;
 
 /** First fragment */
 #define PFC_FIRST_FRAG           0x01
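Review bot: The `DCERPCUDP` members are indented five spaces while the surrounding file uses four (`uint16_t transaction_id;` directly above), and `}DCERPCUDP;` omits the space used by `} DCERPC;`. `frag_data` is a bare pointer with no indication of who allocates and frees it or how `fraglenleft` and `bytesprocessed` relate to it; a short comment stating ownership and that `frag_data` must be released when this state is freed would guard against a leak or use-after-free in the teardown path, which this patch does not show. A one-line purpose comment on the struct, matching the other typedefs in this header, would also help.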
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index 9d2cfb9..2bef7f1 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -411,9 +411,9 @@ void AppLayerDetectProtoThreadInit(void) {
     AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT);
     AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);
 
-    /** SMB2 */
-    AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 4, 4, STREAM_TOCLIENT);
-    AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 4, 4, STREAM_TOSERVER);
+    /** DCERPC */
+    AlpProtoAdd(&alp_proto_ctx, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOCLIENT);
+    AlpProtoAdd(&alp_proto_ctx, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER);
 
     /** DCERPC */
     AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOCLIENT);
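Review bot: The `STREAM_TOCLIENT` registration on the added lines matches `|04 00|`, i.e. `rpc_vers` 4 followed by packet type 0, which is the connectionless request type; server-to-client PDUs (responses, faults, acks) carry other type values, so this pattern is unlikely to fire in the to-client direction and detection would rest on the to-server side alone — confirm against the CL PDU type table before merging. A two-byte match at offset 0 is also a weak discriminator on UDP, so the parser behind `ALPROTO_DCERPC_UDP` should validate the rest of the header (`fraglen` against the datagram length, `drep`) before acting on the classification. The `/** DCERPC */` label on the new lines duplicates the TCP one four lines below; `/** DCERPC over UDP */` would disambiguate. The hunk also drops the second SMB2 registration pair, which the subject "dcerpc udp support" does not mention; that removal deserves its own commit or a line in the message. `AppLayerDetectProtoThreadInit` continues outside the hunk.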
diff --git a/src/app-layer-protos.h b/src/app-layer-protos.h
index 421a6c0..77045d8 100644
--- a/src/app-layer-protos.h
+++ b/src/app-layer-protos.h
@@ -38,6 +38,7 @@ enum {
     ALPROTO_SMB,
     ALPROTO_SMB2,
     ALPROTO_DCERPC,
+    ALPROTO_DCERPC_UDP,
 #ifdef UNITTESTS
     ALPROTO_TEST,
 #endif /* UNITESTS */
diff --git a/src/suricata.c b/src/suricata.c
index 6950703..ccdb414 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -100,6 +100,7 @@
 #include "app-layer-tls.h"
 #include "app-layer-smb.h"
 #include "app-layer-dcerpc.h"
+#include "app-layer-dcerpc-udp.h"
 #include "app-layer-htp.h"
 #include "app-layer-ftp.h"
 #include "app-layer-ssl.h"
@@ -803,6 +804,7 @@ int main(int argc, char **argv)
     RegisterTLSParsers();
     RegisterSMBParsers();
     RegisterDCERPCParsers();
+    RegisterDCERPCUDPParsers();
     RegisterFTPParsers();
     RegisterSSLParsers();
     AppLayerParsersInitPostProcess();
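Review bot: `RegisterDCERPCUDPParsers()` here and `DCERPCUDPParserRegisterTests()` in the following hunk are called, and `app-layer-dcerpc-udp.h` is included in the first hunk, but none of them is added by this patch; presumably they come from 1/2 of the series, in which case the commit does not build if applied ahead of it and the dependency is worth stating in the message. `main` begins and ends outside the hunk.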
@@ -843,6 +845,7 @@ int main(int argc, char **argv)
         TLSParserRegisterTests();
         SMBParserRegisterTests();
         DCERPCParserRegisterTests();
+        DCERPCUDPParserRegisterTests();
         FTPParserRegisterTests();
         DecodeRawRegisterTests();
         DecodePPPOERegisterTests();
-- 
1.7.0.1

