#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "flow.h"
#include "queue.h"
#include "util-byte.h"

Include dependency graph for app-layer-dcerpc-common.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	DCERPCHdr_

struct	DCERPCHdrUdp_

struct	DCERPCUuidEntry_

struct	DCERPCBindBindAck_

struct	DCERPCRequest_

struct	DCERPCResponse_

struct	DCERPC_

struct	DCERPCUDP_

Macros
#define	REQUEST 0

#define	PING 1

#define	RESPONSE 2

#define	FAULT 3

#define	WORKING 4

#define	NOCALL 5

#define	REJECT 6

#define	ACK 7

#define	CL_CANCEL 8

#define	FACK 9

#define	CANCEL_ACK 10

#define	BIND 11

#define	BIND_ACK 12

#define	BIND_NAK 13

#define	ALTER_CONTEXT 14

#define	ALTER_CONTEXT_RESP 15

#define	SHUTDOWN 17

#define	CO_CANCEL 18

#define	ORPHANED 19

#define	RESERVED_01 0x01

#define	LASTFRAG 0x02

#define	FRAG 0x04

#define	NOFACK 0x08

#define	MAYBE 0x10

#define	IDEMPOTENT 0x20

#define	BROADCAST 0x40

#define	RESERVED_80 0x80

#define	CANCEL_PENDING 0x02

#define	RESERVED_04 0x04

#define	RESERVED_10 0x10

#define	RESERVED_20 0x20

#define	RESERVED_40 0x40

#define	RESERVED_80 0x80

#define	DCERPC_HDR_LEN 16

#define	DCERPC_UDP_HDR_LEN 80

#define	DCERPC_UUID_ENTRY_FLAG_FF 0x0001

#define	PFC_FIRST_FRAG 0x01

#define	PFC_LAST_FRAG 0x02

#define	PFC_PENDING_CANCEL 0x04

#define	PFC_RESERVED_1 0x08

#define	PFC_CONC_MPX 0x10

#define	PFC_DID_NOT_EXECUTE 0x20

#define	PFC_MAYBE 0x40

#define	PFC_OBJECT_UUID 0x80

#define	REASON_NOT_SPECIFIED 0

#define	TEMPORARY_CONGESTION 1

#define	LOCAL_LIMIT_EXCEEDED 2

#define	CALLED_PADDR_UNKNOWN 3 /* not used */

#define	PROTOCOL_VERSION_NOT_SUPPORTED 4

#define	DEFAULT_CONTEXT_NOT_SUPPORTED 5 /* not used */

#define	USER_DATA_NOT_READABLE 6 /* not used */

#define	NO_PSAP_AVAILABLE 7 /* not used */

Typedefs
typedef struct DCERPCHdr_	DCERPCHdr

typedef struct DCERPCHdrUdp_	DCERPCHdrUdp

typedef struct DCERPCUuidEntry_	DCERPCUuidEntry

typedef struct DCERPCBindBindAck_	DCERPCBindBindAck

typedef struct DCERPCRequest_	DCERPCRequest

typedef struct DCERPCResponse_	DCERPCResponse

typedef struct DCERPC_	DCERPC

typedef struct DCERPCUDP_	DCERPCUDP

Functions
void	RegisterDCERPCParsers (void)

void	DCERPCParserTests (void)

void	DCERPCParserRegisterTests (void)

typedef	TAILQ_HEAD (DCERPCUuidEntryList_, DCERPCUuidEntry_) DCERPCUuidEntryList

int32_t	DCERPCParser (DCERPC , uint8_t , uint32_t)

void	hexdump (const void *buf, size_t len)

void	printUUID (const char type, DCERPCUuidEntry uuid)
	printUUID function used to print UUID, Major and Minor Version Number and if it was Accepted or Rejected in the BIND_ACK. More...

Detailed Description

Author: Kirby Kuehl kkueh.nosp@m.l@gm.nosp@m.ail.c.nosp@m.om

Definition in file app-layer-dcerpc-common.h.

Macro Definition Documentation

#define ACK 7

Definition at line 45 of file app-layer-dcerpc-common.h.

#define ALTER_CONTEXT 14

Definition at line 52 of file app-layer-dcerpc-common.h.

Referenced by DCERPCParser().

#define ALTER_CONTEXT_RESP 15

Definition at line 53 of file app-layer-dcerpc-common.h.

Referenced by DCERPCParser().

#define BIND 11

Definition at line 49 of file app-layer-dcerpc-common.h.

Referenced by DCERPCParser(), printUUID(), and RegisterDCERPCParsers().

#define BIND_ACK 12

Definition at line 50 of file app-layer-dcerpc-common.h.

Referenced by DCERPCParser(), and RegisterDCERPCParsers().

#define BIND_NAK 13

Definition at line 51 of file app-layer-dcerpc-common.h.

#define BROADCAST 0x40

Definition at line 87 of file app-layer-dcerpc-common.h.

#define CALLED_PADDR_UNKNOWN 3 /* not used */

Definition at line 233 of file app-layer-dcerpc-common.h.

#define CANCEL_ACK 10

Definition at line 48 of file app-layer-dcerpc-common.h.

#define CANCEL_PENDING 0x02

Definition at line 90 of file app-layer-dcerpc-common.h.

#define CL_CANCEL 8

Definition at line 46 of file app-layer-dcerpc-common.h.

#define CO_CANCEL 18

Definition at line 55 of file app-layer-dcerpc-common.h.

#define DCERPC_HDR_LEN 16

Definition at line 108 of file app-layer-dcerpc-common.h.

Referenced by DCERPCParser(), and printUUID().

#define DCERPC_UDP_HDR_LEN 80

Definition at line 132 of file app-layer-dcerpc-common.h.

#define DCERPC_UUID_ENTRY_FLAG_FF 0x0001

FIRST flag set on the packet that contained this uuid entry

Definition at line 134 of file app-layer-dcerpc-common.h.

Referenced by DetectDceIfaceRegister(), and printUUID().

#define DEFAULT_CONTEXT_NOT_SUPPORTED 5 /* not used */

Definition at line 235 of file app-layer-dcerpc-common.h.

#define FACK 9

Definition at line 47 of file app-layer-dcerpc-common.h.

#define FAULT 3

Definition at line 41 of file app-layer-dcerpc-common.h.

#define FRAG 0x04

Definition at line 83 of file app-layer-dcerpc-common.h.

#define IDEMPOTENT 0x20

Definition at line 86 of file app-layer-dcerpc-common.h.

#define LASTFRAG 0x02

Definition at line 82 of file app-layer-dcerpc-common.h.

#define LOCAL_LIMIT_EXCEEDED 2

Definition at line 232 of file app-layer-dcerpc-common.h.

#define MAYBE 0x10

Definition at line 85 of file app-layer-dcerpc-common.h.

#define NO_PSAP_AVAILABLE 7 /* not used */

Definition at line 237 of file app-layer-dcerpc-common.h.

#define NOCALL 5

Definition at line 43 of file app-layer-dcerpc-common.h.

#define NOFACK 0x08

Definition at line 84 of file app-layer-dcerpc-common.h.

#define ORPHANED 19

Definition at line 56 of file app-layer-dcerpc-common.h.

#define PFC_CONC_MPX 0x10

supports concurrent multiplexing of a single connection.

Definition at line 219 of file app-layer-dcerpc-common.h.

#define PFC_DID_NOT_EXECUTE 0x20

only meaningful on `fault' packet; if true, guaranteed call did not execute.

Definition at line 222 of file app-layer-dcerpc-common.h.

#define PFC_FIRST_FRAG 0x01

First fragment

Definition at line 212 of file app-layer-dcerpc-common.h.

Referenced by printUUID().

#define PFC_LAST_FRAG 0x02

Last fragment

Definition at line 214 of file app-layer-dcerpc-common.h.

Referenced by printUUID().

#define PFC_MAYBE 0x40

`maybe' call semantics requested

Definition at line 224 of file app-layer-dcerpc-common.h.

#define PFC_OBJECT_UUID 0x80

if true, a non-nil object UUID was specified in the handle, and is present in the optional object field. If false, the object field is omitted.

Definition at line 228 of file app-layer-dcerpc-common.h.

#define PFC_PENDING_CANCEL 0x04

Cancel was pending at sender

Definition at line 216 of file app-layer-dcerpc-common.h.

#define PFC_RESERVED_1 0x08

Definition at line 217 of file app-layer-dcerpc-common.h.

#define PING 1

Definition at line 39 of file app-layer-dcerpc-common.h.

#define PROTOCOL_VERSION_NOT_SUPPORTED 4

Definition at line 234 of file app-layer-dcerpc-common.h.

#define REASON_NOT_SPECIFIED 0

Definition at line 230 of file app-layer-dcerpc-common.h.

#define REJECT 6

Definition at line 44 of file app-layer-dcerpc-common.h.

#define REQUEST 0

Definition at line 38 of file app-layer-dcerpc-common.h.

Referenced by DCERPCParser(), DetectDceIfaceRegister(), printUUID(), and RegisterDCERPCParsers().

#define RESERVED_01 0x01

Definition at line 81 of file app-layer-dcerpc-common.h.

#define RESERVED_04 0x04

Definition at line 91 of file app-layer-dcerpc-common.h.

#define RESERVED_10 0x10

Definition at line 92 of file app-layer-dcerpc-common.h.

#define RESERVED_20 0x20

Definition at line 93 of file app-layer-dcerpc-common.h.

#define RESERVED_40 0x40

Definition at line 94 of file app-layer-dcerpc-common.h.

#define RESERVED_80 0x80

Definition at line 95 of file app-layer-dcerpc-common.h.

#define RESERVED_80 0x80

Definition at line 95 of file app-layer-dcerpc-common.h.

#define RESPONSE 2

Definition at line 40 of file app-layer-dcerpc-common.h.

Referenced by DCERPCParser(), DetectDceIfaceRegister(), and printUUID().

#define SHUTDOWN 17

Definition at line 54 of file app-layer-dcerpc-common.h.

#define TEMPORARY_CONGESTION 1

Definition at line 231 of file app-layer-dcerpc-common.h.

#define USER_DATA_NOT_READABLE 6 /* not used */

Definition at line 236 of file app-layer-dcerpc-common.h.

#define WORKING 4

Definition at line 42 of file app-layer-dcerpc-common.h.

Typedef Documentation

typedef struct DCERPC_ DCERPC

typedef struct DCERPCBindBindAck_ DCERPCBindBindAck

typedef struct DCERPCHdr_ DCERPCHdr

typedef struct DCERPCHdrUdp_ DCERPCHdrUdp

typedef struct DCERPCRequest_ DCERPCRequest

typedef struct DCERPCResponse_ DCERPCResponse

typedef struct DCERPCUDP_ DCERPCUDP

typedef struct DCERPCUuidEntry_ DCERPCUuidEntry

Function Documentation

int32_t DCERPCParser	(	DCERPC *	dcerpc,
		uint8_t *	input,
		uint32_t	input_len
	)

Todo:

Currently the parser is very generic. Enable target based reassembly.
- Disable reiniting tailq for mid and last bind/alter_context pdus.
- Use a PM to search for subsequent 05 00 when we see an inconsistent pdu. This should be done for each platform based on how it handles a condition where it has receives a segment with 2 pdus, while the first pdu in the segment is corrupt.

Definition at line 1458 of file app-layer-dcerpc.c.

References ALTER_CONTEXT, ALTER_CONTEXT_RESP, APP_LAYER_PARSER_EOF, AppLayerParserStateIssetFlag(), DCERPCHdr_::auth_length, BIND, BIND_ACK, DCERPC_::bytesprocessed, DCERPCHdr_::call_id, DCERPCBindBindAck_::ctxbytesprocessed, DCERPCState_::data_needed_for_dir, DCERPCState_::dcerpc, DCERPC_HDR_LEN, DCERPC_::dcerpcbindbindack, DCERPC_::dcerpchdr, DCERPC_::dcerpcrequest, DCERPC_::dcerpcresponse, flags, DCERPCHdr_::frag_length, DCERPCBindBindAck_::numctxitems, DCERPCBindBindAck_::numctxitemsleft, DCERPCRequest_::opnum, DCERPCHdr_::packed_drep, DCERPC_::pad, DCERPC_::padleft, DCERPCHdr_::pfc_flags, REQUEST, RESPONSE, DCERPCHdr_::rpc_vers, DCERPCHdr_::rpc_vers_minor, SCEnter, SCLogDebug, SCReturnInt, DCERPCBindBindAck_::secondaryaddrlen, DCERPCRequest_::stub_data_buffer_reset, DCERPCResponse_::stub_data_buffer_reset, DCERPC_::transaction_id, and DCERPCHdr_::type.