1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Kirby Kuehl <kkuehl@gmail.com>
22  */
23 
24 #ifndef __APP_LAYER_DCERPC_COMMON_H__
25 #define __APP_LAYER_DCERPC_COMMON_H__
26 
27 #include "app-layer-protos.h"
28 #include "app-layer-parser.h"
29 #include "flow.h"
30 #include "queue.h"
31 #include "util-byte.h"
32 
/** Registration entry point for the DCE/RPC app-layer parsers (defined in the
 *  corresponding parser .c file). */
void RegisterDCERPCParsers(void);
/** Unit tests for the DCE/RPC parser. */
void DCERPCParserTests(void);
/** Registers the DCE/RPC unit tests with the test runner. */
void DCERPCParserRegisterTests(void);
36 
// DCE/RPC PDU types: the value carried in the `type' byte of both the
// connectionless (DCERPCHdrUdp.type, low 5 bits) and connection-oriented
// (DCERPCHdr.type) headers.
// http://www.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06
// Note: value 16 is unassigned in the referenced table. These names carry no
// DCERPC_ prefix (unlike the PFC_* flags below), so they are prone to collide
// with same-named macros from other headers.
#define REQUEST 0              /* CL and CO */
#define PING 1                 /* CL only */
#define RESPONSE 2             /* CL and CO */
#define FAULT 3                /* CL and CO */
#define WORKING 4              /* CL only */
#define NOCALL 5               /* CL only */
#define REJECT 6               /* CL only */
#define ACK 7                  /* CL only */
#define CL_CANCEL 8            /* CL only */
#define FACK 9                 /* CL only */
#define CANCEL_ACK 10          /* CL only */
#define BIND 11                /* CO only */
#define BIND_ACK 12            /* CO only */
#define BIND_NAK 13            /* CO only */
#define ALTER_CONTEXT 14       /* CO only */
#define ALTER_CONTEXT_RESP 15  /* CO only */
#define SHUTDOWN 17            /* CO only */
#define CO_CANCEL 18           /* CO only */
#define ORPHANED 19            /* CO only */
#if 0
/* Disabled reference copy of the spec's connectionless (CL) packet header.
 * It uses non-C types (`uuid_t', `unsigned small') and cannot be enabled
 * as-is; the live equivalent with fixed-width types is DCERPCHdrUdp below. */
typedef struct {
    uint8_t rpc_vers; /* 4 RPC protocol major version (4 LSB only)*/
    uint8_t ptype; /* Packet type (5 LSB only) */
    uint8_t flags1; /* Packet flags */
    uint8_t flags2; /* Packet flags */
    uint8_t drep[3]; /* Data representation format label */
    uint8_t serial_hi; /* High byte of serial number */
    uuid_t object; /* Object identifier */
    uuid_t if_id; /* Interface identifier */
    uuid_t act_id; /* Activity identifier */
    unsigned long server_boot;/* Server boot time */
    unsigned long if_vers; /* Interface version */
    unsigned long seqnum; /* Sequence number */
    unsigned short opnum; /* Operation number */
    unsigned short ihint; /* Interface hint */
    unsigned short ahint; /* Activity hint */
    unsigned short len; /* Length of packet body */
    unsigned short fragnum; /* Fragment number */
    unsigned small auth_proto; /* Authentication protocol identifier*/
    unsigned small serial_lo; /* Low byte of serial number */
} dc_rpc_cl_pkt_hdr_t;
#endif
80 
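/* Bits of the connectionless (CL) header `flags1' byte (DCERPCHdrUdp.flags1). */
#define RESERVED_01 0x01  /* reserved */
#define LASTFRAG 0x02     /* this is the last fragment of the PDU */
#define FRAG 0x04         /* the PDU is a fragment */
#define NOFACK 0x08       /* no fragment ack requested */
#define MAYBE 0x10        /* `maybe' call semantics */
#define IDEMPOTENT 0x20   /* idempotent call */
#define BROADCAST 0x40    /* broadcast call */
#define RESERVED_80 0x80  /* reserved; top bit of both flags1 and flags2 */

/* Bits of the CL header `flags2' byte (DCERPCHdrUdp.flags2). Bits 0x01 and
 * 0x08 are reserved in the spec and have no macro here. RESERVED_80 above is
 * shared with flags1; it was previously #define'd a second time here with the
 * same value, which the preprocessor permits but reads as a copy/paste slip. */
#define CANCEL_PENDING 0x02
#define RESERVED_04 0x04
#define RESERVED_10 0x10
#define RESERVED_20 0x20
#define RESERVED_40 0x40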
96 
/** Connection-oriented (CO) DCE/RPC common PDU header: the first 16 bytes of
 *  every CO PDU. Member comments give "offset:length" in bytes; the field
 *  sizes sum to DCERPC_HDR_LEN.
 *  NOTE(review): per the DCE/RPC data representation label, the byte order of
 *  frag_length, auth_length and call_id is announced by packed_drep[0];
 *  confirm the parser honours it rather than assuming host order. */
typedef struct DCERPCHdr_ {
    uint8_t rpc_vers;       /**< 00:01 RPC version should be 5 */
    uint8_t rpc_vers_minor; /**< 01:01 minor version */
    uint8_t type;           /**< 02:01 packet type (REQUEST..ORPHANED above) */
    uint8_t pfc_flags;      /**< 03:01 flags (see PFC_... ) */
    uint8_t packed_drep[4]; /**< 04:04 NDR data representation format label */
    uint16_t frag_length;   /**< 08:02 total length of fragment, header included;
                                 untrusted: bound it against the input actually available */
    uint16_t auth_length;   /**< 10:02 length of auth_value (trailer at the end of the fragment) */
    uint32_t call_id;       /**< 12:04 call identifier */
} DCERPCHdr;

/** Wire size of DCERPCHdr (sum of its fields): the minimum input a parser
 *  must have before reading frag_length/auth_length. */
#define DCERPC_HDR_LEN 16
109 
/** Connectionless (CL, UDP) DCE/RPC PDU header, 80 bytes on the wire; the
 *  field sizes below sum to DCERPC_UDP_HDR_LEN. Member comments give
 *  "offset:length" in bytes.
 *  NOTE(review): the byte order of the multi-byte fields is announced by
 *  drep[0] per the DCE/RPC data representation label; confirm the parser
 *  honours it rather than assuming host order. */
typedef struct DCERPCHdrUdp_ {
    uint8_t rpc_vers;          /**< 00:01 RPC protocol major version (4 LSB only)*/
    uint8_t type;              /**< 01:01 Packet type (5 LSB only); REQUEST..CANCEL_ACK above */
    uint8_t flags1;            /**< 02:01 Packet flags (LASTFRAG, FRAG, NOFACK, ... bits) */
    uint8_t flags2;            /**< 03:01 Packet flags (CANCEL_PENDING and reserved bits) */
    uint8_t drep[3];           /**< 04:03 Data representation format label */
    uint8_t serial_hi;         /**< 07:01 High byte of serial number */
    uint8_t objectuuid[16];    /**< 08:16 object identifier, raw bytes */
    uint8_t interfaceuuid[16]; /**< 24:16 interface identifier, raw bytes */
    uint8_t activityuuid[16];  /**< 40:16 activity identifier, raw bytes */
    uint32_t server_boot;      /**< 56:04 Server boot time */
    uint32_t if_vers;          /**< 60:04 Interface version */
    uint32_t seqnum;           /**< 64:04 Sequence number */
    uint16_t opnum;            /**< 68:02 Operation number */
    uint16_t ihint;            /**< 70:02 Interface hint */
    uint16_t ahint;            /**< 72:02 Activity hint */
    uint16_t fraglen;          /**< 74:02 Length of packet body; untrusted, check it
                                    against the input actually available before use */
    uint16_t fragnum;          /**< 76:02 Fragment number */
    uint8_t auth_proto;        /**< 78:01 Authentication protocol identifier*/
    uint8_t serial_lo;         /**< 79:01 Low byte of serial number */
} DCERPCHdrUdp;

/** Wire size of DCERPCHdrUdp (sum of its fields). */
#define DCERPC_UDP_HDR_LEN 80
133 
#define DCERPC_UUID_ENTRY_FLAG_FF 0x0001 /**< FIRST flag (presumably PFC_FIRST_FRAG) was
                                              set on the packet that contained this uuid entry */
136 
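/** One presentation-context entry taken from a bind / bind_ack: an interface
 *  UUID plus version, its context id, and (presumably once the bind_ack is
 *  seen) the server's result for it. Entries are chained into a
 *  DCERPCUuidEntryList through `next'. */
typedef struct DCERPCUuidEntry_ {
    uint16_t ctxid;        /**< presentation context id */
    uint16_t internal_id;  /**< parser-assigned id (see DCERPCBindBindAck.uuid_internal_id) */
    uint16_t result;       /**< result reported for this context; 0 presumably = accepted */
    uint8_t uuid[16];      /**< interface UUID, raw 16 bytes */
    uint16_t version;      /**< interface major version */
    uint16_t versionminor; /**< interface minor version */
    uint16_t flags;        /**< DCERPC_UUID_ENTRY_FLAG_* flags */
    TAILQ_ENTRY(DCERPCUuidEntry_) next; /**< list linkage for DCERPCUuidEntryList */
} DCERPCUuidEntry;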
147 
148 typedef TAILQ_HEAD(DCERPCUuidEntryList_, DCERPCUuidEntry_) DCERPCUuidEntryList;
149 
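/** Parser state for a bind / bind_ack exchange: the presentation-context
 *  items being walked, the list of uuids the client proposed and the subset
 *  the server accepted. The *left counters appear to track how much of a
 *  multi-fragment item is still outstanding; confirm in the parser. */
typedef struct DCERPCBindBindAck_ {
    uint8_t numctxitems;       /**< number of context items announced in the bind */
    uint8_t numctxitemsleft;   /**< context items still to be parsed */
    uint8_t ctxbytesprocessed; /**< bytes of the current context item consumed so far */
    uint16_t ctxid;            /**< context id of the item being parsed */
    uint8_t uuid[16];          /**< interface uuid of the item being parsed, raw bytes */
    uint16_t version;          /**< interface major version of the item being parsed */
    uint16_t versionminor;     /**< interface minor version of the item being parsed */
    DCERPCUuidEntry *uuid_entry; /**< entry currently being filled in */
    DCERPCUuidEntryList uuid_list; /**< all uuid entries seen in the bind */
    /* the interface uuids that the server has accepted */
    DCERPCUuidEntryList accepted_uuid_list;
    uint16_t uuid_internal_id; /**< next internal id to hand out (DCERPCUuidEntry.internal_id) */
    uint16_t secondaryaddrlen; /**< length of the bind_ack secondary address field */
    uint16_t secondaryaddrlenleft; /**< secondary address bytes still to be skipped */
    uint16_t result;           /**< bind_ack result of the item being parsed */
} DCERPCBindBindAck;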
167 
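/** Parser state for the DCE/RPC request currently being assembled. */
typedef struct DCERPCRequest_ {
    uint16_t ctxid; /**< presentation context id the request refers to */
    uint16_t opnum; /**< operation number within the interface */
    /* holds the stub data for the request.
     * NOTE(review): presumably a heap buffer grown as fragments arrive; who
     * allocates and frees it is not visible here — confirm in the parser. */
    uint8_t *stub_data_buffer;
    /* length of the above buffer */
    uint32_t stub_data_buffer_len;
    uint8_t first_request_seen; /**< flag; presumably set once the first request was seen */
    /* set when the buffer is to be reset before the next data is appended (from the name) */
    bool stub_data_buffer_reset;
} DCERPCRequest;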
178 
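/** Parser state for the DCE/RPC response currently being assembled. */
typedef struct DCERPCResponse_ {
    /* holds the stub data for the response.
     * NOTE(review): presumably a heap buffer grown as fragments arrive; who
     * allocates and frees it is not visible here — confirm in the parser. */
    uint8_t *stub_data_buffer;
    /* length of the above buffer */
    uint32_t stub_data_buffer_len;
    /* set when the buffer is to be reset before the next data is appended (from the name) */
    bool stub_data_buffer_reset;
} DCERPCResponse;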
186 
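/** Per-flow DCE/RPC (connection-oriented) parser state: the header of the
 *  PDU being parsed, the bind/bind_ack, request and response sub-states, and
 *  the parser's position within the current PDU. */
typedef struct DCERPC_ {
    DCERPCHdr dcerpchdr;                 /**< header of the PDU being parsed */
    DCERPCBindBindAck dcerpcbindbindack; /**< bind / bind_ack state */
    DCERPCRequest dcerpcrequest;         /**< request state */
    DCERPCResponse dcerpcresponse;       /**< response state */
    uint16_t bytesprocessed;             /**< bytes of the current PDU consumed so far (from the name) */
    uint8_t pad;                         /**< padding bytes expected after the stub data; confirm in parser */
    uint16_t padleft;                    /**< padding bytes still to be skipped; confirm in parser */
    uint16_t transaction_id;             /**< id of the current request/response transaction */
} DCERPC;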
197 
/** Per-flow DCE/RPC (connectionless, UDP) parser state. */
typedef struct DCERPCUDP_ {
    DCERPCHdrUdp dcerpchdrudp;           /**< header of the PDU being parsed */
    DCERPCBindBindAck dcerpcbindbindack; /**< bind / bind_ack state */
    DCERPCRequest dcerpcrequest;         /**< request state */
    DCERPCResponse dcerpcresponse;       /**< response state */
    uint16_t bytesprocessed;             /**< bytes of the current PDU consumed so far (from the name) */
    uint16_t fraglenleft;                /**< bytes of the current fragment still outstanding (from the name) */
    uint8_t *frag_data;                  /**< fragment data; ownership not visible here — confirm in parser */
    DCERPCUuidEntry *uuid_entry;         /**< entry currently being filled in */
    /* NOTE(review): this list head is declared over `struct uuid_entry', a tag
     * that nothing in this header declares, whereas every other list in the
     * file uses DCERPCUuidEntryList (elements of type DCERPCUuidEntry). If the
     * parser inserts DCERPCUuidEntry objects here, the head type should be
     * DCERPCUuidEntryList; if the member is unused it should be removed. */
    TAILQ_HEAD(, uuid_entry) uuid_list;
} DCERPCUDP;
209 
/* Bits of the connection-oriented (CO) header `pfc_flags' byte
 * (DCERPCHdr.pfc_flags). A PDU with neither PFC_FIRST_FRAG nor
 * PFC_LAST_FRAG is a middle fragment; a reassembler should bound the total
 * size accumulated across fragments, not only each frag_length. */
/** First fragment */
#define PFC_FIRST_FRAG 0x01
/** Last fragment */
#define PFC_LAST_FRAG 0x02
/** Cancel was pending at sender */
#define PFC_PENDING_CANCEL 0x04
/** Reserved bit; the spec assigns it no meaning. */
#define PFC_RESERVED_1 0x08
/** supports concurrent multiplexing of a single connection. */
#define PFC_CONC_MPX 0x10
/** only meaningful on `fault' packet; if true, guaranteed
 * call did not execute. */
#define PFC_DID_NOT_EXECUTE 0x20
/** `maybe' call semantics requested */
#define PFC_MAYBE 0x40
/** if true, a non-nil object UUID was specified in the handle, and
 * is present in the optional object field. If false, the object field
 * is omitted. */
#define PFC_OBJECT_UUID 0x80
/* bind_nak provider reject reasons (the spec's p_reject_reason_t), carried in
 * the body of a BIND_NAK PDU. The ones marked "not used" are defined by the
 * spec but, per the original comments, not used by this code. */
#define REASON_NOT_SPECIFIED 0
#define TEMPORARY_CONGESTION 1
#define LOCAL_LIMIT_EXCEEDED 2
#define CALLED_PADDR_UNKNOWN 3 /* not used */
#define PROTOCOL_VERSION_NOT_SUPPORTED 4
#define DEFAULT_CONTEXT_NOT_SUPPORTED 5 /* not used */
#define USER_DATA_NOT_READABLE 6 /* not used */
#define NO_PSAP_AVAILABLE 7 /* not used */
/** Feed input to the connection-oriented parser: the DCERPC state, the input
 *  buffer and its length in bytes. NOTE(review): whether the int32_t return
 *  is a byte count consumed or a status code is not documented here; check
 *  the definition before relying on it. */
int32_t DCERPCParser(DCERPC *, const uint8_t *, uint32_t);
/** Debug helper: dump `len' bytes starting at `buf'. */
void hexdump(const void *buf, size_t len);
/** Debug helper: print the uuid, major/minor version and accepted/rejected
 *  state of a uuid entry, labelled with `type'. NOTE(review): `type' is a
 *  caller-supplied string; the implementation should print it as data
 *  (e.g. "%s"), never as the format string itself. */
void printUUID(const char *type, DCERPCUuidEntry *uuid);
241 
242 #endif /* __APP_LAYER_DCERPC_COMMON_H__ */
243 