app-layer-dcerpc.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "debug.h"
#include "decode.h"
#include "threads.h"
#include "util-print.h"
#include "util-pool.h"
#include "util-debug.h"
#include "flow-util.h"
#include "detect-engine-state.h"
#include "stream-tcp-private.h"
#include "stream-tcp-reassemble.h"
#include "stream-tcp.h"
#include "stream.h"
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "app-layer.h"
#include "util-spm.h"
#include "util-unittest.h"
#include "app-layer-dcerpc.h"


Enumerations

enum  {
  DCERPC_FIELD_NONE = 0, DCERPC_PARSE_DCERPC_HEADER, DCERPC_PARSE_DCERPC_BIND, DCERPC_PARSE_DCERPC_BIND_ACK,
  DCERPC_PARSE_DCERPC_REQUEST, DCERPC_FIELD_MAX
}
 

Functions

void DCERPCUuidListFree (DCERPCUuidEntryList *list)
 
void hexdump (const void *buf, size_t len)
 
void printUUID (const char *type, DCERPCUuidEntry *uuid)
 printUUID prints the UUID, the major and minor version number, and whether it was accepted or rejected in the BIND_ACK.
 
int32_t DCERPCParser (DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
 
void DCERPCInit (DCERPC *dcerpc)
 
void DCERPCCleanup (DCERPC *dcerpc)
 
void RegisterDCERPCParsers (void)
 
void DCERPCParserRegisterTests (void)
 

Detailed Description

Enumeration Type Documentation

anonymous enum
Enumerator
DCERPC_FIELD_NONE 
DCERPC_PARSE_DCERPC_HEADER 
DCERPC_PARSE_DCERPC_BIND 
DCERPC_PARSE_DCERPC_BIND_ACK 
DCERPC_PARSE_DCERPC_REQUEST 
DCERPC_FIELD_MAX 

Definition at line 70 of file app-layer-dcerpc.c.

Function Documentation

void DCERPCInit ( DCERPC *  dcerpc)

Definition at line 1940 of file app-layer-dcerpc.c.

References DCERPCBindBindAck_::accepted_uuid_list, DCERPCState_::dcerpc, DCERPC_::dcerpcbindbindack, DCERPCInit(), SCCalloc, SCEnter, SCReturnPtr, TAILQ_INIT, DCERPC_::transaction_id, unlikely, and DCERPCBindBindAck_::uuid_list.

Referenced by DCERPCInit(), and isAndX().



int32_t DCERPCParser ( DCERPC *  dcerpc,
uint8_t *  input,
uint32_t  input_len 
)
Todo:
  • Currently the parser is very generic. Enable target-based reassembly.
    • Disable re-initializing the tailq for mid and last bind/alter_context PDUs.
    • Use a PM to search for the subsequent 05 00 when we see an inconsistent PDU. This should be done per platform, based on how each platform handles receiving a segment with 2 PDUs where the first PDU in the segment is corrupt.

Definition at line 1458 of file app-layer-dcerpc.c.

References ALTER_CONTEXT, ALTER_CONTEXT_RESP, APP_LAYER_PARSER_EOF, AppLayerParserStateIssetFlag(), DCERPCHdr_::auth_length, BIND, BIND_ACK, DCERPC_::bytesprocessed, DCERPCHdr_::call_id, DCERPCBindBindAck_::ctxbytesprocessed, DCERPCState_::data_needed_for_dir, DCERPCState_::dcerpc, DCERPC_HDR_LEN, DCERPC_::dcerpcbindbindack, DCERPC_::dcerpchdr, DCERPC_::dcerpcrequest, DCERPC_::dcerpcresponse, flags, DCERPCHdr_::frag_length, DCERPCBindBindAck_::numctxitems, DCERPCBindBindAck_::numctxitemsleft, DCERPCRequest_::opnum, DCERPCHdr_::packed_drep, DCERPC_::pad, DCERPC_::padleft, DCERPCHdr_::pfc_flags, REQUEST, RESPONSE, DCERPCHdr_::rpc_vers, DCERPCHdr_::rpc_vers_minor, SCEnter, SCLogDebug, SCReturnInt, DCERPCBindBindAck_::secondaryaddrlen, DCERPCRequest_::stub_data_buffer_reset, DCERPCResponse_::stub_data_buffer_reset, DCERPC_::transaction_id, and DCERPCHdr_::type.


void DCERPCParserRegisterTests ( void  )

Definition at line 5071 of file app-layer-dcerpc.c.

References UtRegisterTest().

Referenced by RegisterDCERPCParsers().



void DCERPCUuidListFree ( DCERPCUuidEntryList *  list)

Definition at line 1962 of file app-layer-dcerpc.c.

References next, SCFree, TAILQ_FIRST, and TAILQ_REMOVE.

Referenced by DCERPCCleanup(), and printUUID().


void hexdump ( const void *  buf,
size_t  len 
)

Definition at line 83 of file app-layer-dcerpc.c.

References len, and strlcat().


void printUUID ( const char *  type,
DCERPCUuidEntry *  uuid 
)

printUUID prints the UUID, the major and minor version number, and whether it was accepted or rejected in the BIND_ACK.

Definition at line 146 of file app-layer-dcerpc.c.

References DCERPCBindBindAck_::accepted_uuid_list, DCERPCHdr_::auth_length, BIND, DCERPC_::bytesprocessed, DCERPCHdr_::call_id, DCERPCBindBindAck_::ctxbytesprocessed, DCERPCUuidEntry_::ctxid, DCERPCBindBindAck_::ctxid, DCERPCRequest_::ctxid, DCERPC_HDR_LEN, DCERPC_UUID_ENTRY_FLAG_FF, DCERPC_::dcerpcbindbindack, DCERPC_::dcerpchdr, DCERPC_::dcerpcrequest, DCERPC_::dcerpcresponse, DCERPCUuidListFree(), DCERPCRequest_::first_request_seen, DCERPCUuidEntry_::flags, DCERPCHdr_::frag_length, DCERPCUuidEntry_::internal_id, MIN, next, DCERPCBindBindAck_::numctxitems, DCERPCBindBindAck_::numctxitemsleft, DCERPCRequest_::opnum, DCERPCHdr_::packed_drep, DCERPC_::padleft, PFC_FIRST_FRAG, DCERPCHdr_::pfc_flags, PFC_LAST_FRAG, REQUEST, RESPONSE, DCERPCUuidEntry_::result, DCERPCBindBindAck_::result, DCERPCHdr_::rpc_vers, DCERPCHdr_::rpc_vers_minor, RunmodeIsUnittests(), SCByteSwap16, SCByteSwap32, SCCalloc, SCEnter, SCFree, SCLogDebug, SCLogDebugEnabled(), SCRealloc, SCReturnInt, SCReturnUInt, DCERPCBindBindAck_::secondaryaddrlen, DCERPCBindBindAck_::secondaryaddrlenleft, DCERPCRequest_::stub_data_buffer, DCERPCResponse_::stub_data_buffer, DCERPCRequest_::stub_data_buffer_len, DCERPCResponse_::stub_data_buffer_len, DCERPCRequest_::stub_data_buffer_reset, DCERPCResponse_::stub_data_buffer_reset, TAILQ_FOREACH, TAILQ_INSERT_HEAD, DCERPCHdr_::type, DCERPCUuidEntry_::uuid, DCERPCBindBindAck_::uuid, DCERPCBindBindAck_::uuid_entry, DCERPCBindBindAck_::uuid_internal_id, DCERPCBindBindAck_::uuid_list, DCERPCUuidEntry_::version, DCERPCBindBindAck_::version, DCERPCUuidEntry_::versionminor, and DCERPCBindBindAck_::versionminor.

Referenced by RegisterDCERPCParsers(), RegisterDCERPCUDPParsers(), and RegisterSMBParsers().



void RegisterDCERPCParsers ( void  )

Definition at line 2058 of file app-layer-dcerpc.c.

References DCERPCBindBindAck_::accepted_uuid_list, Flow_::alproto, ALPROTO_DCERPC, Flow_::alstate, AppLayerParserConfParserEnabled(), AppLayerParserParse(), AppLayerParserRegisterDetectStateFuncs(), AppLayerParserRegisterGetStateProgressCompletionStatus(), AppLayerParserRegisterGetStateProgressFunc(), AppLayerParserRegisterGetTx(), AppLayerParserRegisterGetTxCnt(), AppLayerParserRegisterParser(), AppLayerParserRegisterParserAcceptableDataDirection(), AppLayerParserRegisterProtocolUnittests(), AppLayerParserRegisterStateFuncs(), AppLayerParserRegisterTxFreeFunc(), AppLayerParserThreadCtxAlloc(), AppLayerParserThreadCtxFree(), AppLayerProtoDetectConfProtoDetectionEnabled(), AppLayerProtoDetectRegisterProtocol(), BIND, BIND_ACK, DCERPC_::bytesprocessed, DCERPCBindBindAck_::ctxbytesprocessed, DCERPCUuidEntry_::ctxid, DCERPCState_::dcerpc, DCERPC_::dcerpcbindbindack, DCERPC_::dcerpchdr, DCERPCParserRegisterTests(), DCERPC_::dcerpcrequest, FAIL_IF, FAIL_IF_NOT, FAIL_IF_NULL, FLOW_DESTROY, FLOW_INITIALIZE, FLOWLOCK_UNLOCK, FLOWLOCK_WRLOCK, DCERPCHdr_::frag_length, DCERPCUuidEntry_::internal_id, m, next, DCERPCBindBindAck_::numctxitems, DCERPCBindBindAck_::numctxitemsleft, DCERPCRequest_::opnum, DCERPCHdr_::packed_drep, PASS, printUUID(), Flow_::proto, Flow_::protoctx, REQUEST, DCERPCHdr_::rpc_vers, SCLogInfo, STREAM_EOF, STREAM_START, STREAM_TOCLIENT, STREAM_TOSERVER, StreamTcpFreeConfig(), StreamTcpInitConfig(), DCERPCRequest_::stub_data_buffer, DCERPCRequest_::stub_data_buffer_len, TAILQ_FOREACH, TRUE, DCERPCHdr_::type, DCERPCUuidEntry_::uuid, and DCERPCBindBindAck_::uuid_list.

Referenced by AppLayerParserRegisterProtocolParsers(), and RegisterAllModules().

