author | rafaliusz <rafaliusz@o2.pl> | 2020-12-08 15:48:53 +0100 |
committer | GitHub <noreply@github.com> | 2020-12-08 15:48:53 +0100 |
commit | 1ecc6d323eff8f5d7990e88675c1cc99c4eadb79 (patch) | |
tree | 67d4bd0bae4fcb683628999ff8439febc6fb8a21 /src/lib/protocols/dcerpc.c | |
parent | 860ef58aceed8dd8907f16d026c58345f1d84fb3 (diff) |
Add a connectionless DCE/RPC detection (#1078)
* Add connectionless DCE/RPC detection
* Add DCE/RPC pcap file as well as its test result
Co-authored-by: rafal <rafal.burzynski@cryptomage.com>
Diffstat (limited to 'src/lib/protocols/dcerpc.c')
-rw-r--r-- | src/lib/protocols/dcerpc.c | 42 |
1 files changed, 34 insertions, 8 deletions
diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c
index ae1266a01..004351e14 100644
--- a/src/lib/protocols/dcerpc.c
+++ b/src/lib/protocols/dcerpc.c
@@ -26,7 +26,7 @@
 #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DCERPC
 #include "ndpi_api.h"
-
+#include <stdbool.h>
 static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
@@ -34,18 +34,45 @@ static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DCERPC, NDPI_PROTOCOL_UNKNOWN);
 }
-void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow)
 {
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search DCERPC\n");
-
 if((packet->tcp != NULL) && (packet->payload_packet_len >= 64) && (packet->payload[0] == 0x05) /* version 5 */ && (packet->payload[2] < 16) /* Packet type */ && (((packet->payload[9]<<8) | packet->payload[8]) == packet->payload_packet_len) /* Packet Length */ ) {
+ return true;
+ }
+ return false;
+}
+
+bool is_connectionless_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow)
+{
+ if (packet->udp == NULL)
+ return false;
+ if (packet->payload_packet_len < 80)
+ return false;
+ if (packet->payload[0] != 0x04) /* type must be equal to 4 */
+ return false;
+ if (packet->payload[1] > 10) /* must be <= CANCEL ACK or it's not connectionless DCE/RPC */
+ return false;
+ if (packet->payload[3] & 0xFC) /* flags2: bit 3:8 are reserved for future use and must be set to 0 */
+ return false;
+ if (packet->payload[4] & 0xEE) /* neither big endian nor little endian */
+ return false;
+ if (packet->payload[5] > 3) /* invalid floating point type */
+ return false;
+
+ return true;
+}
+
+void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ NDPI_LOG_DBG(ndpi_struct, "search DCERPC\n");
+ if (is_connection_oriented_dcerpc(packet, flow) || is_connectionless_dcerpc(packet, flow)) {
 NDPI_LOG_INFO(ndpi_struct, "found DCERPC\n");
 ndpi_int_dcerpc_add_connection(ndpi_struct, flow);
 return;
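Review bot: `is_connectionless_dcerpc` classifies any UDP payload of 80 or more bytes on the shape of header bytes 0, 1, 3, 4 and 5 alone, with no length consistency check, whereas `is_connection_oriented_dcerpc` in the same hunk also requires the fragment length at bytes 8–9 to equal `payload_packet_len`; with the third hunk enabling this dissector for UDP, the connectionless path has the larger false-positive surface. The CL header carries a 16-bit body length at offset 74, stored in the byte order selected by drep byte 0 (bit 0x10 set means little-endian), so the same sanity check is available before `return true;`: `uint16_t body_len = (packet->payload[4] & 0x10) ? (packet->payload[74] | (packet->payload[75] << 8)) : ((packet->payload[74] << 8) | packet->payload[75]);` followed by `if (80 + body_len > packet->payload_packet_len) return false;`. Separately, both new helpers are non-static with unprefixed names and never read their `flow` argument; declaring them `static bool is_connectionless_dcerpc(const struct ndpi_packet_struct *packet)` (and likewise for the connection-oriented one) keeps them out of the library's exported symbol table. The body of `ndpi_search_dcerpc` continues past the end of the hunk.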
@@ -61,9 +88,8 @@ void init_dcerpc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
 ndpi_set_bitmask_protocol_detection("DCE_RPC", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_DCERPC, ndpi_search_dcerpc,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
 SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK);
 *id += 1;
 }
- |