/**************************************************************************** * Copyright (C) 2008-2008 Sourcefire,Inc * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or * distribute this program under any other version of the GNU General * Public License. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** * Handles processing of events generated by the preprocessor. * * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com> * ****************************************************************************/#include "dce2_event.h"#include "dce2_memory.h"#include "dce2_config.h"#include "smb.h"#include "dcerpc.h"#include "sf_dynamic_preprocessor.h"#include <stdarg.h>#include <string.h>/******************************************************************** * Global variables ********************************************************************//* Used to print events and their arguments to. Each event gets * a buffer and 255 chars to print to. The reason for the multiple * buffers is that if multiple events fire, we don't want to overwrite * one before it's been written via an output plugin. Only one event * type per session is ever logged. 
*/static char dce2_event_bufs[DCE2_EVENT__MAX][256];/* Used to hold event information */static DCE2_EventNode dce2_events[DCE2_EVENT__MAX];/* Used for matching a command string to a command code */char *dce2_smb_coms[256];/* Used for matching a pdu string to a pdu type */char *dce2_pdu_types[DCERPC_PDU_TYPE__MAX];/******************************************************************** * Extern variables ********************************************************************/extern DynamicPreprocessorData _dpd;/****************************************************************** * Function: DCE2_EventsInit() * * Initializes global data. * * Arguments: None * * Returns: None * ******************************************************************/ void DCE2_EventsInit(void){ DCE2_Event event; char gname[100]; unsigned int i; static const DCE2_EventNode events[DCE2_EVENT__MAX] = { { DCE2_EVENT_FLAG__NONE, DCE2_EVENT__NO_EVENT, "Have to use this because can't have an event sid of zero" }, { DCE2_EVENT_FLAG__MEMCAP, DCE2_EVENT__MEMCAP, "Memory cap exceeded" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_NBSS_TYPE, "SMB - Bad NetBIOS Session Service session type" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_TYPE, "SMB - Bad SMB message type" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_ID, "SMB - Bad SMB Id (not \\xffSMB)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_WCT, "SMB - %s: Bad word count: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_BCC, "SMB - %s: Bad byte count: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_FORMAT, "SMB - %s: Bad format type: %s" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_OFF, "SMB - %s: Bad offset: %p not between %p and %p" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_TDCNT_ZERO, "SMB - %s: Zero total data count" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_SMBHDR, "SMB - NetBIOS data length (%u) less than SMB header length (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_COM, "SMB - %s: Remaining NetBIOS data length (%u) 
less than command length (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_BCC, "SMB - %s: Remaining NetBIOS data length (%u) less than command byte count (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_DSIZE, "SMB - %s: Remaining NetBIOS data length (%u) less than command data size (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_TDCNT_LT_DSIZE, "SMB - %s: Remaining total data count (%u) less than this command data size (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_DSENT_GT_TDCNT, "SMB - %s: Total data sent (%u) greater than command total data expected (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BCC_LT_DSIZE, "SMB - %s: Byte count (%u) less than command data size (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_INVALID_DSIZE, "SMB - %s: Invalid command data size (%u) for byte count (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS, "SMB - %s: Excessive Tree Connect requests (>%u) with pending Tree Connect responses" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_EXCESSIVE_READS, "SMB - %s: Excessive Read requests (>%u) with pending Read responses" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_EXCESSIVE_CHAINING, "SMB - Excessive command chaining (>%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_MULT_CHAIN_SS, "SMB - Multiple chained login requests" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_MULT_CHAIN_TC, "SMB - Multiple chained tree connect requests" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_CHAIN_SS_LOGOFF, "SMB - Chained login followed by logoff" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_CHAIN_TC_TDIS, "SMB - Chained tree connect followed by tree disconnect" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE, "SMB - Chained open pipe followed by close pipe" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_INVALID_SHARE, "SMB - Invalid share access: %s" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_BAD_MAJ_VERSION, "Connection-oriented DCE/RPC - Invalid major version: %u" }, { DCE2_EVENT_FLAG__CO, 
DCE2_EVENT__CO_BAD_MIN_VERSION, "Connection-oriented DCE/RPC - Invalid minor version: %u" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_BAD_PDU_TYPE, "Connection-oriented DCE/RPC - Invalid pdu type: 0x%02x" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FLEN_LT_HDR, "Connection-oriented DCE/RPC - Fragment length (%u) less than header size (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FLEN_LT_SIZE, "Connection-oriented DCE/RPC - %s: Remaining fragment length (%u) less than size needed (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_ZERO_TSYNS, "Connection-oriented DCE/RPC - %s: No transfer syntaxes specified" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG, "Connection-oriented DCE/RPC - %s: Fragment length on non-last fragment (%u) less than " "maximum negotiated fragment transmit size for client (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_GT_MAX_XMIT_FRAG, "Connection-oriented DCE/RPC - %s: Fragment length (%u) greater than " "maximum negotiated fragment transmit size (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_ALTER_CHANGE_BYTE_ORDER, "Connection-oriented DCE/RPC - Alter Context byte order different from Bind" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_DIFF_CALL_ID, "Connection-oriented DCE/RPC - Call id (%u) of non first/last fragment different " "from call id established for fragmented request (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_DIFF_OPNUM, "Connection-oriented DCE/RPC - Opnum (%u) of non first/last fragment different " "from opnum established for fragmented request (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_DIFF_CTX_ID, "Connection-oriented DCE/RPC - Context id (%u) of non first/last fragment different " "from context id established for fragmented request (%u)" }, { DCE2_EVENT_FLAG__CL, DCE2_EVENT__CL_BAD_MAJ_VERSION, "Connection-less DCE/RPC - Invalid major version: %u" }, { DCE2_EVENT_FLAG__CL, DCE2_EVENT__CL_BAD_PDU_TYPE, "Connection-less DCE/RPC - Invalid pdu type: 0x%02x" },