dce2_event.c

snort2.8.4版本

        {
            DCE2_EVENT_FLAG__CL,
            DCE2_EVENT__CL_DATA_LT_HDR,
            "Connection-less DCE/RPC - Data length (%u) less than header size (%u)"
        },
        {
            DCE2_EVENT_FLAG__CL,
            DCE2_EVENT__CL_BAD_SEQ_NUM,
            "Connection-less DCE/RPC - %s: Bad sequence number"
        },
    };

    snprintf(gname, sizeof(gname) - 1, "(%s) ", DCE2_GNAME);
    gname[sizeof(gname) - 1] = '\0';

    for (event = 0; event < DCE2_EVENT__MAX; event++)
    {
        int size = strlen(gname) + strlen(events[event].format) + 1;

        /* This is a check to make sure all of the events in the array are
         * in the same order as the enum, so we index the right thing when
         * alerting - DO NOT REMOVE THIS CHECK */
        if (events[event].event != event)
            DCE2_Die("%s: DCE2_EventsInit(): Events are not in the right order.\n", DCE2_GNAME);

        dce2_events[event].format = (char *)DCE2_Alloc(size, DCE2_MEM_TYPE__INIT);
        if (dce2_events[event].format == NULL)
            DCE2_Die("%s: DCE2_EventsInit(): Out of memory.\n", DCE2_GNAME);

        dce2_events[event].format[size - 1] = '\0';
        snprintf(dce2_events[event].format, size, "%s%s", gname, events[event].format);
        if (dce2_events[event].format[size - 1] != '\0')
            DCE2_Die("%s: DCE2_EventsInit(): Event string truncated.\n", DCE2_GNAME);

        dce2_events[event].eflag = events[event].eflag;
        dce2_events[event].event = events[event].event;
    }

    for (i = 0; i < (sizeof(dce2_smb_coms) / sizeof(char *)); i++)
    {
        char *com;

        switch (i)
        {
            case SMB_COM_OPEN:
                com = "Open";
                break;
            case SMB_COM_CLOSE:
                com = "Close";
                break;
            case SMB_COM_READ:
                com = "Read";
                break;
            case SMB_COM_WRITE:
                com = "Write";
                break;
            case SMB_COM_READ_BLOCK_RAW:
                com = "Read Block Raw";
                break;
            case SMB_COM_WRITE_BLOCK_RAW:
                com = "Write Block Raw";
                break;
            case SMB_COM_WRITE_COMPLETE:
                com = "Write Complete";
                break;
            case SMB_COM_TRANS:
                com = "Transaction";
                break;
            case SMB_COM_TRANS_SEC:
                com = "Transaction Secondary";
                break;
            case SMB_COM_WRITE_AND_CLOSE:
                com = "Write and Close";
                break;
            case SMB_COM_OPEN_ANDX:
                com = "Open AndX";
                break;
            case SMB_COM_READ_ANDX:
                com = "Read AndX";
                break;
            case SMB_COM_WRITE_ANDX:
                com = "Write AndX";
                break;
            case SMB_COM_NT_CREATE_ANDX:
                com = "Nt Create AndX";
                break;
            case SMB_COM_TREE_CON:
                com = "Tree Connect";
                break;
            case SMB_COM_TREE_DIS:
                com = "Tree Disconnect";
                break;
            case SMB_COM_NEGPROT:
                com = "Negotiate Protocol";
                break;
            case SMB_COM_SESS_SETUP_ANDX:
                com = "Session Setup AndX";
                break;
            case SMB_COM_LOGOFF_ANDX:
                com = "Logoff AndX";
                break;
            case SMB_COM_TREE_CON_ANDX:
                com = "Tree Connect AndX";
                break;
            case SMB_COM_RENAME:
                com = "Rename";
                break;
            default:
                com = "Unknown SMB command";
                break;
        }

        dce2_smb_coms[i] = (char *)DCE2_Alloc(strlen(com) + 1, DCE2_MEM_TYPE__INIT);
        strncpy(dce2_smb_coms[i], com, strlen(com));
        dce2_smb_coms[i][strlen(com)] = '\0';
#ifdef DCE2_EVENT_PRINT_DEBUG
        printf("%s\n", dce2_smb_coms[i]);
#endif
    }

    for (i = 0; i < (sizeof(dce2_pdu_types) / sizeof(char *)); i++)
    {
        char *type;

        switch (i)
        {
            case DCERPC_PDU_TYPE__REQUEST:
                type = "Request";
                break;
            case DCERPC_PDU_TYPE__PING:
                type = "Ping";
                break;
            case DCERPC_PDU_TYPE__RESPONSE:
                type = "Response";
                break;
            case DCERPC_PDU_TYPE__FAULT:
                type = "Fault";
                break;
            case DCERPC_PDU_TYPE__WORKING:
                type = "Working";
                break;
            case DCERPC_PDU_TYPE__NOCALL:
                type = "NoCall";
                break;
            case DCERPC_PDU_TYPE__REJECT:
                type = "Reject";
                break;
            case DCERPC_PDU_TYPE__ACK:
                type = "Ack";
                break;
            case DCERPC_PDU_TYPE__CL_CANCEL:
                type = "Cancel";
                break;
            case DCERPC_PDU_TYPE__FACK:
                type = "Fack";
                break;
            case DCERPC_PDU_TYPE__CANCEL_ACK:
                type = "Cancel Ack";
                break;
            case DCERPC_PDU_TYPE__BIND:
                type = "Bind";
                break;
            case DCERPC_PDU_TYPE__BIND_ACK:
                type = "Bind Ack";
                break;
            case DCERPC_PDU_TYPE__BIND_NACK:
                type = "Bind Nack";
                break;
            case DCERPC_PDU_TYPE__ALTER_CONTEXT:
                type = "Alter Context";
                break;
            case DCERPC_PDU_TYPE__ALTER_CONTEXT_RESP:
                type = "Alter Context Response";
                break;
            case DCERPC_PDU_TYPE__SHUTDOWN:
                type = "Shutdown";
                break;
            case DCERPC_PDU_TYPE__CO_CANCEL:
                type = "Cancel";
                break;
            case DCERPC_PDU_TYPE__ORPHANED:
                type = "Orphaned";
                break;
            default:
                type = "Unknown DCE/RPC type";
                break;
        }

        dce2_pdu_types[i] = (char *)DCE2_Alloc(strlen(type) + 1, DCE2_MEM_TYPE__INIT);
        strncpy(dce2_pdu_types[i], type, strlen(type));
        dce2_pdu_types[i][strlen(type)] = '\0';
#ifdef DCE2_EVENT_PRINT_DEBUG
        printf("%s\n", dce2_pdu_types[i]);
#endif
    }
}

/******************************************************************
 * Function: DCE2_Alert()
 *
 * Potentially generates an alert if an event is triggered.
 *
 * Arguments:
 *  DCE2_SsnData *
 *      This is the current session data structure being used
 *      when the event was triggered.  It is not a necessary
 *      argument if no session data is currently available, for
 *      example if the event is a memcap event - pass in NULL in
 *      this case.
 *  DCE2_Event
 *      The event type that was triggered.
 *  ...
 *      The arguments to the format for the event.
 *       
 * Returns: None
 *
 ******************************************************************/ 
void DCE2_Alert(DCE2_SsnData *sd, DCE2_Event e, ...)
{
    va_list ap;

    if (sd != NULL)
    {
        /* Only log a specific alert once per session */
        if (sd->alert_mask & (1 << e))
            return;

        /* set bit for this alert so we don't alert on again
         * in this session */
        sd->alert_mask |= (1 << e);
    }

    if (!DCE2_GcAlertOnEvent(dce2_events[e].eflag))
        return;

    va_start(ap, e);
    vsnprintf(dce2_event_bufs[e], sizeof(dce2_event_bufs[e]) - 1, dce2_events[e].format, ap);
    va_end(ap);

    /* Make sure it's NULL terminated */
    dce2_event_bufs[e][sizeof(dce2_event_bufs[e]) - 1] = '\0';

    DCE2_DEBUG_MSG(DCE2_DEBUG__ALL, "DCE2 Alert => %s\n", dce2_event_bufs[e]);

    _dpd.alertAdd(GENERATOR_DCE2, e, 1, 0, 3, dce2_event_bufs[e], 0);
}

/******************************************************************
 * Function: DCE2_EventsFree()
 *
 * Frees any global data that was dynamically allocated.
 *
 * Arguments: None
 *       
 * Returns: None
 *
 ******************************************************************/ 
void DCE2_EventsFree(void)
{
    unsigned int i;

    for (i = 0; i < DCE2_EVENT__MAX; i++)
    {
        if (dce2_events[i].format != NULL)
            DCE2_Free((void *)dce2_events[i].format, strlen(dce2_events[i].format) + 1, DCE2_MEM_TYPE__INIT);
    }

    for (i = 0; i < (sizeof(dce2_smb_coms) / sizeof(char *)); i++)
    {
        if (dce2_smb_coms[i] != NULL)
            DCE2_Free((void *)dce2_smb_coms[i], strlen(dce2_smb_coms[i]) + 1, DCE2_MEM_TYPE__INIT);
    }

    for (i = 0; i < (sizeof(dce2_pdu_types) / sizeof(char *)); i++)
    {
        if (dce2_pdu_types[i] != NULL)
            DCE2_Free((void *)dce2_pdu_types[i], strlen(dce2_pdu_types[i]) + 1, DCE2_MEM_TYPE__INIT);
    }
}