static int DCE2_ReloadVerifyPolicy( tSfPolicyUserContextId config, tSfPolicyId policyId, void* pData ) { DCE2_Config *swap_config = (DCE2_Config *)pData; DCE2_Config *current_config = (DCE2_Config *)sfPolicyUserDataGet(dce2_config, policyId); DCE2_ServerConfig *dconfig; //do any housekeeping before freeing DCE2_Config if ( swap_config == NULL || swap_config->gconfig->disabled ) return 0; if (!_dpd.isPreprocEnabled(PP_STREAM5)) { DCE2_Die("%s(%d) \"%s\" configuration: " "Stream5 must be enabled with TCP and UDP tracking.", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } dconfig = swap_config->dconfig; if (dconfig == NULL) DCE2_CreateDefaultServerConfig(swap_config, policyId); #ifdef TARGET_BASED if (!_dpd.isAdaptiveConfigured(policyId, 1)) #endif { DCE2_ScCheckTransports(swap_config); } #ifdef ENABLE_PAF DCE2_AddPortsToPaf(swap_config, policyId); #endif /* Register routing table memory */ if (swap_config->sconfigs != NULL) DCE2_RegMem(sfrt_usage(swap_config->sconfigs), DCE2_MEM_TYPE__RT); if (current_config == NULL) return 0; if (swap_config->gconfig->memcap != current_config->gconfig->memcap) { _dpd.errMsg("dcerpc2 reload: Changing the memcap requires a restart.\n"); DCE2_FreeConfigs(dce2_swap_config); dce2_swap_config = NULL; return -1; } return 0; }
/********************************************************************* * Function: DCE2_InitRpkts() * * Purpose: Allocate and initialize reassembly packets. * * Arguments: None * * Returns: None * *********************************************************************/ void DCE2_InitRpkts(void) { int i; dce2_pkt_stack = DCE2_CStackNew(DCE2_PKT_STACK__SIZE, NULL, DCE2_MEM_TYPE__INIT); if (dce2_pkt_stack == NULL) { DCE2_Die("%s(%d) Failed to allocate memory for packet stack.", __FILE__, __LINE__); } for ( i = 0; i < DCE2_RPKT_TYPE__MAX; i++ ) dce2_rpkt[i] = _dpd.encodeNew(); }
/******************************************************************** * Function: * * Purpose: * * Arguments: * * Returns: * ********************************************************************/ static inline void DCE2_CreateTransStr(char **trans_buf, DCE2_TransType ttype, char *trans_str) { if ((trans_buf == NULL) || (trans_str == NULL)) return; trans_buf[ttype] = (char *)DCE2_Alloc(strlen(trans_str) + 1, DCE2_MEM_TYPE__INIT); if (trans_buf[ttype] == NULL) { DCE2_Die("%s(%d) Failed to allocate memory for transport string", __FILE__, __LINE__); } snprintf(trans_buf[ttype], strlen(trans_str) + 1, "%s", trans_str); }
/******************************************************************** * Function: * * Purpose: * * Arguments: * * Returns: * ********************************************************************/ void * DCE2_Alloc(uint32_t size, DCE2_MemType mtype) { void *mem; if (DCE2_CheckMemcap(size, mtype) != DCE2_MEMCAP_OK) return NULL; mem = calloc(1, (size_t)size); if (mem == NULL) { DCE2_Die("%s(%d) Out of memory!", __FILE__, __LINE__); } DCE2_RegMem(size, mtype); return mem; }
/********************************************************************* * Function: DCE2_ReloadServer() * * Purpose: Creates a new DCE/RPC server configuration * * Arguments: snort.conf argument line for the DCE/RPC preprocessor. * * Returns: None * *********************************************************************/ static void DCE2_ReloadServer(char *args) { tSfPolicyId policy_id = _dpd.getParserPolicy(); DCE2_Config *pPolicyConfig = NULL; sfPolicyUserPolicySet (dce2_swap_config, policy_id); pPolicyConfig = (DCE2_Config *)sfPolicyUserDataGetCurrent(dce2_swap_config); if ((pPolicyConfig == NULL) || (pPolicyConfig->gconfig == NULL)) { DCE2_Die("%s(%d) \"%s\" configuration: \"%s\" must be configured " "before \"%s\".", *_dpd.config_file, *_dpd.config_line, DCE2_SNAME, DCE2_GNAME, DCE2_SNAME); } /* Parse configuration args */ DCE2_ServerConfigure(pPolicyConfig, args); }
static int DCE2_CheckConfigPolicy( tSfPolicyUserContextId config, tSfPolicyId policyId, void* pData ) { DCE2_Config *pPolicyConfig = (DCE2_Config *)pData; DCE2_ServerConfig *dconfig; if ( pPolicyConfig->gconfig->disabled ) return 0; _dpd.setParserPolicy(policyId); // config_file/config_line are not set here if (!_dpd.isPreprocEnabled(PP_STREAM5)) { DCE2_Die("Stream5 must be enabled with TCP and UDP tracking."); } dconfig = pPolicyConfig->dconfig; if (dconfig == NULL) DCE2_CreateDefaultServerConfig(pPolicyConfig, policyId); #ifdef TARGET_BASED if (!_dpd.isAdaptiveConfigured(policyId, 1)) #endif { DCE2_ScCheckTransports(pPolicyConfig); } #ifdef ENABLE_PAF DCE2_AddPortsToPaf(pPolicyConfig, policyId); #endif /* Register routing table memory */ if (pPolicyConfig->sconfigs != NULL) DCE2_RegMem(sfrt_usage(pPolicyConfig->sconfigs), DCE2_MEM_TYPE__RT); return 0; }
/********************************************************************* * Function: DCE2_ReloadGlobal() * * Purpose: Creates a new global DCE/RPC preprocessor config. * * Arguments: snort.conf argument line for the DCE/RPC preprocessor. * * Returns: None * *********************************************************************/ static void DCE2_ReloadGlobal(char *args) { tSfPolicyId policy_id = _dpd.getParserPolicy(); DCE2_Config *pDefaultPolicyConfig = NULL; DCE2_Config *pCurrentPolicyConfig = NULL; if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5)) { DCE2_Die("%s(%d) \"%s\" configuration: " "Stream5 must be enabled with TCP and UDP tracking.", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } if (dce2_swap_config == NULL) { //create a context dce2_swap_config = sfPolicyConfigCreate(); if (dce2_swap_config == NULL) { DCE2_Die("%s(%d) \"%s\" configuration: Could not allocate memory " "configuration.\n", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } _dpd.addPreprocReloadVerify(DCE2_ReloadVerify); } sfPolicyUserPolicySet(dce2_swap_config, policy_id); pDefaultPolicyConfig = (DCE2_Config *)sfPolicyUserDataGetDefault(dce2_swap_config); pCurrentPolicyConfig = (DCE2_Config *)sfPolicyUserDataGetCurrent(dce2_swap_config); if ((policy_id != 0) && (pDefaultPolicyConfig == NULL)) { DCE2_Die("%s(%d) \"%s\" configuration: Must configure default policy " "if other policies are to be configured.\n", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } /* Can only do one global configuration */ if (pCurrentPolicyConfig != NULL) { DCE2_Die("%s(%d) \"%s\" configuration: Only one global configuration can be specified.", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } DCE2_RegRuleOptions(); pCurrentPolicyConfig = (DCE2_Config *)DCE2_Alloc(sizeof(DCE2_Config), DCE2_MEM_TYPE__CONFIG); sfPolicyUserDataSetCurrent(dce2_swap_config, pCurrentPolicyConfig); /* Parse configuration args */ DCE2_GlobalConfigure(pCurrentPolicyConfig, args); if ( pCurrentPolicyConfig->gconfig->disabled ) return; _dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION, PP_DCE2, PROTO_BIT__TCP | PROTO_BIT__UDP); #ifdef TARGET_BASED _dpd.streamAPI->set_service_filter_status (dce2_proto_ids.dcerpc, PORT_MONITOR_SESSION, policy_id, 1); _dpd.streamAPI->set_service_filter_status (dce2_proto_ids.nbss, PORT_MONITOR_SESSION, policy_id, 1); #endif if (policy_id != 0) pCurrentPolicyConfig->gconfig->memcap = pDefaultPolicyConfig->gconfig->memcap; }
/********************************************************************* * Function: DCE2_InitGlobal() * * Purpose: Initializes the global DCE/RPC preprocessor config. * * Arguments: snort.conf argument line for the DCE/RPC preprocessor. * * Returns: None * *********************************************************************/ static void DCE2_InitGlobal(char *args) { tSfPolicyId policy_id = _dpd.getParserPolicy(); DCE2_Config *pDefaultPolicyConfig = NULL; DCE2_Config *pCurrentPolicyConfig = NULL; if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5)) { DCE2_Die("%s(%d) \"%s\" configuration: " "Stream5 must be enabled with TCP and UDP tracking.", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } if (dce2_config == NULL) { dce2_config = sfPolicyConfigCreate(); if (dce2_config == NULL) { DCE2_Die("%s(%d) \"%s\" configuration: Could not allocate memory " "configuration.\n", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } DCE2_MemInit(); DCE2_StatsInit(); DCE2_EventsInit(); /* Initialize reassembly packet */ DCE2_InitRpkts(); DCE2_SmbInitGlobals(); _dpd.addPreprocConfCheck(DCE2_CheckConfig); _dpd.registerPreprocStats(DCE2_GNAME, DCE2_PrintStats); _dpd.addPreprocReset(DCE2_Reset, NULL, PRIORITY_LAST, PP_DCE2); _dpd.addPreprocResetStats(DCE2_ResetStats, NULL, PRIORITY_LAST, PP_DCE2); _dpd.addPreprocExit(DCE2_CleanExit, NULL, PRIORITY_LAST, PP_DCE2); #ifdef PERF_PROFILING _dpd.addPreprocProfileFunc(DCE2_PSTAT__MAIN, &dce2_pstat_main, 0, _dpd.totalPerfStats); _dpd.addPreprocProfileFunc(DCE2_PSTAT__SESSION, &dce2_pstat_session, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__NEW_SESSION, &dce2_pstat_new_session, 2, &dce2_pstat_session); _dpd.addPreprocProfileFunc(DCE2_PSTAT__SSN_STATE, &dce2_pstat_session_state, 2, &dce2_pstat_session); _dpd.addPreprocProfileFunc(DCE2_PSTAT__LOG, &dce2_pstat_log, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__DETECT, &dce2_pstat_detect, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__SMB_SEG, &dce2_pstat_smb_seg, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__SMB_REQ, &dce2_pstat_smb_req, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__SMB_UID, &dce2_pstat_smb_uid, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__SMB_TID, &dce2_pstat_smb_tid, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__SMB_FID, &dce2_pstat_smb_fid, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__SMB_FP, &dce2_pstat_smb_fingerprint, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__SMB_NEG, &dce2_pstat_smb_negotiate, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__CO_SEG, &dce2_pstat_co_seg, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__CO_FRAG, &dce2_pstat_co_frag, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__CO_REASS, &dce2_pstat_co_reass, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__CO_CTX, &dce2_pstat_co_ctx, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__CL_ACTS, &dce2_pstat_cl_acts, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__CL_FRAG, &dce2_pstat_cl_frag, 1, &dce2_pstat_main); _dpd.addPreprocProfileFunc(DCE2_PSTAT__CL_REASS, &dce2_pstat_cl_reass, 1, &dce2_pstat_main); #endif #ifdef TARGET_BASED dce2_proto_ids.dcerpc = _dpd.findProtocolReference(DCE2_PROTO_REF_STR__DCERPC); if (dce2_proto_ids.dcerpc == SFTARGET_UNKNOWN_PROTOCOL) dce2_proto_ids.dcerpc = _dpd.addProtocolReference(DCE2_PROTO_REF_STR__DCERPC); /* smb and netbios-ssn refer to the same thing */ dce2_proto_ids.nbss = _dpd.findProtocolReference(DCE2_PROTO_REF_STR__NBSS); if (dce2_proto_ids.nbss == SFTARGET_UNKNOWN_PROTOCOL) dce2_proto_ids.nbss = _dpd.addProtocolReference(DCE2_PROTO_REF_STR__NBSS); #endif } sfPolicyUserPolicySet(dce2_config, policy_id); pDefaultPolicyConfig = (DCE2_Config *)sfPolicyUserDataGetDefault(dce2_config); pCurrentPolicyConfig = (DCE2_Config *)sfPolicyUserDataGetCurrent(dce2_config); if ((policy_id != 0) && (pDefaultPolicyConfig == NULL)) { DCE2_Die("%s(%d) \"%s\" configuration: Must configure default policy " "if other policies are to be configured.\n", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } /* Can only do one global configuration */ if (pCurrentPolicyConfig != NULL) { DCE2_Die("%s(%d) \"%s\" configuration: Only one global configuration can be specified.", *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); } DCE2_RegRuleOptions(); pCurrentPolicyConfig = (DCE2_Config *)DCE2_Alloc(sizeof(DCE2_Config), DCE2_MEM_TYPE__CONFIG); sfPolicyUserDataSetCurrent(dce2_config, pCurrentPolicyConfig); /* Parse configuration args */ DCE2_GlobalConfigure(pCurrentPolicyConfig, args); if (policy_id != 0) pCurrentPolicyConfig->gconfig->memcap = pDefaultPolicyConfig->gconfig->memcap; if ( pCurrentPolicyConfig->gconfig->disabled ) return; /* Register callbacks */ _dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION, PP_DCE2, PROTO_BIT__TCP | PROTO_BIT__UDP); #ifdef TARGET_BASED _dpd.streamAPI->set_service_filter_status (dce2_proto_ids.dcerpc, PORT_MONITOR_SESSION, policy_id, 1); _dpd.streamAPI->set_service_filter_status (dce2_proto_ids.nbss, PORT_MONITOR_SESSION, policy_id, 1); #endif }
/******************************************************************** * Function: * * Purpose: * * Arguments: * * Returns: * ********************************************************************/ void DCE2_StatsInit(void) { memset(&dce2_stats, 0, sizeof(dce2_stats)); if (dce2_trans_strs == NULL) { DCE2_TransType ttype; dce2_trans_strs = (char **)DCE2_Alloc((DCE2_TRANS_TYPE__MAX * sizeof(char *)), DCE2_MEM_TYPE__INIT); if (dce2_trans_strs == NULL) { DCE2_Die("%s(%d) Failed to allocate memory for transport string " "array", __FILE__, __LINE__); } for (ttype = DCE2_TRANS_TYPE__NONE; ttype < DCE2_TRANS_TYPE__MAX; ttype++) { switch (ttype) { case DCE2_TRANS_TYPE__NONE: break; case DCE2_TRANS_TYPE__SMB: { char *str = "SMB"; DCE2_CreateTransStr(dce2_trans_strs, ttype, str); } break; case DCE2_TRANS_TYPE__TCP: { char *str = "TCP"; DCE2_CreateTransStr(dce2_trans_strs, ttype, str); } break; case DCE2_TRANS_TYPE__UDP: { char *str = "UDP"; DCE2_CreateTransStr(dce2_trans_strs, ttype, str); } break; case DCE2_TRANS_TYPE__HTTP_PROXY: { char *str = "HTTP Proxy"; DCE2_CreateTransStr(dce2_trans_strs, ttype, str); } break; case DCE2_TRANS_TYPE__HTTP_SERVER: { char *str = "HTTP Server"; DCE2_CreateTransStr(dce2_trans_strs, ttype, str); } break; default: DCE2_Die("%s(%d) Invalid transport type for allocing " "transport strings: %d", __FILE__, __LINE__, ttype); break; } } } }
/****************************************************************** * Function: DCE2_EventsInit() * * Initializes global data. * * Arguments: None * * Returns: None * ******************************************************************/ void DCE2_EventsInit(void) { DCE2_Event event; char gname[100]; unsigned int i; static const DCE2_EventNode events[DCE2_EVENT__MAX] = { { DCE2_EVENT_FLAG__NONE, DCE2_EVENT__NO_EVENT, "Have to use this because can't have an event sid of zero" }, { DCE2_EVENT_FLAG__MEMCAP, DCE2_EVENT__MEMCAP, "Memory cap exceeded" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_NBSS_TYPE, "SMB - Bad NetBIOS Session Service session type" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_TYPE, "SMB - Bad SMB message type" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_ID, "SMB - Bad SMB Id (not \\xffSMB for SMB1 or not \\xfeSMB for SMB2)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_WCT, "SMB - Bad word count or structure size: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_BCC, "SMB - Bad byte count: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_FORMAT, "SMB - Bad format type: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BAD_OFF, "SMB - Bad offset: %p not between %p and %p" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_TDCNT_ZERO, "SMB - Zero total data count" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_SMBHDR, "SMB - NetBIOS data length (%u) less than SMB header length (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_COM, "SMB - Remaining NetBIOS data length (%u) less than command length (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_BCC, "SMB - Remaining NetBIOS data length (%u) less than command byte count (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_NB_LT_DSIZE, "SMB - Remaining NetBIOS data length (%u) less than command data size (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_TDCNT_LT_DSIZE, "SMB - Remaining total data count (%u) less than this command data size (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_DSENT_GT_TDCNT, "SMB - Total data sent ("STDu64") greater than command total data expected (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_BCC_LT_DSIZE, "SMB - Byte count (%u) less than command data size ("STDu64")" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_INVALID_DSIZE, "SMB - Invalid command data size (%u) for byte count (%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS, "SMB - Excessive Tree Connect requests (>%u) with pending Tree Connect responses" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_EXCESSIVE_READS, "SMB - Excessive Read requests (>%u) with pending Read responses" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_EXCESSIVE_CHAINING, "SMB - Excessive command chaining (>%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_MULT_CHAIN_SS, "SMB - Multiple chained login requests" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_MULT_CHAIN_TC, "SMB - Multiple chained tree connect requests" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_CHAIN_SS_LOGOFF, "SMB - Chained/Compounded login followed by logoff" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_CHAIN_TC_TDIS, "SMB - Chained/Compounded tree connect followed by tree disconnect" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE, "SMB - Chained/Compounded open pipe followed by close pipe" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_INVALID_SHARE, "SMB - Invalid share access: %s" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_BAD_MAJ_VERSION, "Connection-oriented DCE/RPC - Invalid major version: %u" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_BAD_MIN_VERSION, "Connection-oriented DCE/RPC - Invalid minor version: %u" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_BAD_PDU_TYPE, "Connection-oriented DCE/RPC - Invalid pdu type: 0x%02x" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FLEN_LT_HDR, "Connection-oriented DCE/RPC - Fragment length (%u) less than header size (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FLEN_LT_SIZE, "Connection-oriented DCE/RPC - %s: Remaining fragment length (%u) less than size needed (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_ZERO_CTX_ITEMS, "Connection-oriented DCE/RPC - %s: No context items specified" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_ZERO_TSYNS, "Connection-oriented DCE/RPC - %s: No transfer syntaxes specified" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG, "Connection-oriented DCE/RPC - %s: Fragment length on non-last fragment (%u) less than " "maximum negotiated fragment transmit size for client (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_GT_MAX_XMIT_FRAG, "Connection-oriented DCE/RPC - %s: Fragment length (%u) greater than " "maximum negotiated fragment transmit size (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_ALTER_CHANGE_BYTE_ORDER, "Connection-oriented DCE/RPC - Alter Context byte order different from Bind" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_DIFF_CALL_ID, "Connection-oriented DCE/RPC - Call id (%u) of non first/last fragment different " "from call id established for fragmented request (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_DIFF_OPNUM, "Connection-oriented DCE/RPC - Opnum (%u) of non first/last fragment different " "from opnum established for fragmented request (%u)" }, { DCE2_EVENT_FLAG__CO, DCE2_EVENT__CO_FRAG_DIFF_CTX_ID, "Connection-oriented DCE/RPC - Context id (%u) of non first/last fragment different " "from context id established for fragmented request (%u)" }, { DCE2_EVENT_FLAG__CL, DCE2_EVENT__CL_BAD_MAJ_VERSION, "Connection-less DCE/RPC - Invalid major version: %u" }, { DCE2_EVENT_FLAG__CL, DCE2_EVENT__CL_BAD_PDU_TYPE, "Connection-less DCE/RPC - Invalid pdu type: 0x%02x" }, { DCE2_EVENT_FLAG__CL, DCE2_EVENT__CL_DATA_LT_HDR, "Connection-less DCE/RPC - Data length (%u) less than header size (%u)" }, { DCE2_EVENT_FLAG__CL, DCE2_EVENT__CL_BAD_SEQ_NUM, "Connection-less DCE/RPC - %s: Bad sequence number" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_V1, "SMB - Invalid SMB version 1 seen" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_V2, "SMB - Invalid SMB version 2 seen" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_INVALID_BINDING, "SMB - Invalid user, tree connect, file binding" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB2_EXCESSIVE_COMPOUNDING, "SMB - Excessive command compounding (>%u)" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_DCNT_ZERO, "SMB - Zero data count" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_DCNT_MISMATCH, "SMB - Data count mismatch %u in command / %u in format" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_MAX_REQS_EXCEEDED, "SMB - Maximum number of outstanding requests exceeded: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_REQS_SAME_MID, "SMB - Outstanding requests with same MID", }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_DEPR_DIALECT_NEGOTIATED, "SMB - Deprecated dialect negotiated" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_DEPR_COMMAND_USED, "SMB - Deprecated command used: %s" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_UNUSUAL_COMMAND_USED, "SMB - Unusual command used: %s" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_INVALID_SETUP_COUNT, "SMB - Invalid setup count for %s/%s command: %u" }, { DCE2_EVENT_FLAG__SMB, DCE2_EVENT__SMB_MULTIPLE_NEGOTIATIONS, "SMB - Client attempted multiple dialect negotiations on session" } }; snprintf(gname, sizeof(gname) - 1, "(%s) ", DCE2_GNAME); gname[sizeof(gname) - 1] = '\0'; for (event = DCE2_EVENT__NO_EVENT; event < DCE2_EVENT__MAX; event++) { int size = strlen(gname) + strlen(events[event].format) + 1; /* This is a check to make sure all of the events in the array are * in the same order as the enum, so we index the right thing when * alerting - DO NOT REMOVE THIS CHECK */ if (events[event].event != event) { DCE2_Die("%s(%d) Events are not in the right order.", __FILE__, __LINE__); } dce2_events[event].format = (char *)DCE2_Alloc(size, DCE2_MEM_TYPE__INIT); if (dce2_events[event].format == NULL) { DCE2_Die("%s(%d) Could not allocate memory for events array.", __FILE__, __LINE__); } dce2_events[event].format[size - 1] = '\0'; snprintf(dce2_events[event].format, size, "%s%s", gname, events[event].format); if (dce2_events[event].format[size - 1] != '\0') { DCE2_Die("%s(%d) Event string truncated.", __FILE__, __LINE__); } dce2_events[event].eflag = events[event].eflag; dce2_events[event].event = events[event].event; } for (i = 0; i < (sizeof(dce2_pdu_types) / sizeof(char *)); i++) { char *type; switch (i) { case DCERPC_PDU_TYPE__REQUEST: type = "Request"; break; case DCERPC_PDU_TYPE__PING: type = "Ping"; break; case DCERPC_PDU_TYPE__RESPONSE: type = "Response"; break; case DCERPC_PDU_TYPE__FAULT: type = "Fault"; break; case DCERPC_PDU_TYPE__WORKING: type = "Working"; break; case DCERPC_PDU_TYPE__NOCALL: type = "NoCall"; break; case DCERPC_PDU_TYPE__REJECT: type = "Reject"; break; case DCERPC_PDU_TYPE__ACK: type = "Ack"; break; case DCERPC_PDU_TYPE__CL_CANCEL: type = "Cancel"; break; case DCERPC_PDU_TYPE__FACK: type = "Fack"; break; case DCERPC_PDU_TYPE__CANCEL_ACK: type = "Cancel Ack"; break; case DCERPC_PDU_TYPE__BIND: type = "Bind"; break; case DCERPC_PDU_TYPE__BIND_ACK: type = "Bind Ack"; break; case DCERPC_PDU_TYPE__BIND_NACK: type = "Bind Nack"; break; case DCERPC_PDU_TYPE__ALTER_CONTEXT: type = "Alter Context"; break; case DCERPC_PDU_TYPE__ALTER_CONTEXT_RESP: type = "Alter Context Response"; break; case DCERPC_PDU_TYPE__AUTH3: type = "Auth3"; break; case DCERPC_PDU_TYPE__SHUTDOWN: type = "Shutdown"; break; case DCERPC_PDU_TYPE__CO_CANCEL: type = "Cancel"; break; case DCERPC_PDU_TYPE__ORPHANED: type = "Orphaned"; break; case DCERPC_PDU_TYPE__MICROSOFT_PROPRIETARY_OUTLOOK2003_RPC_OVER_HTTP: type = "Microsoft Exchange/Outlook 2003"; break; default: type = "Unknown DCE/RPC type"; break; } dce2_pdu_types[i] = (char *)DCE2_Alloc(strlen(type) + 1, DCE2_MEM_TYPE__INIT); strncpy(dce2_pdu_types[i], type, strlen(type)); dce2_pdu_types[i][strlen(type)] = '\0'; #ifdef DCE2_EVENT_PRINT_DEBUG printf("%s\n", dce2_pdu_types[i]); #endif } }