<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:106394446;
mso-list-template-ids:1922758308;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:311642822;
mso-list-type:hybrid;
mso-list-template-ids:-538125162 -851547768 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-text:"\(%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2
{mso-list-id:694962086;
mso-list-template-ids:-705240490;}
@list l2:level1
{mso-level-start-at:3;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3
{mso-list-id:1289313782;
mso-list-template-ids:-85441156;}
@list l3:level1
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level4
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level7
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:1458832614;
mso-list-template-ids:464710076;}
@list l4:level1
{mso-level-start-at:2;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Seth,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt">>> If you'd be interested in discussing that, I think that could be a huge<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt">>> addition to Bro (hundreds of new events!).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Yes, I am interested in parsing IDL files, but I plan to do so very selectively. For example, for the At service, I don’t care about all four opnums it exposes... I just care about NetrJobAdd (which indeed is how you designed, too), and
I want to log the command and the remote host to which the command was sent. Similarly, for the Server Service, I don’t care about all fifty opnums that it exposes... I just care about a handful of them, and I want to log key pieces of information associated
with the function call.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">At this point, I have my eye on a few, maybe up to a dozen, specific RPC UUIDs. What is it you would be looking for? Would you want parsers for every opnum in the IDL file? Or just select functions?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">>> ...I'd prefer to see parsing done in the core. Architecturally we try to<o:p></o:p></p>
<p class="MsoNormal">>> avoid passing unparsed data to Bro script land...<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you. That is very important guidance, exactly what I was looking for. It gives me a definitive starting point.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">>> The At service parsing file is still there... but I think there was some slight<o:p></o:p></p>
<p class="MsoNormal">>> architectural change that needed to happen before I could pass data to it.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">An architectural change? The sound of that makes me worry. I see a couple of approaches:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo5">In ‘dce_rpc-analyzer.pac’ we could customize the function ‘process_dce_rpc_request’. We could have it lookup certain UUIDs, such as At-svc, and it if matches, then call InstantiateAnalyzer
and DeliverStream, just like you do for RPC authentication with GSSAPI and NTLM. Pro: Could be implemented easily and quickly. Con: Need a new analyzer for each RPC UUID.<o:p></o:p></li></ol>
<p class="MsoListParagraph"><o:p> </o:p></p>
<ol style="margin-top:0in" start="2" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo5">In ‘dce_rpc-protocol.pac’ we could customize the record ‘DCE_RPC_Request’ to change the ‘stub’ data element to be a big case statement switching on the UUID, akin to ‘SMB_PDU’ within
the SMB analyzer, where the ‘message’ data element switches based on the SMB command. Pro: This is probably the preferred long-term solution. Con: It may be a little more challenging for me to code it correctly, take me a lot longer to implement.<o:p></o:p></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Am I close to the right answer for sending data to the at-svc parser?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Mark<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Seth Hall [mailto:seth@corelight.com] <br>
<b>Sent:</b> Wednesday, January 31, 2018 11:05 AM<br>
<b>To:</b> Fernandez, Mark I <mfernandez@mitre.org><br>
<b>Cc:</b> bro-dev@bro.org<br>
<b>Subject:</b> Re: [Bro-Dev] Bro DCE-RPC Analyzer Questions<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p><span style="font-family:"Arial",sans-serif">The original idea was to get extensive parsing in place for DCE-RPC messages by parsing the IDL files for those services. Someone in the community had hoped to take it on, but hasn't had time yet to complete it.
If you'd be interested in discussing that, I think that could be a huge addition to Bro (hundreds of new events!).<o:p></o:p></span></p>
<p><span style="font-family:"Arial",sans-serif">The At service parsing file is still there because I didn't want to lose track of it but I think there was some slight architectural change that needed to happen before I could pass data to it. I don't think that
data is even going to that parser, it's not just that there aren't events. I'd have to refer back to the code to see what exactly is wrong though.<o:p></o:p></span></p>
<p><span style="font-family:"Arial",sans-serif">As for an approach to this problem right now, I'd prefer to see parsing done in the core. Architecturally we try to avoid passing unparsed data to Bro script land because of performance concerns and we generally
don't have the intrinsic tools to be able to do parsing well in Bro scripts.<o:p></o:p></span></p>
<p><span style="font-family:"Arial",sans-serif">.Seth<o:p></o:p></span></p>
<p><span style="font-family:"Arial",sans-serif">On 25 Jan 2018, at 12:28, Fernandez, Mark I wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #777777 1.5pt;padding:0in 0in 0in 4.0pt;margin-left:0in;margin-right:0in;margin-bottom:3.75pt">
<div id="E930F140-FAD2-4B59-A86F-DD2464F731C8">
<div>
<p style="margin:0in;margin-bottom:.0001pt"><span style="color:#777777">Bro-Dev Group,<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="color:#777777"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="color:#777777">I am doing a little research into using Bro to log and analyze specific Microsoft DCE-RPC interfaces and methods. I notice that the Bro events for ‘dce_rpc_request’ and ‘dce_rpc_response’
provide the length of the RCP data stub (aka ‘stub_len’). I found reference that these events previously provided a byte string containing the stub data itself, but at some point it was reduced to just the stub_len instead. I have a few questions that I
hope you could answer:<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="color:#777777"> <o:p></o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="color:#777777;mso-list:l0 level1 lfo1">What was the reason you decided to remove the stub data from the events and pass only the stub length?<o:p></o:p></li></ol>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span style="color:#777777"> <o:p></o:p></span></p>
<ol style="margin-top:0in" start="2" type="1">
<li class="MsoNormal" style="color:#777777;mso-list:l4 level1 lfo2">On github, I see a BinPAC file for the RPC ‘At’ service (bro/src/analyzerprotocol/dce-rpc/endpoint-atsvc.pac), but there are no events generated by it. I think this would be very useful for
my project. What is the reason that you have the analyzer, but no events for scriptland?<o:p></o:p></li></ol>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span style="color:#777777"> <o:p></o:p></span></p>
<ol style="margin-top:0in" start="3" type="1">
<li class="MsoNormal" style="color:#777777;mso-list:l2 level1 lfo3">I have a use case, for a very few, limited number of RPC interfaces/methods, where I need to receive the stub data in scriptland for logging and analysis. How do you recommend I approach this
scenario? I see a couple options:<o:p></o:p></li></ol>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in;mso-list:l3 level1 lfo4">
<![if !supportLists]><span style="color:#777777"><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#777777">I could customize the DCE-RPC analyzer to pass the sub data for *<b>ALL</b>* ‘dce_rpc_request’ and ‘dce_rpc_response’ events; or<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in;mso-list:l3 level1 lfo4">
<![if !supportLists]><span style="color:#777777"><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#777777">I could customize the DCE-RPC analyzer to create new events specifically for the interfaces/methods (aka UUIDs/OpNums) that I care about.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in;mso-list:l3 level1 lfo4">
<![if !supportLists]><span style="color:#777777"><span style="mso-list:Ignore">c.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#777777">Other ideas?<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="color:#777777"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="color:#777777">I think both (a) and (b) will achieve the desired result; but there are trade-offs, pros and cons. I wonder which option would have a more negative impact on Bro performance? I imagine
the reason you stopped passing stub data for all events was due to the performance hit, so I want to approach this in the best way possible. I appreciate your feedback.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="color:#777777"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="color:#777777">Cheers!<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="color:#777777">Mark<o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<blockquote style="border:none;border-left:solid #777777 1.5pt;padding:0in 0in 0in 4.0pt;margin-left:0in;margin-right:0in;margin-bottom:3.75pt">
<p><span style="font-family:"Arial",sans-serif;color:#777777">_______________________________________________<br>
bro-dev mailing list<br>
<a href="mailto:bro-dev@bro.org">bro-dev@bro.org</a><br>
<a href="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev"><span style="color:#777777">http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev</span></a><o:p></o:p></span></p>
</blockquote>
<p><span style="font-family:"Arial",sans-serif">--<br>
Seth Hall * Corelight, Inc * <a href="http://www.corelight.com">www.corelight.com</a><o:p></o:p></span></p>
</div>
</div>
</div>
</body>
</html>