remove opnums, just match on 5

corelight · Apr 14, 2022 · 51b95e4 · 51b95e4
1 parent 35dff83
commit 51b95e4
Showing 1 changed file with 2 additions and 19 deletions.
diff --git a/scripts/main.zeek b/scripts/main.zeek
@@ -16,24 +16,6 @@ export {
 	};
 }
 
-global opnums: set[count] = {
-	0, #   : (EfsRpcOpenFileRaw, EfsRpcOpenFileRawResponse),
-	4, #   : (EfsRpcEncryptFileSrv, EfsRpcEncryptFileSrvResponse),
-	5, #   : (EfsRpcDecryptFileSrv, EfsRpcDecryptFileSrvResponse),
-	6, #   : (EfsRpcQueryUsersOnFile, EfsRpcQueryUsersOnFileResponse),
-	7, #   : (EfsRpcQueryRecoveryAgents, EfsRpcQueryRecoveryAgentsResponse),
-	8, #   : (EfsRpcRemoveUsersFromFile, EfsRpcRemoveUsersFromFileResponse),
-	9, #   : (EfsRpcAddUsersToFile, EfsRpcAddUsersToFileResponse),
-	12, #   : (EfsRpcFileKeyInfo, EfsRpcFileKeyInfoResponse),
-	13, #   : (EfsRpcDuplicateEncryptionInfoFile, EfsRpcDuplicateEncryptionInfoFileResponse),
-	15, #   : (EfsRpcAddUsersToFileEx, EfsRpcAddUsersToFileExResponse),
-	16, #   : (EfsRpcFileKeyInfoEx, EfsRpcFileKeyInfoExResponse),
-	18, #   : (EfsRpcGetEncryptedFileMetadata, EfsRpcGetEncryptedFileMetadataResponse),
-	19, #   : (EfsRpcSetEncryptedFileMetadata, EfsRpcSetEncryptedFileMetadataResponse),
-	21, #   : (EfsRpcEncryptFileExSrv, EfsRpcEncryptFileExSrvResponse),
-	22 #   : (EfsRpcQueryProtectors, EfsRpcQueryProtectorsResponse),
-};
-
 # Malicious byte strings
 global big_endian = /..\x0c.\x00\x00\x00\x00/;
 global big_endian_specific = /\x05\x00\x0c\x03\x00\x00\x00\x00/;
@@ -45,7 +27,8 @@ global little_endian_specific = /\x05\x00\x0c\x03\x10\x00\x00\x00/;
 event dce_rpc_request_stub(c: connection, fid: count, ctx_id: count,
     opnum: count, stub: string)
 {
-	if ( opnum in opnums ) {
+	# EfsRpcDecryptFileSrv
+	if ( opnum == 5 ) {
 		local v: vector of string;
 		local ip = cat(c$id$orig_h);
 		v += "\\";