From 51b95e42aba8e02984e9293a9af624f9ba1bccb0 Mon Sep 17 00:00:00 2001
From: Yacin Nadji
Date: Thu, 14 Apr 2022 16:02:25 -0400
Subject: [PATCH] remove opnums, just match on 5

---
 scripts/main.zeek | 21 ++-------------------
 1 file changed, 2 insertions(+), 19 deletions(-)

diff --git a/scripts/main.zeek b/scripts/main.zeek
index fb673aa..e5c10f5 100644
--- a/scripts/main.zeek
+++ b/scripts/main.zeek
@@ -16,24 +16,6 @@ export {
 };
 }
 
-global opnums: set[count] = {
- 0, # : (EfsRpcOpenFileRaw, EfsRpcOpenFileRawResponse),
- 4, # : (EfsRpcEncryptFileSrv, EfsRpcEncryptFileSrvResponse),
- 5, # : (EfsRpcDecryptFileSrv, EfsRpcDecryptFileSrvResponse),
- 6, # : (EfsRpcQueryUsersOnFile, EfsRpcQueryUsersOnFileResponse),
- 7, # : (EfsRpcQueryRecoveryAgents, EfsRpcQueryRecoveryAgentsResponse),
- 8, # : (EfsRpcRemoveUsersFromFile, EfsRpcRemoveUsersFromFileResponse),
- 9, # : (EfsRpcAddUsersToFile, EfsRpcAddUsersToFileResponse),
- 12, # : (EfsRpcFileKeyInfo, EfsRpcFileKeyInfoResponse),
- 13, # : (EfsRpcDuplicateEncryptionInfoFile, EfsRpcDuplicateEncryptionInfoFileResponse),
- 15, # : (EfsRpcAddUsersToFileEx, EfsRpcAddUsersToFileExResponse),
- 16, # : (EfsRpcFileKeyInfoEx, EfsRpcFileKeyInfoExResponse),
- 18, # : (EfsRpcGetEncryptedFileMetadata, EfsRpcGetEncryptedFileMetadataResponse),
- 19, # : (EfsRpcSetEncryptedFileMetadata, EfsRpcSetEncryptedFileMetadataResponse),
- 21, # : (EfsRpcEncryptFileExSrv, EfsRpcEncryptFileExSrvResponse),
- 22 # : (EfsRpcQueryProtectors, EfsRpcQueryProtectorsResponse),
-};
-
 # Malicious byte strings
 global big_endian = /..\x0c.\x00\x00\x00\x00/;
 global big_endian_specific = /\x05\x00\x0c\x03\x00\x00\x00\x00/;
@@ -45,7 +27,8 @@ global little_endian_specific = /\x05\x00\x0c\x03\x10\x00\x00\x00/;
 
 event dce_rpc_request_stub(c: connection, fid: count, ctx_id: count, opnum: count, stub: string)
 {
- if ( opnum in opnums ) {
+ # EfsRpcDecryptFileSrv
+ if ( opnum == 5 ) {
  local v: vector of string;
  local ip = cat(c$id$orig_h);
  v += "\\";
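Review bot: The new guard `if ( opnum == 5 )` narrows coverage to a single EFSRPC method, so a request carrying the same stub byte pattern on any of the other opnums the removed `opnums` set listed (0, 4, 6–9, 12, 13, 15, 16, 18, 19, 21, 22) no longer reaches the byte-pattern check at all. If that reduction is intentional (presumably to cut false positives, though the commit does not say), the new comment should record the reason rather than only the method name, e.g. `# Only EfsRpcDecryptFileSrv (opnum 5) is matched; the other EFSRPC opnums were dropped deliberately — see commit message`. It would also help operators to replace the magic number with a redef-able constant such as `const efsrpc_opnum: count = 5 &redef;` and compare against that, so the match can be widened without editing the event handler. The body of `dce_rpc_request_stub` continues past the end of the hunk.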