diff --git a/scripts/base/protocols/rfb/main.bro b/scripts/base/protocols/rfb/main.bro index 60dcd17b03..50673d6514 100644 --- a/scripts/base/protocols/rfb/main.bro +++ b/scripts/base/protocols/rfb/main.bro @@ -1,4 +1,4 @@ -module Rfb; +module RFB; export { redef enum Log::ID += { LOG }; @@ -11,17 +11,27 @@ export { ## The connection's 4-tuple of endpoint addresses/ports. id: conn_id &log; + ## Major version of the client. client_major_version: string &log &optional; + ## Minor version of the client. client_minor_version: string &log &optional; + ## Major version of the server. server_major_version: string &log &optional; + ## Major version of the client. server_minor_version: string &log &optional; + ## Identifier of authentication method used. authentication_method: string &log &optional; + ## Whether or not authentication was succesful. auth: bool &log &optional; + ## Whether the client has an exclusive or a shared session. share_flag: bool &log &optional; + ## Name of the screen that is being shared. desktop_name: string &log &optional; + ## Width of the screen that is being shared. width: count &log &optional; + ## Height of the screen that is being shared. height: count &log &optional; done: bool &default=F; @@ -30,7 +40,8 @@ export { global log_rfb: event(rec: Info); } -function friendly_auth_name(auth: count): string { +function friendly_auth_name(auth: count): string + { switch (auth) { case 0: return "Invalid"; 
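Review bot: The doc comment added above `server_minor_version` reads `## Major version of the client.`, which repeats the comment on `client_major_version` and describes the wrong field; it should be `## Minor version of the server.`. The new comment on `auth` also misspells the word in `## Whether or not authentication was succesful.`, and the same misspelling appears in the `result:` doc of the events.bif hunk in this commit. These `##` comments are rendered into the generated script reference, so the mislabelled field will surface in the public documentation.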
@@ -56,37 +67,40 @@ function friendly_auth_name(auth: count): string { return "Apple Remote Desktop"; } return "RealVNC"; - } - redef record connection += { rfb_state: Info &optional; }; event bro_init() &priority=5 { - Log::create_stream(Rfb::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]); + Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]); } -function write_log(c:connection) { +function write_log(c:connection) + { local state = c$rfb_state; - if ( state?$done && state$done == T) { + if ( state?$done && state$done == T ) + { return; - } - Log::write(Rfb::LOG, c$rfb_state); - c$rfb_state$done = T; -} + } -function set_session(c: connection) { - if ( ! c?$rfb_state ) { + Log::write(RFB::LOG, c$rfb_state); + c$rfb_state$done = T; + } + +function set_session(c: connection) + { + if ( ! c?$rfb_state ) + { local info: Info; info$ts = network_time(); info$uid = c$uid; info$id = c$id; c$rfb_state = info; - } + } } event rfb_event(c: connection) @@ -121,13 +135,9 @@ event rfb_server_parameters(c: connection, name: string, width: count, height: c write_log(c); } -event rfb_auth_result(c: connection, result: count) +event rfb_auth_result(c: connection, result: bool) { - if ( result ==0 ) { - c$rfb_state$auth = T; - } else { - c$rfb_state$auth = F; - } + c$rfb_state$auth = !result; } event rfb_share_flag(c: connection, flag: bool) @@ -135,8 +145,10 @@ event rfb_share_flag(c: connection, flag: bool) c$rfb_state$share_flag = flag; } -event connection_state_remove(c: connection) { - if ( c?$rfb_state ) { - write_log(c); +event connection_state_remove(c: connection) + { + if ( c?$rfb_state ) + { + write_log(c); + } } -} diff --git a/src/analyzer/protocol/rfb/CMakeLists.txt b/src/analyzer/protocol/rfb/CMakeLists.txt index 8131ca7362..28523bfe2d 100644 --- a/src/analyzer/protocol/rfb/CMakeLists.txt +++ b/src/analyzer/protocol/rfb/CMakeLists.txt 
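Review bot: `c$rfb_state$auth = !result;` in the new `rfb_auth_result` handler makes `result` a flag that is true on failure, while the events.bif hunk in this commit still documents it as `## result: whether or not authentication was succesful`, the opposite polarity. The rfb-analyzer.pac hunk shows `proc_handle_security_result(result : uint32)` forwarding the raw SecurityResult value, so `result` presumably ends up as non-zero-means-failed rather than a success flag; either rename the parameter or change the doc to `## result: true if the server reported a failed authentication (non-zero SecurityResult).` Narrowing the event parameter to bool also discards any non-zero result code other than 1 that the old `count` parameter carried through to scripts.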
@@ -1,5 +1,3 @@
-# Generated by binpac_quickstart
-
 include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
diff --git a/src/analyzer/protocol/rfb/Plugin.cc b/src/analyzer/protocol/rfb/Plugin.cc
index 55704497e9..b3bed0f093 100644
--- a/src/analyzer/protocol/rfb/Plugin.cc
+++ b/src/analyzer/protocol/rfb/Plugin.cc
@@ -1,5 +1,3 @@
-// Generated by binpac_quickstart
-
 #include "plugin/Plugin.h"
 #include "RFB.h"
diff --git a/src/analyzer/protocol/rfb/RFB.cc b/src/analyzer/protocol/rfb/RFB.cc
index c761d0bf0f..2669d6ed56 100644
--- a/src/analyzer/protocol/rfb/RFB.cc
+++ b/src/analyzer/protocol/rfb/RFB.cc
@@ -1,5 +1,3 @@
-// Generated by binpac_quickstart
-
 #include "RFB.h"
 #include "analyzer/protocol/tcp/TCP_Reassembler.h"
diff --git a/src/analyzer/protocol/rfb/RFB.h b/src/analyzer/protocol/rfb/RFB.h
index cd6e7348d0..88a17eea5a 100644
--- a/src/analyzer/protocol/rfb/RFB.h
+++ b/src/analyzer/protocol/rfb/RFB.h
@@ -1,5 +1,3 @@
-// Generated by binpac_quickstart
-
 #ifndef ANALYZER_PROTOCOL_RFB_RFB_H
 #define ANALYZER_PROTOCOL_RFB_RFB_H
diff --git a/src/analyzer/protocol/rfb/events.bif b/src/analyzer/protocol/rfb/events.bif
index a3cf5f7ad8..4a5bb40121 100644
--- a/src/analyzer/protocol/rfb/events.bif
+++ b/src/analyzer/protocol/rfb/events.bif
@@ -15,7 +15,7 @@ event rfb_authentication_type%(c: connection, authtype: count%);
 ## c: The connection record for the underlying transport-layer session/flow.
 ##
 ## result: whether or not authentication was succesful
-event rfb_auth_result%(c: connection, result: count%);
+event rfb_auth_result%(c: connection, result: bool%);
 ## Generated for RFB event share flag messages
 ##
diff --git a/src/analyzer/protocol/rfb/rfb-analyzer.pac b/src/analyzer/protocol/rfb/rfb-analyzer.pac
index d357ddee28..69e8e7a99a 100644
--- a/src/analyzer/protocol/rfb/rfb-analyzer.pac
+++ b/src/analyzer/protocol/rfb/rfb-analyzer.pac
@@ -7,14 +7,16 @@ refine flow RFB_Flow += { function proc_rfb_version(client: bool, major: bytestring, minor: bytestring) : bool %{ - if (client) { + if (client) + { BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); connection()->bro_analyzer()->ProtocolConfirmation(); - - } else { + } + else + { BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); - } + } return true; %} @@ -25,28 +27,28 @@ refine flow RFB_Flow += { %} function proc_security_types(msg: RFBSecurityTypes) : bool - %{ + %{ BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype}); return true; - %} + %} function proc_security_types37(msg: RFBAuthTypeSelected) : bool - %{ + %{ BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type}); return true; - %} + %} function proc_handle_server_params(msg:RFBServerInit) : bool - %{ + %{ BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height}); return true; - %} + %} function proc_handle_security_result(result : uint32) : bool - %{ + %{ BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result); return true; - %} + %} }; refine connection RFB_Conn += { 
@@ -70,113 +72,115 @@ refine connection RFB_Conn += { %} function get_state(client: bool) : int - %{ + %{ return state; - %} + %} function handle_banners(client: bool, msg: RFBProtocolVersion) : bool - %{ - if ( client ) { + %{ + if ( client ) + { // Set protocol version on client's version int minor_version = bytestring_to_int(${msg.minor},10); // Apple specifies minor version "889" but talks v37 - if ( minor_version >= 7 ) { + if ( minor_version >= 7 ) state = AWAITING_SERVER_AUTH_TYPES37; - } else { + else state = AWAITING_SERVER_AUTH_TYPES; } - } else { - if ( !client ) { + else state = AWAITING_CLIENT_BANNER; - } - } + return true; - %} + %} function handle_ard_challenge() : bool - %{ + %{ state = AWAITING_CLIENT_ARD_RESPONSE; return true; - %} + %} function handle_ard_response() : bool - %{ + %{ state = AWAITING_SERVER_AUTH_RESULT; return true; - %} + %} function handle_auth_request() : bool - %{ + %{ state = AWAITING_CLIENT_RESPONSE; return true; - %} + %} function handle_auth_response() : bool - %{ + %{ state = AWAITING_SERVER_AUTH_RESULT; return true; - %} + %} function handle_security_result(msg: RFBSecurityResult) : bool - %{ - if ( ${msg.result} == 0 ) //FIXME - { + %{ + if ( ${msg.result} == 0 ) + { state = AWAITING_CLIENT_SHARE_FLAG; - } + } return true; - %} + %} function handle_client_init(msg: RFBClientInit) : bool - %{ + %{ state = AWAITING_SERVER_PARAMS; - return true; - %} + %} function handle_server_init(msg: RFBServerInit) : bool - %{ + %{ state = RFB_MESSAGE; return true; - %} + %} function handle_security_types(msg: RFBSecurityTypes): bool - %{ - if ( msg->sectype() == 0 ) { // No auth + %{ + if ( msg->sectype() == 0 ) + { // No auth state = AWAITING_CLIENT_SHARE_FLAG; return true; - } - if ( msg->sectype() == 2 ) { //VNC + } + + if ( msg->sectype() == 2 ) + { //VNC state = AWAITING_SERVER_CHALLENGE; - } - return false; - %} + } + return true; + %} function handle_security_types37(msg: RFBSecurityTypes37): bool - %{ - if ( ${msg.count} == 0 
) { // No auth + %{ + if ( ${msg.count} == 0 ) + { // No auth state = AWAITING_CLIENT_SHARE_FLAG; return true; - } + } state = AWAITING_CLIENT_AUTH_TYPE_SELECTED37; return true; - %} + %} function handle_auth_type_selected(msg: RFBAuthTypeSelected): bool - %{ - if ( ${msg.type} == 30 ) { // Apple Remote Desktop - state = AWAITING_SERVER_ARD_CHALLENGE; - return true; - } + %{ + if ( ${msg.type} == 30 ) + { // Apple Remote Desktop + state = AWAITING_SERVER_ARD_CHALLENGE; + return true; + } - if ( ${msg.type} == 1 ) { // No Auth + if ( ${msg.type} == 1 ) state = AWAITING_SERVER_AUTH_RESULT; - } else { - // Assume VNC + else state = AWAITING_SERVER_CHALLENGE; - } + return true; - %} + %} %member{ uint8 state = AWAITING_SERVER_BANNER; diff --git a/src/analyzer/protocol/rfb/rfb-protocol.pac b/src/analyzer/protocol/rfb/rfb-protocol.pac index 0eb5542001..764046e747 100644 --- a/src/analyzer/protocol/rfb/rfb-protocol.pac +++ b/src/analyzer/protocol/rfb/rfb-protocol.pac @@ -16,8 +16,8 @@ enum states { }; type RFBProtocolVersion (client: bool) = record { - header : "RFB "; - major :bytestring &length=3; + header: "RFB "; + major: bytestring &length=3; dot: "."; minor: bytestring &length=3; pad: uint8; @@ -108,8 +108,8 @@ type RFB_PDU_request = record { AWAITING_CLIENT_SHARE_FLAG -> shareflag: RFBClientInit; AWAITING_CLIENT_AUTH_TYPE_SELECTED37 -> authtype: RFBAuthTypeSelected; AWAITING_CLIENT_ARD_RESPONSE -> ard_response: RFBSecurityARDResponse; - RFB_MESSAGE -> ignore: bytestring &restofdata; - default -> data: bytestring &restofdata; + RFB_MESSAGE -> ignore: bytestring &restofdata &transient; + default -> data: bytestring &restofdata &transient; } &requires(state); } &let { state: uint8 = $context.connection.get_state(true); 
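Review bot: `handle_security_types` still treats `msg->sectype() == 0` as `// No auth` and advances to `AWAITING_CLIENT_SHARE_FLAG`, yet the script side of this same commit maps `case 0` to `"Invalid"` in `friendly_auth_name`, and in RFC 6143 §7.1.2 a version-3.3 security-type of 0 signals a failed connection (followed by a reason string) while 1 is None; if `sectype` is that field, both the failure case and the real no-auth case are mis-tracked. The same question applies to `handle_security_types37`, where `${msg.count} == 0` is labelled `// No auth` although an empty security-type list also signals failure, and the hunk additionally changes `handle_security_types` to `return true` for sectypes other than 0 and 2 while leaving `state` untouched, without a comment explaining the new fall-through. Please confirm the field semantics against rfb-protocol.pac and either route the zero checks to a failure path or correct the comments. Separately, `handle_security_result` stays in `AWAITING_SERVER_AUTH_RESULT` when `${msg.result} != 0`, so the reason string a 3.8 server sends after a failed authentication would be parsed as another `RFBSecurityResult`. The enclosing `refine connection RFB_Conn += {` block starts before this hunk.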
@@ -124,8 +124,8 @@ type RFB_PDU_response = record {
 AWAITING_SERVER_AUTH_RESULT -> authresult : RFBSecurityResult;
 AWAITING_SERVER_ARD_CHALLENGE -> ard_challenge: RFBSecurityARDChallenge;
 AWAITING_SERVER_PARAMS -> serverinit: RFBServerInit;
- RFB_MESSAGE -> ignore: bytestring &restofdata;
- default -> data: bytestring &restofdata;
+ RFB_MESSAGE -> ignore: bytestring &restofdata &transient;
+ default -> data: bytestring &restofdata &transient;
 } &requires(rstate);
 } &let {
 rstate: uint8 = $context.connection.get_state(false);
diff --git a/src/analyzer/protocol/rfb/rfb.pac b/src/analyzer/protocol/rfb/rfb.pac
index 310ad38893..2e88f8e5bb 100644
--- a/src/analyzer/protocol/rfb/rfb.pac
+++ b/src/analyzer/protocol/rfb/rfb.pac
@@ -1,5 +1,3 @@
-# Generated by binpac_quickstart
-
 # Analyzer for Parser for rfb (VNC)
 # - rfb-protocol.pac: describes the rfb protocol messages
 # - rfb-analyzer.pac: describes the rfb analyzer code
@@ -26,17 +24,7 @@ connection RFB_Conn(bro_analyzer: BroAnalyzer) {
 # Now we define the flow:
 flow RFB_Flow(is_orig: bool) {
-
- # ## TODO: Determine if you want flowunit or datagram parsing:
-
- # Using flowunit will cause the anlayzer to buffer incremental input.
- # This is needed for &oneline and &length. If you don't need this, you'll
- # get better performance with datagram.
-
- # flowunit = RFB_PDU(is_orig) withcontext(connection, this);
-
 datagram = RFB_PDU(is_orig) withcontext(connection, this);
-
 };
 %include rfb-analyzer.pac
\ No newline at end of file