Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Implement protocol confirmation

Browse source 
Do not set the service field in the bro script but
use the protocol confirmation paradigm.

Protocol is considered confirmed if both a
succesful client and server banner have been
parsed.
This commit is contained in:
Martin van Hensbergen 2016-04-11 11:28:22 +02:00
parent 849875e8be
commit 04dd65cbaf
2 changed files with 3 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/protocols/rfb/main.bro
View file

@ -106,7 +106,6 @@ event rfb_server_version(c: connection, major_version: string, minor_version: st
set_session(c); set_session(c);
c$rfb_state$server_major_version = major_version; c$rfb_state$server_major_version = major_version;
c$rfb_state$server_minor_version = minor_version; c$rfb_state$server_minor_version = minor_version;
add c$service["rfb"];
} }
event rfb_authentication_type(c: connection, authtype: count) event rfb_authentication_type(c: connection, authtype: count)

11
src/analyzer/protocol/rfb/rfb-analyzer.pac
View file

@ -1,5 +1,3 @@
# Generated by binpac_quickstart
refine flow RFB_Flow += { refine flow RFB_Flow += {
function proc_rfb_message(msg: RFB_PDU): bool function proc_rfb_message(msg: RFB_PDU): bool
%{ %{
@ -7,16 +5,13 @@ refine flow RFB_Flow += {
return true; return true;
%} %}
function proc_rfb_client_version(major: bytestring, minor: bytestring) : bool
%{
BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
return true;
%}
function proc_rfb_version(client: bool, major: bytestring, minor: bytestring) : bool function proc_rfb_version(client: bool, major: bytestring, minor: bytestring) : bool
%{ %{
if (client) { if (client) {
BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
connection()->bro_analyzer()->ProtocolConfirmation();
} else { } else {
BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
} }