Removed scheduling of rdp_tracker event in server response events

This commit is contained in:
Josh Liburdi 2015-02-15 10:08:31 -08:00
parent fd655aa85d
commit 0648dafa54


@ -23,7 +23,7 @@ export {
client_hostname: string &log &optional; client_hostname: string &log &optional;
## Product ID of the client machine. ## Product ID of the client machine.
client_product_id: string &log &optional; client_product_id: string &log &optional;
## GCC result for the connection. This value is extracted from the payload for native encryption. ## GCC result for the connection.
result: string &log &optional; result: string &log &optional;
## Encryption level of the connection. ## Encryption level of the connection.
encryption_level: string &log &optional; encryption_level: string &log &optional;
@ -38,6 +38,10 @@ export {
global log_rdp: event(rec: Info); global log_rdp: event(rec: Info);
} }
redef record connection += {
rdp: Info &optional;
};
const ports = { 3389/tcp }; const ports = { 3389/tcp };
redef likely_server_ports += { ports }; redef likely_server_ports += { ports };
@ -47,9 +51,15 @@ event bro_init() &priority=5
Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, ports); Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, ports);
} }
redef record connection += { function set_session(c: connection)
rdp: Info &optional; {
}; if ( ! c?$rdp )
{
c$rdp = [$ts=network_time(),$id=c$id,$uid=c$uid];
# Need to do this manually because the DPD framework does not seem to register the protocol (even though DPD is working)
add c$service["rdp"];
}
}
function rdp_done(c: connection, done: bool) function rdp_done(c: connection, done: bool)
{ {
@ -94,15 +104,6 @@ event rdp_tracker(c: connection)
schedule +5secs { rdp_tracker(c) }; schedule +5secs { rdp_tracker(c) };
} }
function set_session(c: connection)
{
if ( ! c?$rdp )
{
c$rdp = [$ts=network_time(),$id=c$id,$uid=c$uid];
add c$service["rdp"];
}
}
event connection_state_remove(c: connection) &priority=-5 event connection_state_remove(c: connection) &priority=-5
{ {
# Log the RDP connection if the connection is removed but the session has not been marked as done # Log the RDP connection if the connection is removed but the session has not been marked as done
@ -137,8 +138,6 @@ event rdp_result(c: connection, result: count) &priority=5
{ {
set_session(c); set_session(c);
c$rdp$result = results[result]; c$rdp$result = results[result];
schedule +5secs { rdp_tracker(c) };
} }
event rdp_server_security(c: connection, encryption_method: count, encryption_level: count) &priority=5 event rdp_server_security(c: connection, encryption_method: count, encryption_level: count) &priority=5
@ -146,6 +145,4 @@ event rdp_server_security(c: connection, encryption_method: count, encryption_le
set_session(c); set_session(c);
c$rdp$encryption_method = encryption_methods[encryption_method]; c$rdp$encryption_method = encryption_methods[encryption_method];
c$rdp$encryption_level = encryption_levels[encryption_level]; c$rdp$encryption_level = encryption_levels[encryption_level];
schedule +5secs { rdp_tracker(c) };
} }
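Review bot: With `schedule +5secs { rdp_tracker(c) };` dropped from both rdp_result (the -137 hunk) and rdp_server_security (this hunk), a connection on which only server-side events are observed — a one-sided capture, or a session whose client-side events were missed — is never handed to rdp_tracker, so its log record then depends entirely on the connection_state_remove handler shown in the -94 hunk. That may be the intent, but the events that still schedule the tracker are outside these hunks, so I cannot confirm which ones remain; a short comment on set_session in the -47 hunk, `# rdp_tracker is scheduled from the client-side events only; server-only sessions are logged at connection_state_remove`, would record the design so the next change does not reintroduce duplicate scheduling. The comment added above `add c$service["rdp"];` hedges with "does not seem to register the protocol"; since the code relies on it, state it as the observed fact, `# DPD does not add the rdp service tag for this analyzer, so set it here`, or leave a TODO to verify. The enclosing rdp_server_security body starts outside this hunk.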