A few more changes to handling encryption in RDP.

2025-10-15 21:18:20 +00:00 · 2015-03-05 13:38:54 -05:00 · 2015-03-05 13:38:54 -05:00 · 276e072e6e
commit 276e072e6e
parent b92a68e2bd
6 changed files with 54 additions and 31 deletions
--- a/src/analyzer/protocol/rdp/events.bif
+++ b/src/analyzer/protocol/rdp/events.bif
@ -9,8 +9,8 @@ event rdp_connect_request%(c: connection, cookie: string%);
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
 ##
-## selected_security_protocol: The security protocol selected by the server.
-event rdp_negotiation_response%(c: connection, selected_security_protocol: count%);
+## security_protocol: The security protocol selected by the server.
+event rdp_negotiation_response%(c: connection, security_protocol: count%);

 ## Generated for RDP Negotiation Failure messages.
 ##
@ -51,4 +51,11 @@ event rdp_server_security%(c: connection, encryption_method: count, encryption_l
 ## cert_type: Indicates the type of certificate.
 ##
 ## permanently_issued: Value will be true is the certificate(s) is permanent on the server.
-event rdp_server_certificate%(c: connection, cert_type: count, permanently_issued: bool%);
+event rdp_server_certificate%(c: connection, cert_type: count, permanently_issued: bool%);
+
+## Generated when an RDP session becomes encrypted.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## security_protocol: The security protocol being used for the session.
+event rdp_begin_encryption%(c: connection, security_protocol: count%);
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
@ -129,9 +129,9 @@ type RDP_Negotiation_Response = record {
 	length:              uint16; # must be set to 8
 	selected_protocol:   uint32;
 } &let {
-	# Seems to be encrypted after this message if 
-	# selected_protocol > 0
-	enc: bool = $context.connection.go_encrypted(selected_protocol>0);
+	# Seems to be SSL encrypted (maybe CredSSP also?) 
+	# after this message if the selected_protocol is > 0.
+	enc_ssl: bool = $context.connection.go_encrypted(selected_protocol) &if(selected_protocol > 0);
 } &byteorder=littleendian;

 type RDP_Negotiation_Failure = record {
@ -282,7 +282,8 @@ type Server_Security_Data = record {
 } &let {
 	# Seems to be encrypted after this message if 
 	# encryption level is >0
-	enc: bool = $context.connection.go_encrypted(encryption_level>0);
+	# 0 means RDP encryption.
+	enc: bool = $context.connection.go_encrypted(0) &if(encryption_method > 0 && encryption_level > 0);
 } &byteorder=littleendian;

 type Server_Certificate = record {
@ -393,12 +394,16 @@ refine connection RDP_Conn += {
 		is_encrypted_ = false;
 	%}

-	function go_encrypted(should_we: bool): bool
+	function go_encrypted(method: uint32): bool
 		%{
-		if ( should_we )
+		is_encrypted_ = true;
+		if ( rdp_begin_encryption )
 			{
-			is_encrypted_ = true;
+			BifEvent::generate_rdp_begin_encryption(bro_analyzer(),
+			                                        bro_analyzer()->Conn(),
+			                                        ${method});
 			}
+
 		return is_encrypted_;
 		%}