A few more changes to handling encryption in RDP.
This commit is contained in:
parent
b92a68e2bd
commit
276e072e6e
6 changed files with 54 additions and 31 deletions
|
@ -19,6 +19,8 @@ export {
|
|||
## RDP negotation failure messages and GCC server create
|
||||
## response messages.
|
||||
result: string &log &optional;
|
||||
## Security protocol chosen by the server.
|
||||
security_protocol: string &log &optional;
|
||||
|
||||
## Keyboard layout (language) of the client machine.
|
||||
keyboard_layout: string &log &optional;
|
||||
|
@ -46,8 +48,6 @@ export {
|
|||
## Indicates if the provided certificate or certificate
|
||||
## chain is permanent or temporary.
|
||||
cert_permanent: bool &log &optional;
|
||||
## Security protocol chosen by the server.
|
||||
selected_security_protocol: string &log &optional;
|
||||
## Encryption level of the connection.
|
||||
encryption_level: string &log &optional;
|
||||
## Encryption method of the connection.
|
||||
|
@ -155,11 +155,11 @@ event rdp_connect_request(c: connection, cookie: string) &priority=5
|
|||
c$rdp$cookie = cookie;
|
||||
}
|
||||
|
||||
event rdp_negotiation_response(c: connection, selected_security_protocol: count) &priority=5
|
||||
event rdp_negotiation_response(c: connection, security_protocol: count) &priority=5
|
||||
{
|
||||
set_session(c);
|
||||
|
||||
c$rdp$selected_security_protocol = security_protocols[selected_security_protocol];
|
||||
c$rdp$security_protocol = security_protocols[security_protocol];
|
||||
}
|
||||
|
||||
event rdp_negotiation_failure(c: connection, failure_code: count) &priority=5
|
||||
|
@ -214,6 +214,17 @@ event rdp_server_certificate(c: connection, cert_type: count, permanently_issued
|
|||
c$rdp$cert_permanent = permanently_issued;
|
||||
}
|
||||
|
||||
event rdp_begin_encryption(c: connection, security_protocol: count) &priority=5
|
||||
{
|
||||
set_session(c);
|
||||
|
||||
if ( ! c$rdp?$result )
|
||||
{
|
||||
c$rdp$result = "encrypted";
|
||||
}
|
||||
c$rdp$security_protocol = security_protocols[security_protocol];
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||
{
|
||||
if ( c?$rdp && f$source == "RDP" )
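Review bot: `c$rdp$security_protocol = security_protocols[security_protocol];` in the new rdp_begin_encryption handler indexes the table with a value taken straight from the wire, and in Zeek a lookup of a key with no table entry is a runtime error rather than an unset field; the renamed rdp_negotiation_response handler earlier in this hunk does the same lookup. The security_protocols table is not visible here, so this is moot if it already carries a &default; otherwise guard both assignments with `if ( security_protocol in security_protocols )`. The handler also unconditionally overwrites whatever rdp_negotiation_response recorded, which looks consistent only because the analyzer passes the same selected_protocol value (or 0 for standard RDP security) to go_encrypted — a comment such as `# May overwrite the value set by rdp_negotiation_response; both come from the server-chosen protocol.` would make that dependency explicit.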
|
||||
|
|
|
@ -9,8 +9,8 @@ event rdp_connect_request%(c: connection, cookie: string%);
|
|||
##
|
||||
## c: The connection record for the underlying transport-layer session/flow.
|
||||
##
|
||||
## selected_security_protocol: The security protocol selected by the server.
|
||||
event rdp_negotiation_response%(c: connection, selected_security_protocol: count%);
|
||||
## security_protocol: The security protocol selected by the server.
|
||||
event rdp_negotiation_response%(c: connection, security_protocol: count%);
|
||||
|
||||
## Generated for RDP Negotiation Failure messages.
|
||||
##
|
||||
|
@ -52,3 +52,10 @@ event rdp_server_security%(c: connection, encryption_method: count, encryption_l
|
|||
##
|
||||
## permanently_issued: Value will be true is the certificate(s) is permanent on the server.
|
||||
event rdp_server_certificate%(c: connection, cert_type: count, permanently_issued: bool%);
|
||||
|
||||
## Generated when an RDP session becomes encrypted.
|
||||
##
|
||||
## c: The connection record for the underlying transport-layer session/flow.
|
||||
##
|
||||
## security_protocol: The security protocol being used for the session.
|
||||
event rdp_begin_encryption%(c: connection, security_protocol: count%);
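Review bot: The new documentation for rdp_begin_encryption says only that security_protocol is "the security protocol being used for the session", which leaves a script author guessing what values to expect. From the analyzer side of this commit the argument is the numeric selected_protocol from the negotiation response, or 0 when encryption starts from the Server Security Data (standard RDP security), so the doc should say so: `## security_protocol: The security protocol being used for the session, using the same numeric values as rdp_negotiation_response; 0 means standard RDP security.` It would also help to note in the event description that the analyzer stops parsing the connection payload once this event is generated, if that is indeed the intended contract.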
|
|
@ -129,9 +129,9 @@ type RDP_Negotiation_Response = record {
|
|||
length: uint16; # must be set to 8
|
||||
selected_protocol: uint32;
|
||||
} &let {
|
||||
# Seems to be encrypted after this message if
|
||||
# selected_protocol > 0
|
||||
enc: bool = $context.connection.go_encrypted(selected_protocol>0);
|
||||
# Seems to be SSL encrypted (maybe CredSSP also?)
|
||||
# after this message if the selected_protocol is > 0.
|
||||
enc_ssl: bool = $context.connection.go_encrypted(selected_protocol) &if(selected_protocol > 0);
|
||||
} &byteorder=littleendian;
|
||||
|
||||
type RDP_Negotiation_Failure = record {
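Review bot: The comment on the new `enc_ssl` field still reads as a guess (`# Seems to be SSL encrypted (maybe CredSSP also?)`), yet the updated baselines in this commit show HYBRID (CredSSP) negotiations being marked encrypted through this path, so the uncertainty can be resolved in the comment rather than left for the next reader: `# Any non-zero selected_protocol means the server chose a TLS-based security layer (SSL or HYBRID/CredSSP), so the remainder of the session is encrypted.` The name `enc_ssl` likewise understates what the field covers; `enc` or `enc_external` would match the comment better. The record definition continues outside the hunk.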
|
||||
|
@ -282,7 +282,8 @@ type Server_Security_Data = record {
|
|||
} &let {
|
||||
# Seems to be encrypted after this message if
|
||||
# encryption level is >0
|
||||
enc: bool = $context.connection.go_encrypted(encryption_level>0);
|
||||
# 0 means RDP encryption.
|
||||
enc: bool = $context.connection.go_encrypted(0) &if(encryption_method > 0 && encryption_level > 0);
|
||||
} &byteorder=littleendian;
|
||||
|
||||
type Server_Certificate = record {
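Review bot: The new `&if(encryption_method > 0 && encryption_level > 0)` tightens the removed condition, which keyed on encryption_level alone, but the only comment (`# 0 means RDP encryption.`) explains the argument to go_encrypted and not why both fields are now required. A server that advertises a non-zero encryption level with a zero method (malformed, but data from the network) would now keep the analyzer parsing subsequent PDUs as cleartext, so the reasoning deserves a line: `# Standard RDP security: the stream becomes encrypted only when both a method and a level are advertised; 0 is passed as the protocol because no TLS-based protocol was negotiated.` If the intent is rather to mirror the negotiation-response path, consider whether encryption_level alone should still suffice. The enclosing record starts outside the hunk.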
|
||||
|
@ -393,12 +394,16 @@ refine connection RDP_Conn += {
|
|||
is_encrypted_ = false;
|
||||
%}
|
||||
|
||||
function go_encrypted(should_we: bool): bool
|
||||
function go_encrypted(method: uint32): bool
|
||||
%{
|
||||
if ( should_we )
|
||||
is_encrypted_ = true;
|
||||
if ( rdp_begin_encryption )
|
||||
{
|
||||
is_encrypted_ = true;
|
||||
BifEvent::generate_rdp_begin_encryption(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
${method});
|
||||
}
|
||||
|
||||
return is_encrypted_;
|
||||
%}
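Review bot: As rendered, `is_encrypted_ = true;` now sits inside the `if ( rdp_begin_encryption )` block, so when no script handles the event the analyzer never records the session as encrypted and continues to parse post-encryption bytes as RDP PDUs, whereas the removed code set the flag whenever encryption was detected. If the indentation in this view is faithful, move the assignment out of the conditional so it runs before the handler check: `is_encrypted_ = true;` on its own line ahead of `if ( rdp_begin_encryption )`, leaving only the BifEvent call inside the braces. A short comment on the new parameter would also help, e.g. `# method: the negotiated security protocol value, passed through to rdp_begin_encryption.`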
|
||||
|
||||
|
|
|
@ -3,9 +3,9 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path rdp
|
||||
#open 2015-03-05-06-05-01
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent selected_security_protocol encryption_level encryption_method
|
||||
#types time string addr port addr port string string string string string string count count string string count bool string string string
|
||||
1193369795.014346 CXWv6p3arKYeMETxOg 172.21.128.16 1311 10.226.24.52 3389 FTBCO\A70 SSL_NOT_ALLOWED_BY_SERVER - - - - - - - - 0 - - - -
|
||||
1193369797.582740 CjhGID4nQcgTWjvg4c 172.21.128.16 1312 10.226.24.52 3389 FTBCO\A70 Success English - United States RDP 6.0 FROG-POND (empty) 1152 864 32bit RSA 1 T RDP High 128bit
|
||||
#close 2015-03-05-06-05-01
|
||||
#open 2015-03-05-18-37-55
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
|
||||
#types time string addr port addr port string string string string string string string count count string string count bool string string
|
||||
1193369795.014346 CXWv6p3arKYeMETxOg 172.21.128.16 1311 10.226.24.52 3389 FTBCO\A70 SSL_NOT_ALLOWED_BY_SERVER - - - - - - - - - 0 - - -
|
||||
1193369797.582740 CjhGID4nQcgTWjvg4c 172.21.128.16 1312 10.226.24.52 3389 FTBCO\A70 Success RDP English - United States RDP 6.0 FROG-POND (empty) 1152 864 32bit RSA 1 T High 128bit
|
||||
#close 2015-03-05-18-37-55
|
||||
|
|
|
@ -3,9 +3,9 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path rdp
|
||||
#open 2015-03-05-05-25-45
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent selected_security_protocol encryption_level encryption_method
|
||||
#types time string addr port addr port string string string string string string count count string string count bool string string string
|
||||
1297551041.284715 CXWv6p3arKYeMETxOg 192.168.1.200 49206 192.168.1.150 3389 AWAKECODI - - - - - - - - - 0 - HYBRID - -
|
||||
1297551078.958821 CjhGID4nQcgTWjvg4c 192.168.1.200 49207 192.168.1.150 3389 AWAKECODI - - - - - - - - - 0 - HYBRID - -
|
||||
#close 2015-03-05-05-25-45
|
||||
#open 2015-03-05-18-38-05
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
|
||||
#types time string addr port addr port string string string string string string string count count string string count bool string string
|
||||
1297551041.284715 CXWv6p3arKYeMETxOg 192.168.1.200 49206 192.168.1.150 3389 AWAKECODI encrypted HYBRID - - - - - - - - 0 - - -
|
||||
1297551078.958821 CjhGID4nQcgTWjvg4c 192.168.1.200 49207 192.168.1.150 3389 AWAKECODI encrypted HYBRID - - - - - - - - 0 - - -
|
||||
#close 2015-03-05-18-38-05
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path rdp
|
||||
#open 2015-03-05-05-26-13
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent selected_security_protocol encryption_level encryption_method
|
||||
#types time string addr port addr port string string string string string string count count string string count bool string string string
|
||||
1423755598.202845 CXWv6p3arKYeMETxOg 192.168.1.1 54990 192.168.1.2 3389 JOHN-PC Success English - United States RDP 8.1 JOHN-PC-LAPTOP 3c571ed0-3415-474b-ae94-74e151b 1920 1080 16bit X.509 2 F RDP Client compatible 128bit
|
||||
#close 2015-03-05-05-26-13
|
||||
#open 2015-03-05-18-38-10
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
|
||||
#types time string addr port addr port string string string string string string string count count string string count bool string string
|
||||
1423755598.202845 CXWv6p3arKYeMETxOg 192.168.1.1 54990 192.168.1.2 3389 JOHN-PC Success RDP English - United States RDP 8.1 JOHN-PC-LAPTOP 3c571ed0-3415-474b-ae94-74e151b 1920 1080 16bit X.509 2 F Client compatible 128bit
|
||||
#close 2015-03-05-18-38-10
|
||||
|
|