A few more changes to handling encryption in RDP.

scripts/base/protocols/rdp/main.bro

@@ -19,6 +19,8 @@ export {
 		## RDP negotation failure messages and GCC server create
 		## response messages.
 		result:                string  &log &optional;
+		## Security protocol chosen by the server.
+		security_protocol:     string &log &optional;
 
 		## Keyboard layout     (language) of the client machine.
 		keyboard_layout:       string  &log &optional;
@@ -46,8 +48,6 @@ export {
 		## Indicates if the provided certificate or certificate
 		## chain is permanent or temporary.
 		cert_permanent:        bool    &log &optional;
-		## Security protocol chosen by the server.
-		selected_security_protocol: string &log &optional;
 		## Encryption level of the connection.
 		encryption_level:      string  &log &optional;
 		## Encryption method of the connection. 
@@ -155,11 +155,11 @@ event rdp_connect_request(c: connection, cookie: string) &priority=5
 	c$rdp$cookie = cookie;
 	}
 
-event rdp_negotiation_response(c: connection, selected_security_protocol: count) &priority=5
+event rdp_negotiation_response(c: connection, security_protocol: count) &priority=5
 	{
 	set_session(c);
 
-	c$rdp$selected_security_protocol = security_protocols[selected_security_protocol];
+	c$rdp$security_protocol = security_protocols[security_protocol];
 	}
 
 event rdp_negotiation_failure(c: connection, failure_code: count) &priority=5
@@ -214,6 +214,17 @@ event rdp_server_certificate(c: connection, cert_type: count, permanently_issued
 	c$rdp$cert_permanent = permanently_issued;
 	}
 
+event rdp_begin_encryption(c: connection, security_protocol: count) &priority=5
+	{
+	set_session(c);
+
+	if ( ! c$rdp?$result )
+		{
+		c$rdp$result = "encrypted";
+		}
+	c$rdp$security_protocol = security_protocols[security_protocol];
+	}
+
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 	{
 	if ( c?$rdp && f$source == "RDP" )

src/analyzer/protocol/rdp/events.bif

@@ -9,8 +9,8 @@ event rdp_connect_request%(c: connection, cookie: string%);
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
 ##
-## selected_security_protocol: The security protocol selected by the server.
-event rdp_negotiation_response%(c: connection, selected_security_protocol: count%);
+## security_protocol: The security protocol selected by the server.
+event rdp_negotiation_response%(c: connection, security_protocol: count%);
 
 ## Generated for RDP Negotiation Failure messages.
 ##
@@ -51,4 +51,11 @@ event rdp_server_security%(c: connection, encryption_method: count, encryption_l
 ## cert_type: Indicates the type of certificate.
 ##
 ## permanently_issued: Value will be true is the certificate(s) is permanent on the server.
-event rdp_server_certificate%(c: connection, cert_type: count, permanently_issued: bool%);
+event rdp_server_certificate%(c: connection, cert_type: count, permanently_issued: bool%);
+
+## Generated when an RDP session becomes encrypted.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## security_protocol: The security protocol being used for the session.
+event rdp_begin_encryption%(c: connection, security_protocol: count%);

src/analyzer/protocol/rdp/rdp-protocol.pac

@@ -129,9 +129,9 @@ type RDP_Negotiation_Response = record {
 	length:              uint16; # must be set to 8
 	selected_protocol:   uint32;
 } &let {
-	# Seems to be encrypted after this message if 
-	# selected_protocol > 0
-	enc: bool = $context.connection.go_encrypted(selected_protocol>0);
+	# Seems to be SSL encrypted (maybe CredSSP also?) 
+	# after this message if the selected_protocol is > 0.
+	enc_ssl: bool = $context.connection.go_encrypted(selected_protocol) &if(selected_protocol > 0);
 } &byteorder=littleendian;
 
 type RDP_Negotiation_Failure = record {
@@ -282,7 +282,8 @@ type Server_Security_Data = record {
 } &let {
 	# Seems to be encrypted after this message if 
 	# encryption level is >0
-	enc: bool = $context.connection.go_encrypted(encryption_level>0);
+	# 0 means RDP encryption.
+	enc: bool = $context.connection.go_encrypted(0) &if(encryption_method > 0 && encryption_level > 0);
 } &byteorder=littleendian;
 
 type Server_Certificate = record {
@@ -393,12 +394,16 @@ refine connection RDP_Conn += {
 		is_encrypted_ = false;
 	%}
 
-	function go_encrypted(should_we: bool): bool
+	function go_encrypted(method: uint32): bool
 		%{
-		if ( should_we )
+		is_encrypted_ = true;
+		if ( rdp_begin_encryption )
 			{
-			is_encrypted_ = true;
+			BifEvent::generate_rdp_begin_encryption(bro_analyzer(),
+			                                        bro_analyzer()->Conn(),
+			                                        ${method});
 			}
+
 		return is_encrypted_;
 		%}
 

testing/btest/Baseline/scripts.base.protocols.rdp.rdp-proprietary-encryption/rdp.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	rdp
-#open	2015-03-05-06-05-01
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cookie	result	keyboard_layout	client_build	client_name	client_dig_product_id	desktop_width	desktop_height	requested_color_depth	cert_type	cert_count	cert_permanent	selected_security_protocol	encryption_level	encryption_method
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	count	count	string	string	count	bool	string	string	string
-1193369795.014346	CXWv6p3arKYeMETxOg	172.21.128.16	1311	10.226.24.52	3389	FTBCO\A70	SSL_NOT_ALLOWED_BY_SERVER	-	-	-	-	-	-	-	-	0	-	-	-	-
-1193369797.582740	CjhGID4nQcgTWjvg4c	172.21.128.16	1312	10.226.24.52	3389	FTBCO\A70	Success	English - United States	RDP 6.0	FROG-POND	(empty)	1152	864	32bit	RSA	1	T	RDP	High	128bit
-#close	2015-03-05-06-05-01
+#open	2015-03-05-18-37-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cookie	result	security_protocol	keyboard_layout	client_build	client_name	client_dig_product_id	desktop_width	desktop_height	requested_color_depth	cert_type	cert_count	cert_permanent	encryption_level	encryption_method
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	string	count	count	string	string	count	bool	string	string
+1193369795.014346	CXWv6p3arKYeMETxOg	172.21.128.16	1311	10.226.24.52	3389	FTBCO\A70	SSL_NOT_ALLOWED_BY_SERVER	-	-	-	-	-	-	-	-	-	0	-	-	-
+1193369797.582740	CjhGID4nQcgTWjvg4c	172.21.128.16	1312	10.226.24.52	3389	FTBCO\A70	Success	RDP	English - United States	RDP 6.0	FROG-POND	(empty)	1152	864	32bit	RSA	1	T	High	128bit
+#close	2015-03-05-18-37-55

testing/btest/Baseline/scripts.base.protocols.rdp.rdp-to-ssl/rdp.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	rdp
-#open	2015-03-05-05-25-45
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cookie	result	keyboard_layout	client_build	client_name	client_dig_product_id	desktop_width	desktop_height	requested_color_depth	cert_type	cert_count	cert_permanent	selected_security_protocol	encryption_level	encryption_method
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	count	count	string	string	count	bool	string	string	string
-1297551041.284715	CXWv6p3arKYeMETxOg	192.168.1.200	49206	192.168.1.150	3389	AWAKECODI	-	-	-	-	-	-	-	-	-	0	-	HYBRID	-	-
-1297551078.958821	CjhGID4nQcgTWjvg4c	192.168.1.200	49207	192.168.1.150	3389	AWAKECODI	-	-	-	-	-	-	-	-	-	0	-	HYBRID	-	-
-#close	2015-03-05-05-25-45
+#open	2015-03-05-18-38-05
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cookie	result	security_protocol	keyboard_layout	client_build	client_name	client_dig_product_id	desktop_width	desktop_height	requested_color_depth	cert_type	cert_count	cert_permanent	encryption_level	encryption_method
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	string	count	count	string	string	count	bool	string	string
+1297551041.284715	CXWv6p3arKYeMETxOg	192.168.1.200	49206	192.168.1.150	3389	AWAKECODI	encrypted	HYBRID	-	-	-	-	-	-	-	-	0	-	-	-
+1297551078.958821	CjhGID4nQcgTWjvg4c	192.168.1.200	49207	192.168.1.150	3389	AWAKECODI	encrypted	HYBRID	-	-	-	-	-	-	-	-	0	-	-	-
+#close	2015-03-05-18-38-05

testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/rdp.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	rdp
-#open	2015-03-05-05-26-13
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cookie	result	keyboard_layout	client_build	client_name	client_dig_product_id	desktop_width	desktop_height	requested_color_depth	cert_type	cert_count	cert_permanent	selected_security_protocol	encryption_level	encryption_method
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	count	count	string	string	count	bool	string	string	string
-1423755598.202845	CXWv6p3arKYeMETxOg	192.168.1.1	54990	192.168.1.2	3389	JOHN-PC  	Success	English - United States	RDP 8.1	JOHN-PC-LAPTOP	3c571ed0-3415-474b-ae94-74e151b	1920	1080	16bit	X.509	2	F	RDP	Client compatible	128bit
-#close	2015-03-05-05-26-13
+#open	2015-03-05-18-38-10
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cookie	result	security_protocol	keyboard_layout	client_build	client_name	client_dig_product_id	desktop_width	desktop_height	requested_color_depth	cert_type	cert_count	cert_permanent	encryption_level	encryption_method
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	string	count	count	string	string	count	bool	string	string
+1423755598.202845	CXWv6p3arKYeMETxOg	192.168.1.1	54990	192.168.1.2	3389	JOHN-PC  	Success	RDP	English - United States	RDP 8.1	JOHN-PC-LAPTOP	3c571ed0-3415-474b-ae94-74e151b	1920	1080	16bit	X.509	2	F	Client compatible	128bit
+#close	2015-03-05-18-38-10