From 3a19af86c59509f35dd16bb199e75a707c628202 Mon Sep 17 00:00:00 2001
From: jatkinosn
Date: Thu, 20 Jun 2019 10:47:05 -0400
Subject: [PATCH] Fixing types. Added handling for fields sub fields. Added test script and output.

---
 scripts/base/init-bare.zeek | 8 ++++--
 src/analyzer/protocol/rdp/rdp-analyzer.pac | 4 +++
 src/analyzer/protocol/rdp/rdp-protocol.pac | 4 +--
 .../out | 12 ++++++++
 .../rdp/rdp-client-cluster-data.zeek | 28 +++++++++++++++++++
 5 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out
 create mode 100644 testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index f40b1a6fbe..728077e062 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4307,8 +4307,12 @@ export {
 };
 
 type RDP::ClientClusterData: record {
- flags: count;
- redir_session_id: count;
+ flags: count;
+ redir_session_id: count;
+ redir_supported: bool;
+ svr_session_redir_version_mask: count;
+ redir_sessionid_field_valid: count;
+ redir_smartcard: bool;
 };
 
 ## The list of channels requested by the client.
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index 3007529f98..2355ceab79 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
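Review bot: The four fields added to `RDP::ClientClusterData` carry no `##` doc comments, unlike the neighbouring `##`-documented declarations in this file; add one line each, e.g. `## REDIRECTION_SUPPORTED bit of the client cluster-data flags.` above `redir_supported` and `## Raw ServerSessionRedirectionVersionMask bits as masked by the analyzer, not shifted to a version number.` above `svr_session_redir_version_mask`. `redir_sessionid_field_valid` is a single-bit flag like `redir_supported` and `redir_smartcard`, yet it is typed `count` here and filled with `GetCount` at `Assign(4, …)` in the `rdp-analyzer.pac` hunk; typing it `bool` on both sides would keep the record consistent. The enclosing `export { … }` block starts before this hunk.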
@@ -164,6 +164,10 @@ refine flow RDP_Flow += {
 RecordVal* ccld = new RecordVal(BifType::Record::RDP::ClientClusterData);
 ccld->Assign(0, val_mgr->GetCount(${ccluster.flags}));
 ccld->Assign(1, val_mgr->GetCount(${ccluster.redir_session_id}));
+ ccld->Assign(2, val_mgr->GetBool(${ccluster.REDIRECTION_SUPPORTED}));
+ ccld->Assign(3, val_mgr->GetCount(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK}));
+ ccld->Assign(4, val_mgr->GetCount(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
+ ccld->Assign(5, val_mgr->GetBool(${ccluster.REDIRECTED_SMARTCARD}));
 
 BifEvent::generate_rdp_client_cluster_data(connection()->bro_analyzer(),
 connection()->bro_analyzer()->Conn(),
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac
index f10dcf0af4..bcf5e89a2e 100644
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
@@ -235,8 +235,8 @@ type Client_Cluster_Data = record {
 redir_session_id: uint32;
 } &let {
 REDIRECTION_SUPPORTED: bool = redir_session_id & 0x00000001;
- SERVER_SESSION_REDIRECTION_VERSION_MASK: int = (redir_session_id & 0x0000003C);
- REDIRECTED_SESSIONID_FIELD_VALID: int = (redir_session_id & 0x00000002);
+ SERVER_SESSION_REDIRECTION_VERSION_MASK: uint8 = (redir_session_id & 0x0000003C);
+ REDIRECTED_SESSIONID_FIELD_VALID: uint8 = (redir_session_id & 0x00000002);
 REDIRECTED_SMARTCARD: bool = redir_session_id & 0x00000040;
 } &byteorder=littleendian;
 
diff --git a/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out
new file mode 100644
index 0000000000..53973a2324
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out
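Review bot: The two retyped `&let` fields still mask `redir_session_id`, but in MS-RDPBCGR TS_UD_CS_CLUSTER the REDIRECTION_SUPPORTED (0x01), REDIRECTED_SESSIONID_FIELD_VALID (0x02), ServerSessionRedirectionVersionMask (0x3C) and REDIRECTED_SMARTCARD (0x40) bits live in `flags`, with RedirectedSessionID being a separate 32-bit session id; the baseline added by this commit shows the symptom, `Flags: 0000000d` alongside all four derived values printed as 0. The version mask is also left unshifted, so the field holds the raw masked bits rather than the REDIRECTION_VERSION value the spec keeps in bits 2–5. Suggested lines: `SERVER_SESSION_REDIRECTION_VERSION_MASK: uint8 = (flags & 0x0000003C) >> 2;` and `REDIRECTED_SESSIONID_FIELD_VALID: uint8 = (flags & 0x00000002);`; the unchanged `REDIRECTION_SUPPORTED` and `REDIRECTED_SMARTCARD` context lines have the same source-field problem, and the checked-in baseline will need regenerating once this is fixed. The enclosing `Client_Cluster_Data` record begins before this hunk.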
@@ -0,0 +1,12 @@
+RDP Client Cluster Data
+Flags: 0000000d
+RedirSessionId: 00000000
+Redirection Supported: 00000000
+ServerSessionRedirectionVersionMask: 00000000
+RedirectionSessionIDFieldValid: 00000000
+RedirectedSmartCard: 00000000
+RDP Client Channel List Options
+80800000
+c0000000
+c0800000
+c0a00000
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek b/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek
new file mode 100644
index 0000000000..97a711209a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek
@@ -0,0 +1,28 @@
+# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocol/rdp
+
+
+event rdp_client_cluster_data(c: connection, data: RDP::ClientClusterData)
+{
+print "RDP Client Cluster Data";
+#print data;
+print fmt("Flags: %08x",data$flags);
+print fmt("RedirSessionId: %08x",data$redir_session_id);
+print fmt("Redirection Supported: %08x",data$redir_supported);
+print fmt("ServerSessionRedirectionVersionMask: %08x",data$svr_session_redir_version_mask);
+print fmt("RedirectionSessionIDFieldValid: %08x",data$redir_sessionid_field_valid);
+print fmt("RedirectedSmartCard: %08x",data$redir_smartcard);
+
+}
+
+
+event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
+{
+print "RDP Client Channel List Options";
+for ( i in channels ) {
+ print fmt("%08x", channels[i]$options);
+ }
+}
+
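Review bot: `@load base/protocol/rdp` does not match the path used everywhere else in this commit, `scripts/base/protocols/rdp` (plural, also mirrored by the test's own directory `testing/btest/scripts/base/protocols/rdp`); if no `base/protocol/rdp` exists on the script search path zeek will fail the load, so the line should read `@load base/protocols/rdp` — confirm against the tree, which I cannot see here. The commented-out `#print data;` and the blank line before the closing brace of `rdp_client_cluster_data` look like leftover debugging and can be dropped. The event bodies are not indented at all while the `for` body uses a single space; other Zeek scripts indent with tabs, so the file should be run through the project's usual formatting before merging.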