Merge remote-tracking branch 'origin/topic/vlad/rdp_bluekeep'

* origin/topic/vlad/rdp_bluekeep: RDP: Update existing baselines with new client_channels field RDP: Add parsing and logging of channels requested by the client. Can determine capabilities requested by the client, as well as attacks such as CVE-2019-0708
2025-10-09 18:18:19 +00:00 · 2019-05-28 11:32:16 -07:00 · 2019-05-28 11:32:16 -07:00 · 7bc9a3934d
commit 7bc9a3934d
parent f2b7764769 85fc553136
13 changed files with 152 additions and 21 deletions
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@ -23,6 +23,8 @@ export {
 		result:                string  &log &optional;
 		## Security protocol chosen by the server.
 		security_protocol:     string &log &optional;
+		## The channels requested by the client
+		client_channels:       vector of string &log &optional;

 		## Keyboard layout (language) of the client machine.
 		keyboard_layout:       string  &log &optional;
@ -189,6 +191,18 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5
 		c$rdp$requested_color_depth = RDP::high_color_depths[data$high_color_depth];
 	}

+event rdp_client_network_data(c: connection, channels: ClientChannelList)
+	{
+	set_session(c);
+
+	if ( ! c$rdp?$client_channels )
+		c$rdp$client_channels = vector();
+
+	for ( i in channels )
+		# Remove the NULs at the end
+		c$rdp$client_channels[i] = gsub(channels[i]$name, /\x00+$/, "");
+	}
+
 event rdp_gcc_server_create_response(c: connection, result: count) &priority=5
 	{
 	set_session(c);