diff --git a/CHANGES b/CHANGES index 3ecf2b7285..cd53f319a5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-386 | 2019-06-06 17:17:55 -0700 + + * Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight) + 2.6-384 | 2019-06-06 16:49:14 -0700 * Add new RDP event: rdp_client_security_data (Jeff Atkinson) diff --git a/NEWS b/NEWS index c1e634f0f8..b5d5b23af6 100644 --- a/NEWS +++ b/NEWS @@ -79,9 +79,16 @@ New Functionality - The ``//i`` convenience syntax for case-insensitive patterns is now also allowed when specifying patterns used in signature files. -- Add a new "client_channels" field to rdp.log based on data parsed from - the Client Network Data (TS_UD_CS_NET) packet. The channel list is also - available in a new event, "rdp_client_network_data". +- New RDP functionality. + + - New events: + - rdp_client_network_data + - rdp_client_security_data + - rdp_native_encrypted_data + + - Add a new "client_channels" field to rdp.log based on data parsed from + the Client Network Data (TS_UD_CS_NET) packet. The channel list is also + available in the new ``rdp_client_network_data`` event. Changed Functionality --------------------- diff --git a/VERSION b/VERSION index 1687b4df0c..dea38bed9a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-384 +2.6-386 diff --git a/doc b/doc index 3d41a5efc1..9ca066677c 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 3d41a5efc16406fdd07267c3b6ee05a7530a9c44 +Subproject commit 9ca066677c56d7926ec6a4396b7ef02cb0b3958a diff --git a/src/analyzer/protocol/rdp/RDP.cc b/src/analyzer/protocol/rdp/RDP.cc index f3ceaae699..0f252952bd 100644 --- a/src/analyzer/protocol/rdp/RDP.cc +++ b/src/analyzer/protocol/rdp/RDP.cc @@ -10,7 +10,7 @@ RDP_Analyzer::RDP_Analyzer(Connection* c) : tcp::TCP_ApplicationAnalyzer("RDP", c) { interp = new binpac::RDP::RDP_Conn(this); - + had_gap = false; pia = 0; } 
@@ -72,6 +72,13 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 
 ForwardStream(len, data, orig);
 }
+ else
+ {
+ if ( rdp_native_encrypted_data )
+ BifEvent::generate_rdp_native_encrypted_data(
+ interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
+ orig, len);
+ }
 }
 else // if not encrypted
 {
diff --git a/src/analyzer/protocol/rdp/events.bif b/src/analyzer/protocol/rdp/events.bif
index efb360cd6f..0931365dc6 100644
--- a/src/analyzer/protocol/rdp/events.bif
+++ b/src/analyzer/protocol/rdp/events.bif
@@ -1,3 +1,12 @@
+## Generated for each packet after RDP native encryption begins
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## orig: True if the packet was sent by the originator of the connection.
+##
+## len: The length of the encrypted data.
+event rdp_native_encrypted_data%(c: connection, orig: bool, len: count%);
+
 ## Generated for X.224 client requests.
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
diff --git a/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-native-encrypted-data/out b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-native-encrypted-data/out
new file mode 100644
index 0000000000..98d86f4d55
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-native-encrypted-data/out
@@ -0,0 +1,3 @@
+rdp native encrypted data, T, 12
+rdp native encrypted data, T, 8
+rdp native encrypted data, F, 11
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-native-encrypted-data.zeek b/testing/btest/scripts/base/protocols/rdp/rdp-native-encrypted-data.zeek
new file mode 100644
index 0000000000..2c2b84735a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-native-encrypted-data.zeek
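Review bot: The new `else` branch goes through the binpac object to reach the analyzer and the connection, `interp->bro_analyzer()` and `interp->bro_analyzer()->Conn()`, from inside a member function of `RDP_Analyzer` itself; since the constructor in this file's first hunk builds `interp` with `this`, `BifEvent::generate_rdp_native_encrypted_data(this, Conn(), orig, len);` should be equivalent and reads as the analyzer's own event rather than the parser's. Note also that `len` is whatever chunk the TCP reassembler handed to `DeliverStream`, not a wire packet or RDP PDU length, and the branch fires for every chunk in both directions for the rest of the session, so consumers receive a high-rate direction/length stream with no payload attached — a sound choice for ciphertext, but one the event documentation should state. The `if` this `else` belongs to, and the rest of `DeliverStream`, lie outside the hunk.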
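Review bot: The first docstring line says the event is `Generated for each packet after RDP native encryption begins`, but the generator in RDP.cc sits in `DeliverStream`, so the unit is a reassembled TCP stream chunk and `len` is that chunk's size, neither of which maps to wire packets or RDP PDUs. Suggest `## Generated for each chunk of reassembled stream data the RDP analyzer receives after the session switches to RDP native encryption. The analyzer neither parses nor forwards this data; only its direction and length are reported.`, with `## orig: True if the data was sent by the originator of the connection.` and `## len: The number of bytes in this chunk of encrypted stream data.`. The first line is also missing the terminating period the neighbouring docstrings carry. Separately, the CHANGES entry on this page spells the event `rdp_native_encrytped_data`; the name declared here is the correct one.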
@@ -0,0 +1,14 @@
+# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/rdp
+
+event rdp_native_encrypted_data(c: connection, orig: bool, len: count)
+ {
+ print "rdp native encrypted data", orig, len;
+
+ if ( ! orig )
+ # That's fine to stop here, we don't need to check the entire
+ # encrypted conversation for the purpose of the unit test.
+ terminate();
+ }
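Review bot: The comment in the new handler sits between `if ( ! orig )` and its single-statement body `terminate();`, which Zeek accepts but which reads as if the body were two statements; move it above the `if`: `# Stopping at the first responder chunk is fine; the unit test does not` / `# need to walk the whole encrypted conversation.` followed by `if ( ! orig )` and `terminate();`. As far as I can tell `terminate()` does not discard events already queued, so the three-line baseline relies on the two originator chunks being delivered before the first responder chunk; that holds for this trace, but a counter-based cutoff (print only the first N events) would not depend on delivery order. A second run against an RDP trace that negotiates a different encryption method, if the corpus has one, would confirm the event stays silent there.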