From 0b5acebfb9dffaaa5c9383d58a47b6aea6800d79 Mon Sep 17 00:00:00 2001
From: Anthony Kasza
Date: Thu, 6 Jun 2019 13:52:09 -0600
Subject: [PATCH] add: rdp_native_encrytped_data event

---
 src/analyzer/protocol/rdp/RDP.cc     | 7 ++++++-
 src/analyzer/protocol/rdp/events.bif | 9 +++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/rdp/RDP.cc b/src/analyzer/protocol/rdp/RDP.cc
index f3ceaae699..30c80af5a1 100644
--- a/src/analyzer/protocol/rdp/RDP.cc
+++ b/src/analyzer/protocol/rdp/RDP.cc
@@ -10,7 +10,7 @@ RDP_Analyzer::RDP_Analyzer(Connection* c)
 	: tcp::TCP_ApplicationAnalyzer("RDP", c)
 	{
 	interp = new binpac::RDP::RDP_Conn(this);
-
+
 	had_gap = false;
 	pia = 0;
 	}
@@ -72,6 +72,11 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 
 			ForwardStream(len, data, orig);
 			}
+		else
+			{
+			BifEvent::generate_rdp_native_encrypted_data(interp->bro_analyzer(),
+			                                              interp->bro_analyzer()->Conn(), orig, len);
+			}
 		}
 	else // if not encrypted
 		{
diff --git a/src/analyzer/protocol/rdp/events.bif b/src/analyzer/protocol/rdp/events.bif
index 463e3b8d07..ef9f9d247e 100644
--- a/src/analyzer/protocol/rdp/events.bif
+++ b/src/analyzer/protocol/rdp/events.bif
@@ -1,3 +1,12 @@
+## Generated for each packet after RDP native encryption begins
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## orig: True if the packet was sent by the originator of the connection.
+##
+## len: The length of the encrypted data.
+event rdp_native_encrypted_data%(c: connection, orig: bool, len: count%);
+
 ## Generated for X.224 client requests.
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
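Review bot: The new `else` branch in RDP_Analyzer::DeliverStream reaches the analyzer and its connection through `interp->bro_analyzer()` and `interp->bro_analyzer()->Conn()`, although this is a member of that same analyzer, so `this` and `Conn()` are already in scope; `BifEvent::generate_rdp_native_encrypted_data(this, Conn(), orig, len);` expresses the same call without the two indirections. Because this branch is taken on every DeliverStream call for the remainder of the connection once the session is in native encryption, it is also worth guarding with `if ( ::rdp_native_encrypted_data )` unless the generated function already checks for a registered handler, so that connections whose scripts never handle the event do not pay for building a connection value per delivered chunk. The `if` whose `else` this is, and the rest of DeliverStream, lie outside the hunk, so which encryption methods actually land here cannot be confirmed from the diff; a comment above the `else` such as `// Native RDP encryption: nothing further can be parsed, only report the ciphertext length.` would make the intent explicit at the call site.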
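Review bot: The new doc comment says the event is "Generated for each packet", but the only generation site this patch adds is RDP_Analyzer::DeliverStream, which receives reassembled TCP stream chunks, so a handler sees one event per delivered chunk rather than per packet and `len` is the chunk size; suggest `## Generated for each chunk of reassembled stream data delivered after RDP native encryption begins.` and `## len: The number of bytes of encrypted data in this chunk.`. The comment should also warn that the event keeps firing for the remainder of the connection, so handlers should be cheap or should disable the analyzer once they have recorded that the session switched to native encryption. A trailing period on the first line would match the other event descriptions in this file. The commit subject spells the event name `encrytped`; the declaration itself is spelled correctly.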