Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'master' of https://github.com/anthonykasza/zeek

Browse source 
* 'master' of https://github.com/anthonykasza/zeek:
  add: rdp_native_encrytped_data event

I added a unit test.
This commit is contained in:
Jon Siwek 2019-06-06 17:17:55 -07:00
commit 7c5e74e577
8 changed files with 50 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,4 +1,8 @@
2.6-386 | 2019-06-06 17:17:55 -0700
* Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight)
2.6-384 | 2019-06-06 16:49:14 -0700 2.6-384 | 2019-06-06 16:49:14 -0700
* Add new RDP event: rdp_client_security_data (Jeff Atkinson) * Add new RDP event: rdp_client_security_data (Jeff Atkinson)

9
NEWS
View file

@ -79,9 +79,16 @@ New Functionality
- The ``/<re>/i`` convenience syntax for case-insensitive patterns is now - The ``/<re>/i`` convenience syntax for case-insensitive patterns is now
also allowed when specifying patterns used in signature files. also allowed when specifying patterns used in signature files.
- New RDP functionality.
- New events:
- rdp_client_network_data
- rdp_client_security_data
- rdp_native_encrypted_data
- Add a new "client_channels" field to rdp.log based on data parsed from - Add a new "client_channels" field to rdp.log based on data parsed from
the Client Network Data (TS_UD_CS_NET) packet. The channel list is also the Client Network Data (TS_UD_CS_NET) packet. The channel list is also
available in a new event, "rdp_client_network_data". available in the new ``rdp_client_network_data`` event.
Changed Functionality Changed Functionality
--------------------- ---------------------

2
VERSION
View file

@ -1 +1 @@
2.6-384 2.6-386

2
doc

@ -1 +1 @@
Subproject commit 3d41a5efc16406fdd07267c3b6ee05a7530a9c44 Subproject commit 9ca066677c56d7926ec6a4396b7ef02cb0b3958a

7
src/analyzer/protocol/rdp/RDP.cc
View file

@ -72,6 +72,13 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
ForwardStream(len, data, orig); ForwardStream(len, data, orig);
} }
else
{
if ( rdp_native_encrypted_data )
BifEvent::generate_rdp_native_encrypted_data(
interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
orig, len);
}
} }
else // if not encrypted else // if not encrypted
{ {

9
src/analyzer/protocol/rdp/events.bif
View file

@ -1,3 +1,12 @@
## Generated for each packet after RDP native encryption begins
##
## c: The connection record for the underlying transport-layer session/flow.
##
## orig: True if the packet was sent by the originator of the connection.
##
## len: The length of the encrypted data.
event rdp_native_encrypted_data%(c: connection, orig: bool, len: count%);
## Generated for X.224 client requests. ## Generated for X.224 client requests.
## ##
## c: The connection record for the underlying transport-layer session/flow. ## c: The connection record for the underlying transport-layer session/flow.

3
testing/btest/Baseline/scripts.base.protocols.rdp.rdp-native-encrypted-data/out Normal file
View file

@ -0,0 +1,3 @@
rdp native encrypted data, T, 12
rdp native encrypted data, T, 8
rdp native encrypted data, F, 11

14
testing/btest/scripts/base/protocols/rdp/rdp-native-encrypted-data.zeek Normal file
View file

@ -0,0 +1,14 @@
# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
@load base/protocols/rdp
event rdp_native_encrypted_data(c: connection, orig: bool, len: count)
{
print "rdp native encrypted data", orig, len;
if ( ! orig )
# That's fine to stop here, we don't need to check the entire
# encrypted conversation for the purpose of the unit test.
terminate();
}