Merge branch 'master' of https://github.com/anthonykasza/zeek

* 'master' of https://github.com/anthonykasza/zeek:
  add: rdp_native_encrytped_data event

I added a unit test.

CHANGES

@@ -1,4 +1,8 @@
 
+2.6-386 | 2019-06-06 17:17:55 -0700
+
+  * Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight)
+
 2.6-384 | 2019-06-06 16:49:14 -0700
 
   * Add new RDP event: rdp_client_security_data (Jeff Atkinson)

NEWS

@@ -79,9 +79,16 @@ New Functionality
 - The ``/<re>/i`` convenience syntax for case-insensitive patterns is now
   also allowed when specifying patterns used in signature files.
 
-- Add a new "client_channels" field to rdp.log based on data parsed from
+- New RDP functionality.
-  the Client Network Data (TS_UD_CS_NET) packet.  The channel list is also
+
-  available in a new event, "rdp_client_network_data".
+  - New events:
+    - rdp_client_network_data
+    - rdp_client_security_data
+    - rdp_native_encrypted_data
+
+  - Add a new "client_channels" field to rdp.log based on data parsed from
+    the Client Network Data (TS_UD_CS_NET) packet.  The channel list is also
+    available in the new ``rdp_client_network_data`` event.
 
 Changed Functionality
 ---------------------

VERSION

@@ -1 +1 @@
-2.6-384
+2.6-386

doc

@@ -1 +1 @@
-Subproject commit 3d41a5efc16406fdd07267c3b6ee05a7530a9c44
+Subproject commit 9ca066677c56d7926ec6a4396b7ef02cb0b3958a

src/analyzer/protocol/rdp/RDP.cc

@@ -10,7 +10,7 @@ RDP_Analyzer::RDP_Analyzer(Connection* c)
 	: tcp::TCP_ApplicationAnalyzer("RDP", c)
 	{
 	interp = new binpac::RDP::RDP_Conn(this);
-	
+
 	had_gap = false;
 	pia = 0;
 	}
@@ -72,6 +72,13 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 
 			ForwardStream(len, data, orig);
 			}
+		else
+			{
+			if ( rdp_native_encrypted_data )
+				BifEvent::generate_rdp_native_encrypted_data(
+				        interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
+				        orig, len);
+			}
 		}
 	else // if not encrypted
 		{

src/analyzer/protocol/rdp/events.bif

@@ -1,3 +1,12 @@
+## Generated for each packet after RDP native encryption begins
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## orig: True if the packet was sent by the originator of the connection.
+##
+## len: The length of the encrypted data.
+event rdp_native_encrypted_data%(c: connection, orig: bool, len: count%);
+
 ## Generated for X.224 client requests.
 ##
 ## c: The connection record for the underlying transport-layer session/flow.

testing/btest/Baseline/scripts.base.protocols.rdp.rdp-native-encrypted-data/out

@@ -0,0 +1,3 @@
+rdp native encrypted data, T, 12
+rdp native encrypted data, T, 8
+rdp native encrypted data, F, 11

testing/btest/scripts/base/protocols/rdp/rdp-native-encrypted-data.zeek

@@ -0,0 +1,14 @@
+# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/rdp
+
+event rdp_native_encrypted_data(c: connection, orig: bool, len: count)
+	{
+	print "rdp native encrypted data", orig, len;
+
+	if ( ! orig )
+		# That's fine to stop here, we don't need to check the entire
+		# encrypted conversation for the purpose of the unit test.
+		terminate();
+	}