RDP: Add parsing and logging of channels requested by the client. Can determine capabilities requested by the client, as well as attacks such as CVE-2019-0708

2025-10-02 06:38:20 +00:00 · 2019-05-28 09:25:50 -05:00 · 2019-05-28 09:25:50 -05:00 · 8eb14fcb83
commit 8eb14fcb83
parent d886f40728
6 changed files with 126 additions and 1 deletions
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@ -23,6 +23,8 @@ export {
 		result:                string  &log &optional;
 		## Security protocol chosen by the server.
 		security_protocol:     string &log &optional;
+		## The channels requested by the client
+		client_channels: vector of string &log &optional;

 		## Keyboard layout (language) of the client machine.
 		keyboard_layout:       string  &log &optional;
@ -189,6 +191,21 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5
 		c$rdp$requested_color_depth = RDP::high_color_depths[data$high_color_depth];
 	}

+event rdp_client_network_data(c: connection, channels: ClientChannelList)
+	{
+	set_session(c);
+	if ( ! c$rdp?$client_channels )
+		{
+		c$rdp$client_channels = vector();
+		}
+
+	for (i in channels) {
+		# Remove the NULs at the end
+		c$rdp$client_channels[i] = gsub(channels[i]$name, /\x00+$/, "");
+		}
+
+	}
+
 event rdp_gcc_server_create_response(c: connection, result: count) &priority=5
 	{
 	set_session(c);