Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 18:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Added comments, changed logging events to reduce analyzer errors

Browse source
This commit is contained in:
Josh Liburdi 2015-02-15 22:43:31 -08:00
parent a3ab9f5b09
commit 90bfbf9002
1 changed files with 94 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

159
scripts/base/protocols/rdp/main.bro
View file

@ -29,10 +29,24 @@ export {
encryption_level: string &log &optional; encryption_level: string &log &optional;
## Encryption method of the connection. ## Encryption method of the connection.
encryption_method: string &log &optional; encryption_method: string &log &optional;
## The analyzer ID used for the analyzer instance attached
## to each connection. It is not used for logging since it's a
## meaningless arbitrary number.
analyzer_id: count &optional;
## Track status of logging RDP connections. ## Track status of logging RDP connections.
done: bool &default=F; done: bool &default=F;
}; };
## If true, detach the RDP analyzer from the connection to prevent
## continuing to process encrypted traffic. Helps with performance
## (especially with large file transfers).
const disable_analyzer_after_detection = T &redef;
## The amount of time to monitor an RDP session from when it is first
## identified. When this interval is reached, the session is logged.
const rdp_interval = 10secs &redef;
## Event that can be handled to access the rdp record as it is sent on ## Event that can be handled to access the rdp record as it is sent on
## to the logging framework. ## to the logging framework.
global log_rdp: event(rec: Info); global log_rdp: event(rec: Info);
@ -51,81 +65,71 @@ event bro_init() &priority=5
Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, ports); Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, ports);
} }
# Verify that the RDP session contains
# RDP data before writing it to the log.
function verify_rdp(c: connection)
{
local info = c$rdp;
if ( info?$cookie || info?$keyboard_layout || info?$result )
Log::write(RDP::LOG,info);
else
Reporter::error("RDP analyzer was initialized but no data was found");
}
event log_record(c: connection, remove_analyzer: bool)
{
# If the record was logged, then stop processing.
if ( c$rdp$done )
return;
# If the analyzer is no logger attached, then
# log the record and stop processing.
if ( ! remove_analyzer )
{
c$rdp$done = T;
verify_rdp(c);
return;
}
# If the value rdp_interval has passed since the
# RDP session was started, then log the record.
local diff = network_time() - c$rdp$ts;
if ( diff > rdp_interval )
{
c$rdp$done = T;
verify_rdp(c);
# Remove the analyzer if it is still attached.
if ( remove_analyzer && disable_analyzer_after_detection && c$rdp?$analyzer_id )
{
disable_analyzer(c$id, c$rdp$analyzer_id);
delete c$rdp$analyzer_id;
}
return;
}
# If the analyzer is attached and the duration
# to monitor the RDP session was not met, then
# reschedule the logging event.
else
schedule +rdp_interval { log_record(c,remove_analyzer) };
}
function set_session(c: connection) function set_session(c: connection)
{ {
if ( ! c?$rdp ) if ( ! c?$rdp )
{ {
c$rdp = [$ts=network_time(),$id=c$id,$uid=c$uid]; c$rdp = [$ts=network_time(),$id=c$id,$uid=c$uid];
## Need to do this manually because the DPD framework does not seem to register the protocol (even though DPD is working) # The RDP session is scheduled to be logged from
## TODO: Find out why DPD framework isn't working # the time it is first initiated.
add c$service["rdp"]; schedule +rdp_interval { log_record(c,T) };
} }
} }
## Currently rdp_done and rdp_tracker mimic the SSH analyzer for disabling analysis, but there might be a better method
## Once the DPD framework bug is fixed, we could possibly use the same method as SSL analyzer
function rdp_done(c: connection, done: bool)
{
if ( done )
{
c$rdp$done = T;
Log::write(RDP::LOG, c$rdp);
skip_further_processing(c$id);
set_record_packets(c$id, F);
}
}
event rdp_tracker(c: connection)
{
if ( c$rdp$done )
return;
local id = c$id;
if ( ! connection_exists(id) )
{
rdp_done(c,T);
return;
}
lookup_connection(id);
if ( connection_exists(id) )
{
## If the RDP connection has been alive for more than 5secs, log it
## This duration should be sufficient to collect the data that needs to be logged
local diff = network_time() - c$rdp$ts;
if ( diff > 5secs )
{
rdp_done(c,T);
return;
}
}
## Schedule the event to run again if necessary
schedule +5secs { rdp_tracker(c) };
}
event connection_state_remove(c: connection) &priority=-5
{
## Log the RDP connection if the connection is removed but the session has not been marked as done
if ( c?$rdp && ! c$rdp$done )
rdp_done(c,T);
}
event rdp_client_request(c: connection, cookie: string) &priority=5 event rdp_client_request(c: connection, cookie: string) &priority=5
{
## Possibly better to avoid this clean up and use regex in binpac to extract the cookie value
if ( "Cookie" in clean(cookie) )
{ {
set_session(c); set_session(c);
local cookie_val = sub(cookie,/Cookie.*\=/,""); c$rdp$cookie = cookie;
c$rdp$cookie = sub(cookie_val,/\x0d\x0a.*$/,"");
## Schedule the rdp_tracker event so remaining data can be collected
schedule +5secs { rdp_tracker(c) };
}
} }
event rdp_client_data(c: connection, keyboard_layout: count, build: count, hostname: string, product_id: string) &priority=5 event rdp_client_data(c: connection, keyboard_layout: count, build: count, hostname: string, product_id: string) &priority=5
@ -135,10 +139,6 @@ event rdp_client_data(c: connection, keyboard_layout: count, build: count, hostn
c$rdp$client_build = builds[build]; c$rdp$client_build = builds[build];
c$rdp$client_hostname = gsub(cat(hostname),/\\0/,""); c$rdp$client_hostname = gsub(cat(hostname),/\\0/,"");
c$rdp$client_product_id = gsub(cat(product_id),/\\0/,""); c$rdp$client_product_id = gsub(cat(product_id),/\\0/,"");
## Schedule the rdp_tracker event so remaining data can be collected
## This is scheduled twice because the cookie in rdp_client_request may not exist
schedule +5secs { rdp_tracker(c) };
} }
event rdp_result(c: connection, result: count) &priority=5 event rdp_result(c: connection, result: count) &priority=5
@ -153,3 +153,26 @@ event rdp_server_security(c: connection, encryption_method: count, encryption_le
c$rdp$encryption_method = encryption_methods[encryption_method]; c$rdp$encryption_method = encryption_methods[encryption_method];
c$rdp$encryption_level = encryption_levels[encryption_level]; c$rdp$encryption_level = encryption_levels[encryption_level];
} }
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
{
if ( atype == Analyzer::ANALYZER_RDP )
{
set_session(c);
c$rdp$analyzer_id = aid;
}
}
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
{
# If a protocol violation occurs, then log the record immediately.
if ( c?$rdp )
schedule +0secs { log_record(c,F) };
}
event connection_state_remove(c: connection) &priority=-5
{
# If the connection is removed, then log the record immediately.
if ( c?$rdp )
schedule +0secs { log_record(c,F) };
}