From a3ab9f5b09517d469383419f150896aa0fb29834 Mon Sep 17 00:00:00 2001
From: Josh Liburdi
Date: Sun, 15 Feb 2015 10:18:52 -0800
Subject: [PATCH] Added comments and TODOs

---
 scripts/base/protocols/rdp/main.bro | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.bro
index a1026208de..718fb3fe87 100644
--- a/scripts/base/protocols/rdp/main.bro
+++ b/scripts/base/protocols/rdp/main.bro
@@ -62,6 +62,8 @@ function set_session(c: connection)
 }
 }
 
+## Currently rdp_done and rdp_tracker mimic the SSH analyzer for disabling analysis, but there might be a better method
+## Once the DPD framework bug is fixed, we could possibly use the same method as SSL analyzer
 function rdp_done(c: connection, done: bool)
 {
 if ( done )
@@ -91,8 +93,8 @@ event rdp_tracker(c: connection)
 
 if ( connection_exists(id) )
 {
- # If the RDP connection has been alive for more than 5secs, log it
- # This duration should be sufficient to collect the data that needs to be logged
+ ## If the RDP connection has been alive for more than 5secs, log it
+ ## This duration should be sufficient to collect the data that needs to be logged
 local diff = network_time() - c$rdp$ts;
 if ( diff > 5secs )
 {
@@ -101,13 +103,13 @@ event rdp_tracker(c: connection)
 }
 }
 
- # Schedule the event to run again if necessary
+ ## Schedule the event to run again if necessary
 schedule +5secs { rdp_tracker(c) };
 }
 
 event connection_state_remove(c: connection) &priority=-5
 {
- # Log the RDP connection if the connection is removed but the session has not been marked as done
+ ## Log the RDP connection if the connection is removed but the session has not been marked as done
 if ( c?$rdp && ! c$rdp$done )
 rdp_done(c,T);
 }
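Review bot: The two lines added above `function rdp_done` use `##`, which Bro treats as a Broxygen documentation comment attached to the next declaration, so this TODO would probably surface as the function's generated documentation instead of staying an implementation note. The in-body comments switched from `#` to `##` in the two rdp_tracker hunks and in connection_state_remove have the same problem, since they do not document any declaration. I would keep those as plain `#` and write the new note as `# TODO: rdp_done and rdp_tracker mimic the SSH analyzer for disabling analysis; revisit once the DPD framework bug is fixed.` If rdp_done is meant to be documented, a separate `##` line stating what the function does and what `done` means would be the place for it.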
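Review bot: The rewritten comment says the event is rescheduled "if necessary", but in the visible lines `schedule +5secs { rdp_tracker(c) };` follows the `if ( connection_exists(id) )` block with no condition of its own. Unless a return outside these hunks covers it, a connection that no longer exists would keep rescheduling the tracker every five seconds, which would hold per-connection state on a sensor that sees many RDP sessions. Consider an explicit guard such as `if ( ! connection_exists(id) ) return;` ahead of the schedule, or reword the comment to describe what the code does. rdp_tracker's body starts before this hunk, and the lines between the two rdp_tracker hunks are not shown, so this needs checking against the full function.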