Modified how cookie value is handled

Josh Liburdi 2015-02-15 22:45:16 -08:00
parent 0ef8a106df
commit b1614b7fe9


@ -2,7 +2,7 @@ type RDP_PDU(is_orig: bool) = record {
type: uint8; type: uint8;
switch: case type of { switch: case type of {
0x16 -> ssl_encryption: bytestring &restofdata &transient; # send to SSL analyzer in the future 0x16 -> ssl_encryption: bytestring &restofdata &transient; # send to SSL analyzer in the future
default -> native_encryption: NativeEncryption; # TPKT version default -> native_encryption: Native_Encryption; # TPKT version
}; };
} &byteorder=bigendian; } &byteorder=bigendian;
@ -10,7 +10,7 @@ type RDP_PDU(is_orig: bool) = record {
# Native Encryption # Native Encryption
###################################################################### ######################################################################
type NativeEncryption = record { type Native_Encryption = record {
tpkt_reserved: uint8; tpkt_reserved: uint8;
tpkt_length: uint16; tpkt_length: uint16;
cotp: COTP; cotp: COTP;
@ -20,24 +20,24 @@ type COTP = record {
length: uint8; length: uint8;
pdu: uint8; pdu: uint8;
switch: case pdu of { switch: case pdu of {
0xe0 -> cRequest: ClientRequest; 0xe0 -> cRequest: Client_Request;
0xf0 -> hdr: COTPHeader; 0xf0 -> hdr: COTP_Header;
default -> data: bytestring &restofdata &transient; default -> data: bytestring &restofdata &transient;
}; };
} &byteorder=littleendian; } &byteorder=littleendian;
type COTPHeader = record { type COTP_Header = record {
tpdu_number: uint8; tpdu_number: uint8;
application_defined_type: uint8; # this begins a BER encoded multiple octet variant, but can be safely skipped application_defined_type: uint8; # this begins a BER encoded multiple octet variant, but can be safely skipped
application_type: uint8; # this is value for the BER encoded octet variant above application_type: uint8; # this is value for the BER encoded octet variant above
switch: case application_type of { switch: case application_type of { # this seems to cause a binpac exception error
0x65 -> cHeader: ClientHeader; # 0x65 is a client 0x65 -> cHeader: Client_Header; # 0x65 is a client
0x66 -> sHeader: ServerHeader; # 0x66 is a server 0x66 -> sHeader: Server_Header; # 0x66 is a server
default -> data: bytestring &restofdata &transient; default -> data: bytestring &restofdata;
}; };
} &byteorder=littleendian; } &byteorder=littleendian;
type DataHdr = record { type Data_Header = record {
type: uint16; type: uint16;
length: uint16; length: uint16;
} &byteorder=littleendian; } &byteorder=littleendian;
@ -46,19 +46,20 @@ type DataHdr = record {
# Client X.224 # Client X.224
###################################################################### ######################################################################
type ClientRequest = record { type Client_Request = record {
destination_reference: uint16; destination_reference: uint16;
source_reference: uint16; source_reference: uint16;
flow_control: uint8; flow_control: uint8;
cookie: bytestring &restofdata; # cookie value is a variable length field, so everything is captured cookie_mstshash: RE/Cookie: mstshash\=/; # &check would be better here, but it is not implemented
cookie_value: RE/[^\x0d]*/; # the value is anything up to \x0d
}; };
###################################################################### ######################################################################
# Client MCS # Client MCS
###################################################################### ######################################################################
type ClientHeader = record { type Client_Header = record {
type_length: padding[3]; # BER encoded long variant, can be safely skipped for now type_length: uint8[3]; # BER encoded long variant, can be safely skipped for now
calling_domain_selector: ASN1OctetString; calling_domain_selector: ASN1OctetString;
called_domain_selector: ASN1OctetString; called_domain_selector: ASN1OctetString;
upward_flag: ASN1Boolean; upward_flag: ASN1Boolean;
@ -69,20 +70,20 @@ type ClientHeader = record {
maximum_parameters: ASN1SequenceMeta; maximum_parameters: ASN1SequenceMeta;
max_parameters_pad: padding[maximum_parameters.encoding.length]; max_parameters_pad: padding[maximum_parameters.encoding.length];
user_data_length: uint32; # BER encoded OctetString and long variant, can be safely skipped for now user_data_length: uint32; # BER encoded OctetString and long variant, can be safely skipped for now
gcc_connection_data: GCC_Client_ConnectionData; gcc_connection_data: GCC_Client_Connection_Data;
gcc_client_create_request: GCC_Client_CreateRequest; gcc_client_create_request: GCC_Client_Create_Request;
core_header: DataHdr; core_header: Data_Header;
core_data: ClientCore; core_data: Client_Core_Data;
remainder: bytestring &restofdata &transient; # everything after core_data can be discarded remainder: bytestring &restofdata &transient; # everything after core_data can be discarded
}; };
type GCC_Client_ConnectionData = record { type GCC_Client_Connection_Data = record {
key_object_length: uint16; key_object_length: uint16;
key_object: uint8[key_object_length]; key_object: uint8[key_object_length];
connect_data_connect_pdu: uint16; connect_data_connect_pdu: uint16;
} &byteorder=bigendian; } &byteorder=bigendian;
type GCC_Client_CreateRequest = record { type GCC_Client_Create_Request = record {
extension_bit: uint8; extension_bit: uint8;
privileges: uint8; privileges: uint8;
numeric_length: uint8; numeric_length: uint8;
@ -95,7 +96,7 @@ type GCC_Client_CreateRequest = record {
user_data_value_length: uint16; user_data_value_length: uint16;
}; };
type ClientCore = record { type Client_Core_Data = record {
version_major: uint16; version_major: uint16;
version_minor: uint16; version_minor: uint16;
desktop_width: uint16; desktop_width: uint16;
@ -122,30 +123,30 @@ type ClientCore = record {
# Server MCS # Server MCS
###################################################################### ######################################################################
type ServerHeader = record { type Server_Header = record {
type_length: padding[3]; # BER encoded long variant, can be safely skipped for now type_length: uint8[3]; # BER encoded long variant, can be safely skipped for now
connect_response_result: ASN1Enumerated; connect_response_result: ASN1Enumerated;
connect_response_called_id: ASN1Integer; connect_response_called_id: ASN1Integer;
connect_response_domain_parameters: ASN1SequenceMeta; connect_response_domain_parameters: ASN1SequenceMeta;
domain_parameters_pad: padding[connect_response_domain_parameters.encoding.length]; # skip this data domain_parameters_pad: padding[connect_response_domain_parameters.encoding.length]; # skip this data
user_data_length: uint32; # BER encoded OctetString and long variant, can be safely skipped for now user_data_length: uint32; # BER encoded OctetString and long variant, can be safely skipped for now
gcc_connection_data: GCC_Server_ConnectionData; gcc_connection_data: GCC_Server_Connection_Data;
gcc_create_response: GCC_Server_CreateResponse; gcc_create_response: GCC_Server_Create_Response;
core_header: DataHdr; core_header: Data_Header;
core_data: padding[core_header.length - 4]; # skip this data core_data: padding[core_header.length - 4]; # skip this data
network_header: DataHdr; network_header: Data_Header;
net_data: padding[network_header.length - 4]; # skip this data net_data: padding[network_header.length - 4]; # skip this data
security_header: DataHdr; security_header: Data_Header;
security_data: ServerSecurityData; security_data: Server_Security_Data;
}; };
type GCC_Server_ConnectionData = record { type GCC_Server_Connection_Data = record {
key_object_length: uint16; key_object_length: uint16;
key_object: uint8[key_object_length]; key_object: uint8[key_object_length];
connect_data_connect_pdu: uint8; connect_data_connect_pdu: uint8;
} &byteorder=bigendian; } &byteorder=bigendian;
type GCC_Server_CreateResponse = record { type GCC_Server_Create_Response = record {
extension_bit: uint8; extension_bit: uint8;
node_id: uint8[2]; node_id: uint8[2];
tag_length: uint8; tag_length: uint8;
@ -158,47 +159,47 @@ type GCC_Server_CreateResponse = record {
user_data_value_length: uint16; user_data_value_length: uint16;
}; };
type ServerCoreData = record { type Server_Core_Data = record {
version_major: uint16; version_major: uint16;
version_minor: uint16; version_minor: uint16;
client_requested_protocols: uint32; client_requested_protocols: uint32;
}; };
type ServerNetworkData = record { type Server_Network_Data = record {
mcs_channel_id: uint16; mcs_channel_id: uint16;
channel_count: uint16; channel_count: uint16;
}; };
type ServerSecurityData = record { type Server_Security_Data = record {
encryption_method: uint32; encryption_method: uint32;
encryption_level: uint32; encryption_level: uint32;
server_random_length: uint32 &byteorder=littleendian; server_random_length: uint32 &byteorder=littleendian;
server_cert_length: uint32 &byteorder=littleendian; server_cert_length: uint32 &byteorder=littleendian;
server_random: bytestring &length=server_random_length; server_random: bytestring &length=server_random_length;
server_certificate: ServerCertificate; server_certificate: Server_Certificate;
}; };
type ServerCertificate = record { type Server_Certificate = record {
cert_type: uint8; cert_type: uint8;
switch: case cert_type of { switch: case cert_type of {
0x01 -> proprietary: ServerProprietary; 0x01 -> proprietary: Server_Proprietary;
0x02 -> ssl: SSL; 0x02 -> ssl: SSL;
}; };
} &byteorder=littleendian; } &byteorder=littleendian;
type ServerProprietary = record { type Server_Proprietary = record {
cert_type: uint8[3]; # remainder of cert_type value cert_type: uint8[3]; # remainder of cert_type value
signature_algorithm: uint32; signature_algorithm: uint32;
key_algorithm: uint32; key_algorithm: uint32;
public_key_blob_type: uint16; public_key_blob_type: uint16;
public_key_blob_length: uint16; public_key_blob_length: uint16;
public_key_blob: PublicKeyBlob &length=public_key_blob_length; public_key_blob: Public_Key_Blob &length=public_key_blob_length;
signature_blob_type: uint16; signature_blob_type: uint16;
signature_blob_length: uint16; signature_blob_length: uint16;
signature_blob: bytestring &length=signature_blob_length; signature_blob: bytestring &length=signature_blob_length;
}; };
type PublicKeyBlob = record { type Public_Key_Blob = record {
magic: bytestring &length=4; magic: bytestring &length=4;
key_length: uint32; key_length: uint32;
bit_length: uint32; bit_length: uint32;