Modified how cookie value is handled
This commit is contained in:
parent
0ef8a106df
commit
b1614b7fe9
1 changed files with 41 additions and 40 deletions
|
@ -2,7 +2,7 @@ type RDP_PDU(is_orig: bool) = record {
|
||||||
type: uint8;
|
type: uint8;
|
||||||
switch: case type of {
|
switch: case type of {
|
||||||
0x16 -> ssl_encryption: bytestring &restofdata &transient; # send to SSL analyzer in the future
|
0x16 -> ssl_encryption: bytestring &restofdata &transient; # send to SSL analyzer in the future
|
||||||
default -> native_encryption: NativeEncryption; # TPKT version
|
default -> native_encryption: Native_Encryption; # TPKT version
|
||||||
};
|
};
|
||||||
} &byteorder=bigendian;
|
} &byteorder=bigendian;
|
||||||
|
|
||||||
|
@ -10,7 +10,7 @@ type RDP_PDU(is_orig: bool) = record {
|
||||||
# Native Encryption
|
# Native Encryption
|
||||||
######################################################################
|
######################################################################
|
||||||
|
|
||||||
type NativeEncryption = record {
|
type Native_Encryption = record {
|
||||||
tpkt_reserved: uint8;
|
tpkt_reserved: uint8;
|
||||||
tpkt_length: uint16;
|
tpkt_length: uint16;
|
||||||
cotp: COTP;
|
cotp: COTP;
|
||||||
|
@ -20,24 +20,24 @@ type COTP = record {
|
||||||
length: uint8;
|
length: uint8;
|
||||||
pdu: uint8;
|
pdu: uint8;
|
||||||
switch: case pdu of {
|
switch: case pdu of {
|
||||||
0xe0 -> cRequest: ClientRequest;
|
0xe0 -> cRequest: Client_Request;
|
||||||
0xf0 -> hdr: COTPHeader;
|
0xf0 -> hdr: COTP_Header;
|
||||||
default -> data: bytestring &restofdata &transient;
|
default -> data: bytestring &restofdata &transient;
|
||||||
};
|
};
|
||||||
} &byteorder=littleendian;
|
} &byteorder=littleendian;
|
||||||
|
|
||||||
type COTPHeader = record {
|
type COTP_Header = record {
|
||||||
tpdu_number: uint8;
|
tpdu_number: uint8;
|
||||||
application_defined_type: uint8; # this begins a BER encoded multiple octet variant, but can be safely skipped
|
application_defined_type: uint8; # this begins a BER encoded multiple octet variant, but can be safely skipped
|
||||||
application_type: uint8; # this is value for the BER encoded octet variant above
|
application_type: uint8; # this is value for the BER encoded octet variant above
|
||||||
switch: case application_type of {
|
switch: case application_type of { # this seems to cause a binpac exception error
|
||||||
0x65 -> cHeader: ClientHeader; # 0x65 is a client
|
0x65 -> cHeader: Client_Header; # 0x65 is a client
|
||||||
0x66 -> sHeader: ServerHeader; # 0x66 is a server
|
0x66 -> sHeader: Server_Header; # 0x66 is a server
|
||||||
default -> data: bytestring &restofdata &transient;
|
default -> data: bytestring &restofdata;
|
||||||
};
|
};
|
||||||
} &byteorder=littleendian;
|
} &byteorder=littleendian;
|
||||||
|
|
||||||
type DataHdr = record {
|
type Data_Header = record {
|
||||||
type: uint16;
|
type: uint16;
|
||||||
length: uint16;
|
length: uint16;
|
||||||
} &byteorder=littleendian;
|
} &byteorder=littleendian;
|
||||||
|
@ -46,19 +46,20 @@ type DataHdr = record {
|
||||||
# Client X.224
|
# Client X.224
|
||||||
######################################################################
|
######################################################################
|
||||||
|
|
||||||
type ClientRequest = record {
|
type Client_Request = record {
|
||||||
destination_reference: uint16;
|
destination_reference: uint16;
|
||||||
source_reference: uint16;
|
source_reference: uint16;
|
||||||
flow_control: uint8;
|
flow_control: uint8;
|
||||||
cookie: bytestring &restofdata; # cookie value is a variable length field, so everything is captured
|
cookie_mstshash: RE/Cookie: mstshash\=/; # &check would be better here, but it is not implemented
|
||||||
|
cookie_value: RE/[^\x0d]*/; # the value is anything up to \x0d
|
||||||
};
|
};
|
||||||
|
|
||||||
######################################################################
|
######################################################################
|
||||||
# Client MCS
|
# Client MCS
|
||||||
######################################################################
|
######################################################################
|
||||||
|
|
||||||
type ClientHeader = record {
|
type Client_Header = record {
|
||||||
type_length: padding[3]; # BER encoded long variant, can be safely skipped for now
|
type_length: uint8[3]; # BER encoded long variant, can be safely skipped for now
|
||||||
calling_domain_selector: ASN1OctetString;
|
calling_domain_selector: ASN1OctetString;
|
||||||
called_domain_selector: ASN1OctetString;
|
called_domain_selector: ASN1OctetString;
|
||||||
upward_flag: ASN1Boolean;
|
upward_flag: ASN1Boolean;
|
||||||
|
@ -69,20 +70,20 @@ type ClientHeader = record {
|
||||||
maximum_parameters: ASN1SequenceMeta;
|
maximum_parameters: ASN1SequenceMeta;
|
||||||
max_parameters_pad: padding[maximum_parameters.encoding.length];
|
max_parameters_pad: padding[maximum_parameters.encoding.length];
|
||||||
user_data_length: uint32; # BER encoded OctetString and long variant, can be safely skipped for now
|
user_data_length: uint32; # BER encoded OctetString and long variant, can be safely skipped for now
|
||||||
gcc_connection_data: GCC_Client_ConnectionData;
|
gcc_connection_data: GCC_Client_Connection_Data;
|
||||||
gcc_client_create_request: GCC_Client_CreateRequest;
|
gcc_client_create_request: GCC_Client_Create_Request;
|
||||||
core_header: DataHdr;
|
core_header: Data_Header;
|
||||||
core_data: ClientCore;
|
core_data: Client_Core_Data;
|
||||||
remainder: bytestring &restofdata &transient; # everything after core_data can be discarded
|
remainder: bytestring &restofdata &transient; # everything after core_data can be discarded
|
||||||
};
|
};
|
||||||
|
|
||||||
type GCC_Client_ConnectionData = record {
|
type GCC_Client_Connection_Data = record {
|
||||||
key_object_length: uint16;
|
key_object_length: uint16;
|
||||||
key_object: uint8[key_object_length];
|
key_object: uint8[key_object_length];
|
||||||
connect_data_connect_pdu: uint16;
|
connect_data_connect_pdu: uint16;
|
||||||
} &byteorder=bigendian;
|
} &byteorder=bigendian;
|
||||||
|
|
||||||
type GCC_Client_CreateRequest = record {
|
type GCC_Client_Create_Request = record {
|
||||||
extension_bit: uint8;
|
extension_bit: uint8;
|
||||||
privileges: uint8;
|
privileges: uint8;
|
||||||
numeric_length: uint8;
|
numeric_length: uint8;
|
||||||
|
@ -95,7 +96,7 @@ type GCC_Client_CreateRequest = record {
|
||||||
user_data_value_length: uint16;
|
user_data_value_length: uint16;
|
||||||
};
|
};
|
||||||
|
|
||||||
type ClientCore = record {
|
type Client_Core_Data = record {
|
||||||
version_major: uint16;
|
version_major: uint16;
|
||||||
version_minor: uint16;
|
version_minor: uint16;
|
||||||
desktop_width: uint16;
|
desktop_width: uint16;
|
||||||
|
@ -122,30 +123,30 @@ type ClientCore = record {
|
||||||
# Server MCS
|
# Server MCS
|
||||||
######################################################################
|
######################################################################
|
||||||
|
|
||||||
type ServerHeader = record {
|
type Server_Header = record {
|
||||||
type_length: padding[3]; # BER encoded long variant, can be safely skipped for now
|
type_length: uint8[3]; # BER encoded long variant, can be safely skipped for now
|
||||||
connect_response_result: ASN1Enumerated;
|
connect_response_result: ASN1Enumerated;
|
||||||
connect_response_called_id: ASN1Integer;
|
connect_response_called_id: ASN1Integer;
|
||||||
connect_response_domain_parameters: ASN1SequenceMeta;
|
connect_response_domain_parameters: ASN1SequenceMeta;
|
||||||
domain_parameters_pad: padding[connect_response_domain_parameters.encoding.length]; # skip this data
|
domain_parameters_pad: padding[connect_response_domain_parameters.encoding.length]; # skip this data
|
||||||
user_data_length: uint32; # BER encoded OctetString and long variant, can be safely skipped for now
|
user_data_length: uint32; # BER encoded OctetString and long variant, can be safely skipped for now
|
||||||
gcc_connection_data: GCC_Server_ConnectionData;
|
gcc_connection_data: GCC_Server_Connection_Data;
|
||||||
gcc_create_response: GCC_Server_CreateResponse;
|
gcc_create_response: GCC_Server_Create_Response;
|
||||||
core_header: DataHdr;
|
core_header: Data_Header;
|
||||||
core_data: padding[core_header.length - 4]; # skip this data
|
core_data: padding[core_header.length - 4]; # skip this data
|
||||||
network_header: DataHdr;
|
network_header: Data_Header;
|
||||||
net_data: padding[network_header.length - 4]; # skip this data
|
net_data: padding[network_header.length - 4]; # skip this data
|
||||||
security_header: DataHdr;
|
security_header: Data_Header;
|
||||||
security_data: ServerSecurityData;
|
security_data: Server_Security_Data;
|
||||||
};
|
};
|
||||||
|
|
||||||
type GCC_Server_ConnectionData = record {
|
type GCC_Server_Connection_Data = record {
|
||||||
key_object_length: uint16;
|
key_object_length: uint16;
|
||||||
key_object: uint8[key_object_length];
|
key_object: uint8[key_object_length];
|
||||||
connect_data_connect_pdu: uint8;
|
connect_data_connect_pdu: uint8;
|
||||||
} &byteorder=bigendian;
|
} &byteorder=bigendian;
|
||||||
|
|
||||||
type GCC_Server_CreateResponse = record {
|
type GCC_Server_Create_Response = record {
|
||||||
extension_bit: uint8;
|
extension_bit: uint8;
|
||||||
node_id: uint8[2];
|
node_id: uint8[2];
|
||||||
tag_length: uint8;
|
tag_length: uint8;
|
||||||
|
@ -158,47 +159,47 @@ type GCC_Server_CreateResponse = record {
|
||||||
user_data_value_length: uint16;
|
user_data_value_length: uint16;
|
||||||
};
|
};
|
||||||
|
|
||||||
type ServerCoreData = record {
|
type Server_Core_Data = record {
|
||||||
version_major: uint16;
|
version_major: uint16;
|
||||||
version_minor: uint16;
|
version_minor: uint16;
|
||||||
client_requested_protocols: uint32;
|
client_requested_protocols: uint32;
|
||||||
};
|
};
|
||||||
|
|
||||||
type ServerNetworkData = record {
|
type Server_Network_Data = record {
|
||||||
mcs_channel_id: uint16;
|
mcs_channel_id: uint16;
|
||||||
channel_count: uint16;
|
channel_count: uint16;
|
||||||
};
|
};
|
||||||
|
|
||||||
type ServerSecurityData = record {
|
type Server_Security_Data = record {
|
||||||
encryption_method: uint32;
|
encryption_method: uint32;
|
||||||
encryption_level: uint32;
|
encryption_level: uint32;
|
||||||
server_random_length: uint32 &byteorder=littleendian;
|
server_random_length: uint32 &byteorder=littleendian;
|
||||||
server_cert_length: uint32 &byteorder=littleendian;
|
server_cert_length: uint32 &byteorder=littleendian;
|
||||||
server_random: bytestring &length=server_random_length;
|
server_random: bytestring &length=server_random_length;
|
||||||
server_certificate: ServerCertificate;
|
server_certificate: Server_Certificate;
|
||||||
};
|
};
|
||||||
|
|
||||||
type ServerCertificate = record {
|
type Server_Certificate = record {
|
||||||
cert_type: uint8;
|
cert_type: uint8;
|
||||||
switch: case cert_type of {
|
switch: case cert_type of {
|
||||||
0x01 -> proprietary: ServerProprietary;
|
0x01 -> proprietary: Server_Proprietary;
|
||||||
0x02 -> ssl: SSL;
|
0x02 -> ssl: SSL;
|
||||||
};
|
};
|
||||||
} &byteorder=littleendian;
|
} &byteorder=littleendian;
|
||||||
|
|
||||||
type ServerProprietary = record {
|
type Server_Proprietary = record {
|
||||||
cert_type: uint8[3]; # remainder of cert_type value
|
cert_type: uint8[3]; # remainder of cert_type value
|
||||||
signature_algorithm: uint32;
|
signature_algorithm: uint32;
|
||||||
key_algorithm: uint32;
|
key_algorithm: uint32;
|
||||||
public_key_blob_type: uint16;
|
public_key_blob_type: uint16;
|
||||||
public_key_blob_length: uint16;
|
public_key_blob_length: uint16;
|
||||||
public_key_blob: PublicKeyBlob &length=public_key_blob_length;
|
public_key_blob: Public_Key_Blob &length=public_key_blob_length;
|
||||||
signature_blob_type: uint16;
|
signature_blob_type: uint16;
|
||||||
signature_blob_length: uint16;
|
signature_blob_length: uint16;
|
||||||
signature_blob: bytestring &length=signature_blob_length;
|
signature_blob: bytestring &length=signature_blob_length;
|
||||||
};
|
};
|
||||||
|
|
||||||
type PublicKeyBlob = record {
|
type Public_Key_Blob = record {
|
||||||
magic: bytestring &length=4;
|
magic: bytestring &length=4;
|
||||||
key_length: uint32;
|
key_length: uint32;
|
||||||
bit_length: uint32;
|
bit_length: uint32;
|
||||||
|
|
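Review bot: The new `cookie_mstshash: RE/Cookie: mstshash\=/;` field in Client_Request turns the cookie into a mandatory element: if a Connection Request arrives without the cookie (the field is optional in the X.224 connection request as far as I know, and the removed `&restofdata` line coped with that), the regex fails to match and binpac aborts parsing of the whole PDU instead of leaving the field empty, so a client can opt out of RDP analysis simply by omitting it. The line's own comment concedes that `&check` is unavailable; until it is, keeping a tolerant capture such as the old `cookie: bytestring &restofdata;` and extracting the `mstshash=` value in the analyzer code, or at least documenting that cookie-less requests are rejected, would be safer. Separately, `cookie_value: RE/[^\x0d]*/;` stops before the `\x0d\x0a` terminator, so the terminator and anything after it (e.g. a negotiation request) are presumably left unconsumed by this record; a comment stating that this remainder is intentionally ignored would help, e.g. `# trailing CRLF and any rdpNegReq are not consumed here`. In the COTP_Header hunk, `default -> data: bytestring &restofdata;` drops `&transient`, which makes binpac copy and retain the unparsed tail instead of passing a view; if the data is not used later, restoring `&transient` avoids the extra allocation per PDU.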