From b6746bc9e04d16d32441a96944d3088f299d8e8d Mon Sep 17 00:00:00 2001
From: jatkinosn
Date: Thu, 6 Jun 2019 09:49:24 -0400
Subject: [PATCH] Adding client_security_data to the analyzer.
---
 src/analyzer/protocol/rdp/events.bif | 7 +++++++
 src/analyzer/protocol/rdp/rdp-analyzer.pac | 18 ++++++++++++++++++
 src/analyzer/protocol/rdp/rdp-protocol.pac | 7 ++++++-
 src/analyzer/protocol/rdp/types.bif | 5 ++++-
 4 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/src/analyzer/protocol/rdp/events.bif b/src/analyzer/protocol/rdp/events.bif
index 463e3b8d07..efb360cd6f 100644
--- a/src/analyzer/protocol/rdp/events.bif
+++ b/src/analyzer/protocol/rdp/events.bif
@@ -26,6 +26,13 @@ event rdp_negotiation_failure%(c: connection, failure_code: count%);
 ## data: The data contained in the client core data structure.
 event rdp_client_core_data%(c: connection, data: RDP::ClientCoreData%);
 
+## Generated for client security data packets.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## data: The data contained in the client security data structure.
+event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
+
 ## Generated for Client Network Data (TS_UD_CS_NET) packets
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index cf673e81b2..49398ec0a8 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
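Review bot: The doc comment on the new rdp_client_security_data event should name the wire structure the way the neighbouring rdp_client_network_data doc does, so readers can locate it in the specification: `## Generated for Client Security Data (TS_UD_CS_SEC) packets.` It would also help script authors to say what the record carries, namely the client's advertised encryption methods (the encryption_methods and ext_encryption_methods fields that the parser in rdp-protocol.pac defines), since that is what a monitoring script looking for weak client security settings will read. This hunk only declares the event; the code that raises it lives in rdp-analyzer.pac.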
@@ -101,6 +101,20 @@ refine flow RDP_Flow += {
 return true;
 %}
 
+ function proc_rdp_client_security_data(csec: Client_Security_Data): bool
+ %{
+ if ( ! rdp_client_security_data )
+ return false;
+
+ RecordVal* csd = new RecordVal(BifType::Record::RDP::ClientSecurityData);
+ csd->Assign(0, val_mgr->GetCount(${csec.encryption_methods}));
+ csd->Assign(1, val_mgr->GetCount(${csec.ext_encryption_methods}));
+
+ BifEvent::generate_rdp_client_security_data(connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ csd);
+ %}
+
 function proc_rdp_client_network_data(cnetwork: Client_Network_Data): bool
 %{
 if ( ! rdp_client_network_data )
@@ -203,6 +217,10 @@ refine typeattr Client_Core_Data += &let {
 proc: bool = $context.flow.proc_rdp_client_core_data(this);
 };
 
+refine typeattr Client_Security_Data += &let {
+ proc: bool = $context.flow.proc_rdp_client_security_data(this);
+};
+
 refine typeattr Client_Network_Data += &let {
 proc: bool = $context.flow.proc_rdp_client_network_data(this);
 };
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac
index 46202f379e..930403d68b 100644
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
@@ -52,7 +52,7 @@ type Data_Block = record {
 header: Data_Header;
 block: case header.type of {
 0xc001 -> client_core: Client_Core_Data;
- #0xc002 -> client_security: Client_Security_Data;
+ 0xc002 -> client_security: Client_Security_Data;
 0xc003 -> client_network: Client_Network_Data;
 #0xc004 -> client_cluster: Client_Cluster_Data;
 #0xc005 -> client_monitor: Client_Monitor_Data;
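Review bot: proc_rdp_client_security_data is declared to return bool, but its body ends right after the BifEvent::generate_rdp_client_security_data call with no return statement, whereas the preceding function visible in the context lines closes with `return true;`. Falling off the end of a non-void C++ function is undefined behaviour, and the `proc: bool = $context.flow.proc_rdp_client_security_data(this);` attribute added in the second hunk of this file consumes that value. Add `return true;` before the closing `%}`, matching the sibling functions. The enclosing `refine flow RDP_Flow += {` block starts and ends outside this hunk.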
@@ -220,6 +220,11 @@ type Client_Core_Data = record {
 SUPPORT_HEARTBEAT_PDU: bool = early_capability_flags & 0x0400;
 } &byteorder=littleendian;
 
+type Client_Security_Data = record {
+ encryption_methods: uint16;
+ ext_encryption_methods: uint16;
+} &byteorder=littleendian;
+
 type Client_Network_Data = record {
 channel_count: uint32;
 channel_def_array: Client_Channel_Def[channel_count];
diff --git a/src/analyzer/protocol/rdp/types.bif b/src/analyzer/protocol/rdp/types.bif
index d5a7f930a9..ff64d75744 100644
--- a/src/analyzer/protocol/rdp/types.bif
+++ b/src/analyzer/protocol/rdp/types.bif
@@ -4,5 +4,8 @@ module RDP;
 type EarlyCapabilityFlags: record;
 type ClientCoreData: record;
 
+# JSA
+type ClientSecurityData: record;
+
 type ClientChannelList: vector;
-type ClientChannelDef: record;
\ No newline at end of file
+type ClientChannelDef: record;
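Review bot: Client_Security_Data declares encryption_methods and ext_encryption_methods as uint16, but in MS-RDPBCGR §2.2.1.3.3 (TS_UD_CS_SEC) both encryptionMethods and extEncryptionMethods are 4-byte fields, so this record consumes only half of the 8-byte payload and, with the little-endian byte order set here, ext_encryption_methods would receive the upper 16 bits of encryptionMethods rather than its own field. Whether the 4 leftover bytes are skipped via the Data_Header length or misalign the next Data_Block depends on code outside this hunk, but the values handed to the event are wrong either way, which defeats any script that inspects which encryption methods a client advertises. Change the two fields to `encryption_methods: uint32;` and `ext_encryption_methods: uint32;`; the script-level record fields are counts and val_mgr->GetCount in rdp-analyzer.pac accepts the wider value without further change.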
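Review bot: The `# JSA` line above the new ClientSecurityData declaration reads as an author tag left over from development rather than documentation; none of the neighbouring declarations carry such a comment and the commit record already attributes the change, so drop it. Restoring the trailing newline on the last line of the file is a welcome side fix.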