Adding client_security_data to the analyzer.

src/analyzer/protocol/rdp/events.bif

@@ -26,6 +26,13 @@ event rdp_negotiation_failure%(c: connection, failure_code: count%);
 ## data: The data contained in the client core data structure.
 event rdp_client_core_data%(c: connection, data: RDP::ClientCoreData%);
 
+## Generated for client security data packets.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## data: The data contained in the client security data structure.
+event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
+
 ## Generated for Client Network Data (TS_UD_CS_NET) packets
 ##
 ## c: The connection record for the underlying transport-layer session/flow.

src/analyzer/protocol/rdp/rdp-analyzer.pac

@@ -101,6 +101,20 @@ refine flow RDP_Flow += {
 		return true;
 		%}
 
+	function proc_rdp_client_security_data(csec: Client_Security_Data): bool
+		%{
+		if ( ! rdp_client_security_data )
+                        return false;
+	 
+			RecordVal* csd = new RecordVal(BifType::Record::RDP::ClientSecurityData);
+			csd->Assign(0, val_mgr->GetCount(${csec.encryption_methods}));
+			csd->Assign(1, val_mgr->GetCount(${csec.ext_encryption_methods}));
+    
+			BifEvent::generate_rdp_client_security_data(connection()->bro_analyzer(),
+								    connection()->bro_analyzer()->Conn(),
+								    csd);
+		%}
+
 	function proc_rdp_client_network_data(cnetwork: Client_Network_Data): bool
 		%{
 		if ( ! rdp_client_network_data )
@@ -203,6 +217,10 @@ refine typeattr Client_Core_Data += &let {
 	proc: bool = $context.flow.proc_rdp_client_core_data(this);
 };
 
+refine typeattr Client_Security_Data += &let {
+        proc: bool = $context.flow.proc_rdp_client_security_data(this);
+};
+
 refine typeattr Client_Network_Data += &let {
 	proc: bool = $context.flow.proc_rdp_client_network_data(this);
 };

src/analyzer/protocol/rdp/rdp-protocol.pac

@@ -52,7 +52,7 @@ type Data_Block = record {
 	header: Data_Header;
 	block: case header.type of {
 		0xc001  -> client_core:       Client_Core_Data;
-		#0xc002  -> client_security:   Client_Security_Data;
+		0xc002  -> client_security:   Client_Security_Data;
 		0xc003  -> client_network:    Client_Network_Data;
 		#0xc004  -> client_cluster:    Client_Cluster_Data;
 		#0xc005  -> client_monitor:    Client_Monitor_Data;
@@ -220,6 +220,11 @@ type Client_Core_Data = record {
 	SUPPORT_HEARTBEAT_PDU:      bool = early_capability_flags & 0x0400;
 } &byteorder=littleendian;
 
+type Client_Security_Data = record {
+	encryption_methods:	uint16;
+	ext_encryption_methods:	uint16;
+} &byteorder=littleendian;
+
 type Client_Network_Data = record {
 	channel_count: uint32;
 	channel_def_array: Client_Channel_Def[channel_count];

src/analyzer/protocol/rdp/types.bif

@@ -4,5 +4,8 @@ module RDP;
 type EarlyCapabilityFlags: record;
 type ClientCoreData: record;
 
+# JSA
+type ClientSecurityData: record;
+
 type ClientChannelList: vector;
 type ClientChannelDef: record;