Huge updates to the RDP analyzer from Josh Liburdi.

- More data pulled into scriptland. - Logs expanded with client screen resolution and desired color depth. - Values in UTF-16 on the wire are converted to UTF-8 before being sent to scriptland. - If the RDP turns into SSL records, we now pass data that appears to be SSL to the PIA analyzer. - If RDP uses native encryption with X.509 certs we pass those certs to the files framework and the base scripts pass them forward to the X.509 analyzer. - Lots of cleanup and adjustment to fit the documented protocol a bit better. - Cleaned up the DPD signatures. - Moved to flowunit instead of datagram. - Added tests.
2025-10-10 10:38:20 +00:00 · 2015-03-04 13:12:03 -05:00 · 2015-03-04 13:12:03 -05:00 · bbedb73a45
commit bbedb73a45
parent a63d7307c8
26 changed files with 1535 additions and 346 deletions
--- a/scripts/base/protocols/rdp/dpd.sig
+++ b/scripts/base/protocols/rdp/dpd.sig
@ -1,17 +1,12 @@
-signature dpd_rdp_client_request {
-  ip-proto == tcp
-  payload /.*Cookie: mstshash\=.*/	
-  enable "rdp"
+signature dpd_rdp_client {
+	ip-proto == tcp
+	# Client request
+	payload /.*(Cookie: mstshash\=|Duca.*(rdpdr|rdpsnd|drdynvc|cliprdr))/
+	requires-reverse-signature dpd_rdp_server
+	enable "rdp"
 }

-signature dpd_rdp_client_header {
-  ip-proto == tcp
-  payload /.*Duca.*(rdpdr|rdpsnd|drdynvc|cliprdr).*/
-  enable "rdp"
-}
-
-signature dpd_rdp_server_response {
-  ip-proto == tcp
-  payload /.*McDn.*/
-  enable "rdp"
+signature dpd_rdp_server {
+	ip-proto == tcp
+	payload /(.{5}\xd0|.*McDn)/
 }