Huge updates to the RDP analyzer from Josh Liburdi.
- More data pulled into scriptland. - Logs expanded with client screen resolution and desired color depth. - Values in UTF-16 on the wire are converted to UTF-8 before being sent to scriptland. - If the RDP session turns into SSL records, we now pass data that appears to be SSL to the PIA analyzer. - If RDP uses native encryption with X.509 certs, we pass those certs to the files framework and the base scripts pass them forward to the X.509 analyzer. - Lots of cleanup and adjustment to fit the documented protocol a bit better. - Cleaned up the DPD signatures. - Moved to flowunit instead of datagram. - Added tests.
This commit is contained in:
parent
a63d7307c8
commit
bbedb73a45
26 changed files with 1535 additions and 346 deletions
@ -5,6 +5,7 @@
#include "analyzer/protocol/tcp/TCP.h"
#include "analyzer/protocol/pia/PIA.h"
#include "rdp_pac.h"
@ -21,10 +22,7 @@ public:
virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(uint64 seq, int len, bool orig);
// Overriden from tcp::TCP_ApplicationAnalyzer.
virtual void EndpointEOF(bool is_orig);
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new RDP_Analyzer(conn); }
@ -40,7 +38,7 @@ protected:
binpac::RDP::RDP_Conn* interp;
bool had_gap;
pia::PIA_TCP *pia;
};
} } // namespace analyzer::*
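Review bot: `pia::PIA_TCP *pia;` in the last hunk is a raw pointer member with no statement of ownership or nullability, and since the description says PIA only receives data that appears to be SSL, the pointer is presumably null until that point. If it is attached through the analyzer framework's child-analyzer mechanism the parent owns and deletes it, making this a non-owning handle that can dangle once the child is removed; the header should say so, e.g. `// Non-owning; PIA child analyzer for SSL-looking records, null until attached.` `bool had_gap;` deserves a similar line, since flowunit parsing cannot resync after a gap, e.g. `// Set once Undelivered() reports a gap; no further data is parsed afterwards.`, adjusted to what Undelivered() actually does. Both members need explicit initialization in the constructor, which lies outside these hunks, as does the class header.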