Merge branch 'rdp_client_security' of https://github.com/neslog/zeek

* 'rdp_client_security' of https://github.com/neslog/zeek:
  Adding comments specific to client security data in record definition.
  Cleaning up indentations and return true.
  Adding record to init-bare
  Adding client_security_data to the analyzer.

I added a unit test.

CHANGES

@@ -1,4 +1,8 @@
 
+2.6-384 | 2019-06-06 16:49:14 -0700
+
+  * Add new RDP event: rdp_client_security_data (Jeff Atkinson)
+
 2.6-379 | 2019-06-06 11:56:58 -0700
 
   * Improve sqlite logging unit tests (Jon Siwek, Corelight)

VERSION

@@ -1 +1 @@
-2.6-379
+2.6-384

doc

@@ -1 +1 @@
-Subproject commit 69a337c5c7958014566f138bfbce9ce95db47b3d
+Subproject commit 3d41a5efc16406fdd07267c3b6ee05a7530a9c44

scripts/base/init-bare.zeek

@@ -4276,6 +4276,22 @@ export {
 		dig_product_id:         string &optional;
 	};
 
+	## The TS_UD_CS_SEC data block contains security-related information used
+	## to advertise client cryptographic support.
+	type RDP::ClientSecurityData: record {
+		## Cryptographic encryption methods supported by the client and used in
+		## conjunction with Standard RDP Security.  Known flags:
+		##
+		## - 0x00000001: support for 40-bit session encryption keys
+		## - 0x00000002: support for 128-bit session encryption keys
+		## - 0x00000008: support for 56-bit session encryption keys
+		## - 0x00000010: support for FIPS compliant encryption and MAC methods
+		encryption_methods:	count;
+		## Only used in French locale and designates the encryption method.  If
+		## non-zero, then encryption_methods should be set to 0.
+		ext_encryption_methods:	count;
+	};
+
 	## Name and flags for a single channel requested by the client.
 	type RDP::ClientChannelDef: record {
 		## A unique name for the channel

src/analyzer/protocol/rdp/events.bif

@@ -26,6 +26,13 @@ event rdp_negotiation_failure%(c: connection, failure_code: count%);
 ## data: The data contained in the client core data structure.
 event rdp_client_core_data%(c: connection, data: RDP::ClientCoreData%);
 
+## Generated for client security data packets.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## data: The data contained in the client security data structure.
+event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
+
 ## Generated for Client Network Data (TS_UD_CS_NET) packets
 ##
 ## c: The connection record for the underlying transport-layer session/flow.

src/analyzer/protocol/rdp/rdp-analyzer.pac

@@ -101,6 +101,21 @@ refine flow RDP_Flow += {
 		return true;
 		%}
 
+	function proc_rdp_client_security_data(csec: Client_Security_Data): bool
+		%{
+		if ( ! rdp_client_security_data )
+			return false;
+
+		RecordVal* csd = new RecordVal(BifType::Record::RDP::ClientSecurityData);
+		csd->Assign(0, val_mgr->GetCount(${csec.encryption_methods}));
+		csd->Assign(1, val_mgr->GetCount(${csec.ext_encryption_methods}));
+
+		BifEvent::generate_rdp_client_security_data(connection()->bro_analyzer(),
+		                                            connection()->bro_analyzer()->Conn(),
+		                                            csd);
+		return true;
+		%}
+
 	function proc_rdp_client_network_data(cnetwork: Client_Network_Data): bool
 		%{
 		if ( ! rdp_client_network_data )
@@ -203,6 +218,10 @@ refine typeattr Client_Core_Data += &let {
 	proc: bool = $context.flow.proc_rdp_client_core_data(this);
 };
 
+refine typeattr Client_Security_Data += &let {
+        proc: bool = $context.flow.proc_rdp_client_security_data(this);
+};
+
 refine typeattr Client_Network_Data += &let {
 	proc: bool = $context.flow.proc_rdp_client_network_data(this);
 };

src/analyzer/protocol/rdp/rdp-protocol.pac

@@ -52,7 +52,7 @@ type Data_Block = record {
 	header: Data_Header;
 	block: case header.type of {
 		0xc001  -> client_core:       Client_Core_Data;
-		#0xc002  -> client_security:   Client_Security_Data;
+		0xc002  -> client_security:   Client_Security_Data;
 		0xc003  -> client_network:    Client_Network_Data;
 		#0xc004  -> client_cluster:    Client_Cluster_Data;
 		#0xc005  -> client_monitor:    Client_Monitor_Data;
@@ -220,6 +220,11 @@ type Client_Core_Data = record {
 	SUPPORT_HEARTBEAT_PDU:      bool = early_capability_flags & 0x0400;
 } &byteorder=littleendian;
 
+type Client_Security_Data = record {
+	encryption_methods:	uint32;
+	ext_encryption_methods:	uint32;
+} &byteorder=littleendian;
+
 type Client_Network_Data = record {
 	channel_count: uint32;
 	channel_def_array: Client_Channel_Def[channel_count];

src/analyzer/protocol/rdp/types.bif

@@ -4,5 +4,7 @@ module RDP;
 type EarlyCapabilityFlags: record;
 type ClientCoreData: record;
 
+type ClientSecurityData: record;
+
 type ClientChannelList: vector;
 type ClientChannelDef: record;

testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-security-data/out

@@ -0,0 +1,5 @@
+rdp_client_security_data, [encryption_methods=27, ext_encryption_methods=0]
+    40-bit flag, T
+   128-bit flag, T
+    56-bit flag, T
+      fips flag, T

testing/btest/scripts/base/protocols/rdp/rdp-client-security-data.zeek

@@ -0,0 +1,13 @@
+# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/rdp
+
+event rdp_client_security_data(c: connection, data: RDP::ClientSecurityData)
+	{
+	print "rdp_client_security_data", data;
+	print "    40-bit flag", data$encryption_methods & 0x00000001 != 0;
+	print "   128-bit flag", data$encryption_methods & 0x00000002 != 0;
+	print "    56-bit flag", data$encryption_methods & 0x00000008 != 0;
+	print "      fips flag", data$encryption_methods & 0x00000010 != 0;
+	}