From 028294183868d53c9aebe649469eb988855b0481 Mon Sep 17 00:00:00 2001 From: jatkinosn Date: Wed, 19 Jun 2019 15:12:56 -0400 Subject: [PATCH 1/4] Adding options field to RDP::ClientChannelDef Adding Client Cluster Data --- scripts/base/init-bare.zeek | 9 +++- src/analyzer/protocol/rdp/events.bif | 7 +++ src/analyzer/protocol/rdp/rdp-analyzer.pac | 50 +++++++++++++++++----- src/analyzer/protocol/rdp/rdp-protocol.pac | 12 +++++- src/analyzer/protocol/rdp/types.bif | 1 + 5 files changed, 66 insertions(+), 13 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index f68bf3a545..6ed290fb2c 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -4278,7 +4278,9 @@ export { ## Name and flags for a single channel requested by the client. type RDP::ClientChannelDef: record { ## A unique name for the channel - name: string; + name: string; + ## Channel Def raw options as count + options: int; ## Absence of this flag indicates that this channel is ## a placeholder and that the server MUST NOT set it up. initialized: bool; @@ -4304,6 +4306,11 @@ export { persistent: bool; }; + type RDP::ClientClusterData: record { + flags: int; + redir_session_id: int; + }; + ## The list of channels requested by the client. type RDP::ClientChannelList: vector of ClientChannelDef; } diff --git a/src/analyzer/protocol/rdp/events.bif b/src/analyzer/protocol/rdp/events.bif index 0931365dc6..91d2fc004a 100644 --- a/src/analyzer/protocol/rdp/events.bif +++ b/src/analyzer/protocol/rdp/events.bif 
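Review bot: The comment on the new `options` field, `## Channel Def raw options as count`, does not tell a script author how the field relates to the boolean fields that follow it, which the analyzer decodes from the same 32-bit word (the CHANNEL_OPTION_* assignments in rdp-analyzer.pac in this series). Suggested wording: `## The raw 32-bit options bitfield of the channel definition; the boolean` / `## fields below are decoded from it.`. The second hunk's new `RDP::ClientClusterData` record carries no `##` field documentation at all, which this export block otherwise provides for every field, so at least `flags` and `redir_session_id` should say what they hold before the type is merged.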
@@ -49,6 +49,13 @@ event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
 ## channels: The channels that were requested
 event rdp_client_network_data%(c: connection, channels: RDP::ClientChannelList%);
+## Generated for client clusgter data packets.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## data: The data contained in the client security data structure.
+event rdp_client_cluster_data%(c: connection, data: RDP::ClientClusterData%);
+
 ## Generated for MCS server responses.
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index 7b7552642f..d52c1153c5 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
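Review bot: The `data:` description of the new `rdp_client_cluster_data` event is copied from the security-data event and documents the wrong structure — it should read `## data: The data contained in the client cluster data structure.`. Since this text is rendered into the script reference, one further line saying what the block carries (the session-redirection flags and the redirected session ID exposed through RDP::ClientClusterData) would tell script authors when to hook this event rather than `rdp_client_security_data`.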
@@ -130,18 +130,19 @@ refine flow RDP_Flow += {
 RecordVal* channel_def = new RecordVal(BifType::Record::RDP::ClientChannelDef);
 channel_def->Assign(0, bytestring_to_val(${cnetwork.channel_def_array[i].name}));
+ channel_def->Assign(1, val_mgr->GetCount(${cnetwork.channel_def_array[i].options}));
- channel_def->Assign(1, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED}));
- channel_def->Assign(2, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP}));
- channel_def->Assign(3, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC}));
- channel_def->Assign(4, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS}));
- channel_def->Assign(5, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH}));
- channel_def->Assign(6, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED}));
- channel_def->Assign(7, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW}));
- channel_def->Assign(8, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP}));
- channel_def->Assign(9, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS}));
- channel_def->Assign(10, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL}));
- channel_def->Assign(11, val_mgr->GetBool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT}));
+ channel_def->Assign(2, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED}));
+ channel_def->Assign(3, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP}));
+ channel_def->Assign(4, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC}));
+ channel_def->Assign(5, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS}));
+ channel_def->Assign(6, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH}));
+ channel_def->Assign(7, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED}));
+ channel_def->Assign(8, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW}));
+ channel_def->Assign(9, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP}));
+ channel_def->Assign(10, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS}));
+ channel_def->Assign(11, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL}));
+ channel_def->Assign(12, val_mgr->GetBool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT}));
 channels->Assign(channels->Size(), channel_def);
 }
@@ -154,6 +155,29 @@ refine flow RDP_Flow += {
 return true;
 %}
+
+ function proc_rdp_client_cluster_data(ccluster: Client_Cluster_Data): bool
+ %{
+ if ( ! rdp_client_cluster_data )
+ return false;
+
+ RecordVal* ccld = new RecordVal(BifType::Record::RDP::ClientClusterData);
+ ccld->Assign(0, val_mgr->GetCount(${ccluster.flags}));
+ ccld->Assign(1, val_mgr->GetCount(${ccluster.redir_session_id}));
+
+ ccld->Assign(2, val_mgr->GetBool(${ccluster.REDIRECTION_SUPPORTED}));
+ ccld->Assign(3, val_mgr->GetCount(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK}));
+ ccld->Assign(4, val_mgr->GetCount(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
+ ccld->Assign(5, val_mgr->GetBool(${ccluster.REDIRECTED_SMARTCARD}));
+
+ BifEvent::generate_rdp_client_cluster_data(connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ ccld);
+ return true;
+ %}
+
+
 function proc_rdp_server_security(ssd: Server_Security_Data): bool
 %{
 connection()->bro_analyzer()->ProtocolConfirmation();
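Review bot: The renumbering in the @@ -130 hunk leaves the ClientChannelDef field layout encoded twice — as positional `Assign()` indices here and as declaration order in scripts/base/init-bare.zeek — with nothing tying the two together, so the next inserted field silently lands a value in the wrong slot, as this very shift of every index by one shows. A short comment above the first `Assign` would make that coupling visible: `// Field indices must track the declaration order of RDP::ClientChannelDef in scripts/base/init-bare.zeek (0 = name, 1 = raw options, 2.. = decoded CHANNEL_OPTION_* flags).`. The enclosing proc_rdp_client_network_data function starts before this hunk.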
@@ -226,6 +250,10 @@ refine typeattr Client_Network_Data += &let {
 proc: bool = $context.flow.proc_rdp_client_network_data(this);
 };
+refine typeattr Client_Cluster_Data += &let {
+ proc: bool = $context.flow.proc_rdp_client_cluster_data(this);
+};
+
 refine typeattr GCC_Server_Create_Response += &let {
 proc: bool = $context.flow.proc_rdp_gcc_server_create_response(this);
 };
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac
index 442a0d1292..f10dcf0af4 100644
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
@@ -54,7 +54,7 @@ type Data_Block = record {
 0xc001 -> client_core: Client_Core_Data;
 0xc002 -> client_security: Client_Security_Data;
 0xc003 -> client_network: Client_Network_Data;
- #0xc004 -> client_cluster: Client_Cluster_Data;
+ 0xc004 -> client_cluster: Client_Cluster_Data;
 #0xc005 -> client_monitor: Client_Monitor_Data;
 #0xc006 -> client_msgchannel: Client_MsgChannel_Data;
 #0xc008 -> client_monitor_ex: Client_MonitorExtended_Data;
@@ -230,6 +230,16 @@ type Client_Network_Data = record {
 channel_def_array: Client_Channel_Def[channel_count];
 } &byteorder=littleendian;
+type Client_Cluster_Data = record {
+ flags: uint32;
+ redir_session_id: uint32;
+} &let {
+ REDIRECTION_SUPPORTED: bool = redir_session_id & 0x00000001;
+ SERVER_SESSION_REDIRECTION_VERSION_MASK: int = (redir_session_id & 0x0000003C);
+ REDIRECTED_SESSIONID_FIELD_VALID: int = (redir_session_id & 0x00000002);
+ REDIRECTED_SMARTCARD: bool = redir_session_id & 0x00000040;
+} &byteorder=littleendian;
+
 type Client_Channel_Def = record {
 name: bytestring &length=8;
 options: uint32;
diff --git a/src/analyzer/protocol/rdp/types.bif b/src/analyzer/protocol/rdp/types.bif
index 69cbe14dd3..366676d017 100644
--- a/src/analyzer/protocol/rdp/types.bif
+++ b/src/analyzer/protocol/rdp/types.bif
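Review bot: In the new Client_Cluster_Data `&let` block all four derived fields mask `redir_session_id`, but the constants being masked (0x1, 0x3C, 0x2, 0x40) are the flag bits of the cluster block's `flags` word, while `redir_session_id` is the plain redirected-session identifier, so as written the flags are never decoded and the session ID is treated as a bitfield. The baseline added later in this series bears that out: `Flags: 0000000d` yet every decoded field prints as zero, which is exactly what masking a zero session ID produces, whereas masking `flags` would give redirection-supported set and version 3. Apply the masks to `flags` and shift the version mask down so the field carries the version number rather than the raw masked bits; these bits are what a detection author needs to spot session-redirection and smart-card redirection behaviour, so decoding the wrong word defeats the purpose of the event.
```binpac
} &let {
	# Flag bits live in `flags`; `redir_session_id` is the plain session ID.
	REDIRECTION_SUPPORTED: bool = flags & 0x00000001;
	SERVER_SESSION_REDIRECTION_VERSION_MASK: int = (flags & 0x0000003C) >> 2;
	REDIRECTED_SESSIONID_FIELD_VALID: int = (flags & 0x00000002);
	REDIRECTED_SMARTCARD: bool = flags & 0x00000040;
} &byteorder=littleendian;
```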
@@ -5,6 +5,7 @@ type EarlyCapabilityFlags: record;
 type ClientCoreData: record;
 type ClientSecurityData: record;
+type ClientClusterData: record;
 type ClientChannelList: vector;
 type ClientChannelDef: record;
From bd0bf3f84f12cb69a13c010431d0933807c426e2 Mon Sep 17 00:00:00 2001
From: jatkinosn
Date: Wed, 19 Jun 2019 16:10:29 -0400
Subject: [PATCH 2/4] Removing misc data from Client Cluster data trying to assign values.
---
 src/analyzer/protocol/rdp/rdp-analyzer.pac | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index d52c1153c5..3007529f98 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -165,11 +165,6 @@ refine flow RDP_Flow += {
 ccld->Assign(0, val_mgr->GetCount(${ccluster.flags}));
 ccld->Assign(1, val_mgr->GetCount(${ccluster.redir_session_id}));
- ccld->Assign(2, val_mgr->GetBool(${ccluster.REDIRECTION_SUPPORTED}));
- ccld->Assign(3, val_mgr->GetCount(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK}));
- ccld->Assign(4, val_mgr->GetCount(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
- ccld->Assign(5, val_mgr->GetBool(${ccluster.REDIRECTED_SMARTCARD}));
-
 BifEvent::generate_rdp_client_cluster_data(connection()->bro_analyzer(),
 connection()->bro_analyzer()->Conn(),
 ccld);
From 7b42c3a201b2695d4cf997e69aa5564f9c516fc8 Mon Sep 17 00:00:00 2001
From: jatkinosn
Date: Thu, 20 Jun 2019 09:32:37 -0400
Subject: [PATCH 3/4] Correcting types.
---
 scripts/base/init-bare.zeek | 6 +++---
 src/analyzer/protocol/rdp/events.bif | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 6ed290fb2c..f40b1a6fbe 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4280,7 +4280,7 @@ export {
 ## A unique name for the channel
 name: string;
 ## Channel Def raw options as count
- options: int;
+ options: count;
 ## Absence of this flag indicates that this channel is
 ## a placeholder and that the server MUST NOT set it up.
 initialized: bool;
@@ -4307,8 +4307,8 @@ export {
 };
 type RDP::ClientClusterData: record {
- flags: int;
- redir_session_id: int;
+ flags: count;
+ redir_session_id: count;
 };
 ## The list of channels requested by the client.
diff --git a/src/analyzer/protocol/rdp/events.bif b/src/analyzer/protocol/rdp/events.bif
index 91d2fc004a..178860bd42 100644
--- a/src/analyzer/protocol/rdp/events.bif
+++ b/src/analyzer/protocol/rdp/events.bif
@@ -49,7 +49,7 @@ event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
 ## channels: The channels that were requested
 event rdp_client_network_data%(c: connection, channels: RDP::ClientChannelList%);
-## Generated for client clusgter data packets.
+## Generated for client cluster data packets.
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
 ##
From 3a19af86c59509f35dd16bb199e75a707c628202 Mon Sep 17 00:00:00 2001
From: jatkinosn
Date: Thu, 20 Jun 2019 10:47:05 -0400
Subject: [PATCH 4/4] Fixing types. Added handling for fields sub fields. Added test script and output.
---
 scripts/base/init-bare.zeek | 8 ++++--
 src/analyzer/protocol/rdp/rdp-analyzer.pac | 4 +++
 src/analyzer/protocol/rdp/rdp-protocol.pac | 4 +--
 .../out | 12 ++++++++
 .../rdp/rdp-client-cluster-data.zeek | 28 +++++++++++++++++++
 5 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out
 create mode 100644 testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index f40b1a6fbe..728077e062 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4307,8 +4307,12 @@ export {
 };
 type RDP::ClientClusterData: record {
- flags: count;
- redir_session_id: count;
+ flags: count;
+ redir_session_id: count;
+ redir_supported: bool;
+ svr_session_redir_version_mask: count;
+ redir_sessionid_field_valid: count;
+ redir_smartcard: bool;
 };
 ## The list of channels requested by the client.
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index 3007529f98..2355ceab79 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -164,6 +164,10 @@ refine flow RDP_Flow += {
 RecordVal* ccld = new RecordVal(BifType::Record::RDP::ClientClusterData);
 ccld->Assign(0, val_mgr->GetCount(${ccluster.flags}));
 ccld->Assign(1, val_mgr->GetCount(${ccluster.redir_session_id}));
+ ccld->Assign(2, val_mgr->GetBool(${ccluster.REDIRECTION_SUPPORTED}));
+ ccld->Assign(3, val_mgr->GetCount(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK}));
+ ccld->Assign(4, val_mgr->GetCount(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
+ ccld->Assign(5, val_mgr->GetBool(${ccluster.REDIRECTED_SMARTCARD}));
 BifEvent::generate_rdp_client_cluster_data(connection()->bro_analyzer(),
 connection()->bro_analyzer()->Conn(),
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac
index f10dcf0af4..bcf5e89a2e 100644
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
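Review bot: The four fields added to RDP::ClientClusterData carry no `##` documentation, unlike every other field in this export block (compare ClientChannelDef just above), and `redir_sessionid_field_valid` is a single-bit flag (mask 0x2 in rdp-protocol.pac) yet is typed `count` while its siblings `redir_supported` and `redir_smartcard` are `bool`. I would make it `bool` for consistency — with the matching `GetCount` → `GetBool` on the `Assign(4, …)` line in proc_rdp_client_cluster_data — and document each field: `flags` as the raw 32-bit cluster flags word, `redir_session_id` as the raw redirected session ID, each decoded flag as the bit it reflects, and for `svr_session_redir_version_mask` whether it holds the shifted version number or the raw masked bits, since a script author cannot tell from the name.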
@@ -235,8 +235,8 @@ type Client_Cluster_Data = record {
 redir_session_id: uint32;
 } &let {
 REDIRECTION_SUPPORTED: bool = redir_session_id & 0x00000001;
- SERVER_SESSION_REDIRECTION_VERSION_MASK: int = (redir_session_id & 0x0000003C);
- REDIRECTED_SESSIONID_FIELD_VALID: int = (redir_session_id & 0x00000002);
+ SERVER_SESSION_REDIRECTION_VERSION_MASK: uint8 = (redir_session_id & 0x0000003C);
+ REDIRECTED_SESSIONID_FIELD_VALID: uint8 = (redir_session_id & 0x00000002);
 REDIRECTED_SMARTCARD: bool = redir_session_id & 0x00000040;
 } &byteorder=littleendian;
diff --git a/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out
new file mode 100644
index 0000000000..53973a2324
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out
@@ -0,0 +1,12 @@
+RDP Client Cluster Data
+Flags: 0000000d
+RedirSessionId: 00000000
+Redirection Supported: 00000000
+ServerSessionRedirectionVersionMask: 00000000
+RedirectionSessionIDFieldValid: 00000000
+RedirectedSmartCard: 00000000
+RDP Client Channel List Options
+80800000
+c0000000
+c0800000
+c0a00000
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek b/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek
new file mode 100644
index 0000000000..97a711209a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek
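Review bot: The baseline is created under `testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out` (underscore before `data`) while the test it belongs to is `testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek` (hyphen); btest derives the baseline directory from the test path, so unless this tree's btest configuration maps names differently, `btest-diff out` will not find this file and the new test fails on its first run. Rename the directory to `scripts.base.protocols.rdp.rdp-client-cluster-data`. Before committing the contents, the combination of `Flags: 0000000d` with every decoded field at zero is also worth a second look, because a correct decoder of those flag bits cannot produce that pairing, and a baseline that pins it will lock the bug in.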
@@ -0,0 +1,28 @@
+# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocol/rdp
+
+
+event rdp_client_cluster_data(c: connection, data: RDP::ClientClusterData)
+{
+print "RDP Client Cluster Data";
+#print data;
+print fmt("Flags: %08x",data$flags);
+print fmt("RedirSessionId: %08x",data$redir_session_id);
+print fmt("Redirection Supported: %08x",data$redir_supported);
+print fmt("ServerSessionRedirectionVersionMask: %08x",data$svr_session_redir_version_mask);
+print fmt("RedirectionSessionIDFieldValid: %08x",data$redir_sessionid_field_valid);
+print fmt("RedirectedSmartCard: %08x",data$redir_smartcard);
+
+}
+
+
+event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
+{
+print "RDP Client Channel List Options";
+for ( i in channels ) {
+ print fmt("%08x", channels[i]$options);
+ }
+}
+
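Review bot: `@load base/protocol/rdp` names a directory that does not match the tree shown on this page — the RDP scripts live under `base/protocols/rdp` (the test itself sits in `testing/btest/scripts/base/protocols/rdp/`), so zeek will most likely fail to load the script before any event fires; either correct it to `@load base/protocols/rdp` or drop the line, since the base protocol scripts are normally loaded by default when zeek runs a trace. Formatting the two `bool` fields with `%08x` also obscures what the test checks; the commented-out `print data;` would give a baseline that shows every field with its real type and is easier to read when it breaks.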