Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Another big RDP update.

Browse source 
- New fields for certificate type, number of certificates,
   if certificates are permanent on the server, and the selected
   security protocol.
 - Fixed some issues with X.509 certificate handling over RDP
   (the event handler wasn't sufficiently constrained).
 - Better detection of and transition into encrypted mode.  No more
   binpac parse failures from the test traces anymore!
 - Some event name clean up and new events.
 - X.509 Certificate chains are now handled correctly (was only grabbing
   a single certificate).
This commit is contained in:
Seth Hall 2015-03-05 01:15:12 -05:00
parent 0d04557ac4
commit f45e057779
10 changed files with 364 additions and 135 deletions
Download patch file Download diff file Expand all files Collapse all files

12
testing/btest/Baseline/scripts.base.protocols.rdp.rdp-proprietary-encryption/rdp.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path rdp
#open 2015-03-04-17-59-16
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth result encryption_level encryption_method
#types time string addr port addr port string string string string string count count string string string string
1193369797.582740 CjhGID4nQcgTWjvg4c 172.21.128.16 1312 10.226.24.52 3389 FTBCO\A70 English - United States RDP 6.0 FROG-POND (empty) 1152 864 32-bit Success High 128bit
1193369795.014346 CXWv6p3arKYeMETxOg 172.21.128.16 1311 10.226.24.52 3389 FTBCO\A70 - - - - - - - - - -
#close 2015-03-04-17-59-16
#open 2015-03-05-06-05-01
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent selected_security_protocol encryption_level encryption_method
#types time string addr port addr port string string string string string string count count string string count bool string string string
1193369795.014346 CXWv6p3arKYeMETxOg 172.21.128.16 1311 10.226.24.52 3389 FTBCO\A70 SSL_NOT_ALLOWED_BY_SERVER - - - - - - - - 0 - - - -
1193369797.582740 CjhGID4nQcgTWjvg4c 172.21.128.16 1312 10.226.24.52 3389 FTBCO\A70 Success English - United States RDP 6.0 FROG-POND (empty) 1152 864 32bit RSA 1 T RDP High 128bit
#close 2015-03-05-06-05-01