Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
6401 commits 386 branches 195 tags 256 MiB
Commit graph

15 commits

Author SHA1 Message Date
Daniel Thayer
45caf8d2c1 Add missing documentation on the "Bro Package Index" page 2015-06-02 10:00:00 -05:00
Jon Siwek
32ae94de9a Merge remote-tracking branch 'origin/topic/seth/rdp' 
* origin/topic/seth/rdp: (31 commits)
  Improved transition into SSL/TLS from RDP.
  Fixes tests in RDP branch.
  add a special case to the X509 code that deals with RDP certificates.
  A few more changes to handling encryption in RDP.
  Adds some comments and fixes a broxygen warning.
  Fixes another optional part of an RDP unit.
  Support RDP negotiation requests optionally and support zero length cookies.
  Changed UTF-16 to UTF-8 conversion to be more lenient.
  Fixed an issue with parse failure on an optional field.
  Removing a stray printf from RDP analyzer.
  Another big RDP update.
  New script to add a field to rdp.log when the connection is upgraded to SSL.
  Huge updates to the RDP analyzer from Josh Liburdi.
  FreeRDP test trace showing SSL encryption -- RDP analyzer does not currently handle this and SSL analyzer does not identify it either
  Wireshark test trace for native encryption -- generates a binpac error
  Delete RDP-004.pcap
  Delete nla_win7_win2k8r2.pcap
  Update dpd.sig
  Fixed typo
  Added check for connection existence
  ...

BIT-1340 #merged
 2015-03-30 17:10:04 -05:00
Seth Hall
276e072e6e A few more changes to handling encryption in RDP. 2015-03-05 13:38:54 -05:00
Seth Hall
b92a68e2bd Adds some comments and fixes a broxygen warning. 2015-03-05 11:37:37 -05:00
Seth Hall
f45e057779 Another big RDP update. 
- New fields for certificate type, number of certificates,
   if certificates are permanent on the server, and the selected
   security protocol.
 - Fixed some issues with X.509 certificate handling over RDP
   (the event handler wasn't sufficiently constrained).
 - Better detection of and transition into encrypted mode.  No more
   binpac parse failures from the test traces anymore!
 - Some event name clean up and new events.
 - X.509 Certificate chains are now handled correctly (was only grabbing
   a single certificate).
 2015-03-05 01:15:12 -05:00
Seth Hall
bbedb73a45 Huge updates to the RDP analyzer from Josh Liburdi. 
- More data pulled into scriptland.
  - Logs expanded with client screen resolution and desired color depth.
  - Values in UTF-16 on the wire are converted to UTF-8 before being
    sent to scriptland.
  - If the RDP turns into SSL records, we now pass data that appears
    to be SSL to the PIA analyzer.
  - If RDP uses native encryption with X.509 certs we pass those
    certs to the files framework and the base scripts pass them forward
    to the X.509 analyzer.
  - Lots of cleanup and adjustment to fit the documented protocol
    a bit better.
  - Cleaned up the DPD signatures.
  - Moved to flowunit instead of datagram.
  - Added tests.
 2015-03-04 13:12:03 -05:00
jshlbrd
dade1936be Update dpd.sig 2015-02-15 23:06:36 -08:00
jshlbrd
10071ffddf Fixed typo 2015-02-15 23:05:11 -08:00
jshlbrd
8a5bb0f6a7 Added check for connection existence 
Added a check for connection existence before trying to remove the RDP analyzer from a connection.
 2015-02-15 23:04:31 -08:00
Josh Liburdi
90bfbf9002 Added comments, changed logging events to reduce analyzer errors 2015-02-15 22:43:31 -08:00
Josh Liburdi
a3ab9f5b09 Added comments and TODOs 2015-02-15 10:18:52 -08:00
Josh Liburdi
af1f4be529 Added comments and TODOs 2015-02-15 10:16:16 -08:00
Josh Liburdi
0648dafa54 Removed scheduling of rdp_tracker event in server response events 2015-02-15 10:08:31 -08:00
Josh Liburdi
fd655aa85d Removed debug code for SSL 2015-02-15 09:24:28 -08:00
Josh Liburdi
46713fb5c7 Init RDP analyzer 2015-02-14 13:16:48 -08:00