zeek/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro at 88d066e921c0150e89b51d0341ca71d7eb7a4fe5 - Mirror/zeek - git.uphillsecurity.com: We code.

Mirror/zeek

mirror of https://github.com/zeek/zeek.git synced 2025-10-04 23:58:20 +00:00

Seth Hall bbedb73a45 Huge updates to the RDP analyzer from Josh Liburdi.

- More data pulled into scriptland.
  - Logs expanded with client screen resolution and desired color depth.
  - Values in UTF-16 on the wire are converted to UTF-8 before being
    sent to scriptland.
  - If the RDP turns into SSL records, we now pass data that appears
    to be SSL to the PIA analyzer.
  - If RDP uses native encryption with X.509 certs we pass those
    certs to the files framework and the base scripts pass them forward
    to the X.509 analyzer.
  - Lots of cleanup and adjustment to fit the documented protocol
    a bit better.
  - Cleaned up the DPD signatures.
  - Moved to flowunit instead of datagram.
  - Added tests.

2015-03-04 13:12:03 -05:00

5 lines

147 B

Text

Raw Blame History

 # @TEST-EXEC: bro -r $TRACES/rdp/rdp-x509.pcap %INPUT
 # @TEST-EXEC: btest-diff rdp.log
 # @TEST-EXEC: btest-diff x509.log
 @load base/protocols/rdp