
- More data pulled into scriptland. - Logs expanded with client screen resolution and desired color depth. - Values in UTF-16 on the wire are converted to UTF-8 before being sent to scriptland. - If the RDP connection switches to SSL records, we now pass data that appears to be SSL to the PIA analyzer. - If RDP uses native encryption with X.509 certs, we pass those certs to the files framework and the base scripts pass them forward to the X.509 analyzer. - Lots of cleanup and adjustment to fit the documented protocol a bit better. - Cleaned up the DPD signatures. - Moved to flowunit instead of datagram. - Added tests.
%include binpac.pac
%include bro.pac
%extern{
// Declarations of the events this analyzer raises; presumably the header
// generated from the analyzer's events.bif — confirm against the build.
#include "events.bif.h"
%}
# Top-level analyzer declaration: names the connection and flow types the
# generated RDP parser is built from. "withcontext" makes the connection and
# flow objects available to the generated parsing code as its context.
analyzer RDP withcontext {
	connection: RDP_Conn;
	flow: RDP_Flow;
};
# An RDP connection is parsed as a pair of unidirectional flows, each its
# own RDP_Flow instance. The boolean argument is the flow's is_orig flag:
# true for the originator (client) side, false for the responder side.
connection RDP_Conn(bro_analyzer: BroAnalyzer) {
	downflow = RDP_Flow(false);
	upflow = RDP_Flow(true);
};
%include rdp-protocol.pac
# One direction of the RDP byte stream. Parsing runs in flowunit mode: binpac
# reassembles the stream and hands the parser one TPKT unit at a time, rather
# than treating each packet as a self-contained datagram.
# NOTE(review): in flowunit mode binpac buffers input until a whole unit is
# available, so the TPKT type (presumably defined in rdp-protocol.pac) must
# bound each unit by its header length field. If a unit had no length bound,
# or took its length from an unvalidated field, a peer could drive the
# analyzer's buffering and memory use — confirm against the TPKT definition.
flow RDP_Flow(is_orig: bool) {
	flowunit = TPKT(is_orig) withcontext(connection, this);
};
%include rdp-analyzer.pac