
- More data pulled into scriptland. - Logs expanded with client screen resolution and desired color depth. - Values in UTF-16 on the wire are converted to UTF-8 before being sent to scriptland. - If the RDP connection turns into SSL records, we now pass data that appears to be SSL to the PIA analyzer. - If RDP uses native encryption with X.509 certs we pass those certs to the files framework and the base scripts pass them forward to the X.509 analyzer. - Lots of cleanup and adjustment to fit the documented protocol a bit better. - Cleaned up the DPD signatures. - Moved to flowunit instead of datagram. - Added tests.
# Client side of an RDP connection, used for dynamic protocol detection.
# The "rdp" analyzer is attached only when this signature matches AND
# dpd_rdp_server has matched the opposite direction of the same connection.
signature dpd_rdp_client {
ip-proto == tcp
# Client request
# The leading .* lets the alternation match anywhere in the payload, not
# just at the start of the stream.
# NOTE(review): "Cookie: mstshash=" presumably is the cookie carried in the
# client's connection request, and "Duca" followed by one of the listed
# channel names presumably comes from the client's conference-create data;
# confirm both against the protocol spec before tightening the pattern.
payload /.*(Cookie: mstshash\=|Duca.*(rdpdr|rdpsnd|drdynvc|cliprdr))/
# Do not fire on this direction alone; the reverse direction must also look
# like an RDP server, which keeps a lone cookie-like string from enabling
# the analyzer.
requires-reverse-signature dpd_rdp_server
enable "rdp"
}
# Server side of an RDP connection. This signature has no enable of its
# own; it exists to satisfy the requires-reverse-signature condition in
# dpd_rdp_client.
signature dpd_rdp_server {
ip-proto == tcp
# NOTE(review): the first branch accepts any five bytes followed by 0xd0,
# presumably a connection-confirm response behind a fixed-size header; the
# second branch looks for "McDn" anywhere in the payload, presumably a marker
# in the server's conference-create response. Confirm against the protocol
# spec. The first branch is deliberately loose (any 6-byte prefix ending in
# 0xd0 matches), so the reverse-signature pairing in dpd_rdp_client is what
# keeps this from matching unrelated traffic.
payload /(.{5}\xd0|.*McDn)/
}