author | Luca Deri <deri@ntop.org> | 2021-10-18 22:12:28 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2021-10-18 22:12:28 +0200 |
commit | 7d3c3b23f8b9749690b8c5f345b7bc489b3666ac (patch) | |
tree | 5ea14ce668e2eb688bd5e2663f83b0aa6e25be88 /src/lib | |
parent | 9e97d20c25532f7e3ce6855d61494b09dcc2fcc4 (diff) |
Implemented RDP over UDP dissection
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/protocols/rdp.c | 67 |
1 files changed, 54 insertions, 13 deletions
diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c index 6b3564e79..e7aa91173 100644 --- a/src/lib/protocols/rdp.c +++ b/src/lib/protocols/rdp.c @@ -27,6 +27,8 @@ #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RDP +#define RDP_PORT 3389 + #include "ndpi_api.h" static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, 
@@ -40,19 +42,58 @@ void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG(ndpi_struct, "search RDP\n"); - if (packet->payload_packet_len > 10 - && get_u_int8_t(packet->payload, 0) > 0 - && get_u_int8_t(packet->payload, 0) < 4 && get_u_int16_t(packet->payload, 2) == ntohs(packet->payload_packet_len) - && get_u_int8_t(packet->payload, 4) == packet->payload_packet_len - 5 - && get_u_int8_t(packet->payload, 5) == 0xe0 - && get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found RDP\n"); - ndpi_int_rdp_add_connection(ndpi_struct, flow); - ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ - return; - } + if (packet->tcp != NULL) { + if (packet->payload_packet_len > 10 + && get_u_int8_t(packet->payload, 0) > 0 + && get_u_int8_t(packet->payload, 0) < 4 && get_u_int16_t(packet->payload, 2) == ntohs(packet->payload_packet_len) + && get_u_int8_t(packet->payload, 4) == packet->payload_packet_len - 5 + && get_u_int8_t(packet->payload, 5) == 0xe0 + && get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found RDP\n"); + rdp_found: + ndpi_int_rdp_add_connection(ndpi_struct, flow); + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + return; + } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } else if(packet->udp != NULL) { + u_int16_t s_port = ntohs(packet->udp->source); + u_int16_t d_port = ntohs(packet->udp->dest); + + if((packet->payload_packet_len >= 10) && ((s_port == RDP_PORT) || (d_port == RDP_PORT))) { + if(s_port == RDP_PORT) { + /* Server -> Client */ + if(flow->l4.udp.rdp_from_srv_pkts == 0) + memcpy(flow->l4.udp.rdp_from_srv, packet->payload, 3), flow->l4.udp.rdp_from_srv_pkts = 1; + else { + 
if(memcmp(flow->l4.udp.rdp_from_srv, packet->payload, 3) != 0) + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + else { + flow->l4.udp.rdp_from_srv_pkts = 2 /* stage 2 */; + + if(flow->l4.udp.rdp_to_srv_pkts == 2) + goto rdp_found; + } + } + } else { + /* Client -> Server */ + if(flow->l4.udp.rdp_to_srv_pkts == 0) + memcpy(flow->l4.udp.rdp_to_srv, packet->payload, 3), flow->l4.udp.rdp_to_srv_pkts = 1; + else { + if(memcmp(flow->l4.udp.rdp_to_srv, packet->payload, 3) != 0) + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + else { + flow->l4.udp.rdp_to_srv_pkts = 2 /* stage 2 */; + + if(flow->l4.udp.rdp_from_srv_pkts == 2) + goto rdp_found; + } + } + } + } else + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } } @@ -61,7 +102,7 @@ void init_rdp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3 ndpi_set_bitmask_protocol_detection("RDP", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_RDP, ndpi_search_rdp, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); |
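Review bot: The new UDP branch classifies a flow as RDP, and sets NDPI_DESKTOP_OR_FILE_SHARING_SESSION on it, on nothing more than port 3389 in either direction plus the first three payload bytes repeating across two packets per direction; the bytes themselves are never checked against any expected header value, so any UDP exchange on that port whose per-direction prefix is stable (a keep-alive, any fixed-prefix datagram) is labelled RDP, whereas the TCP branch of the same function still validates several structural fields of the payload. At minimum I would state that in place, `/* Heuristic only: port 3389 plus a stable 3-byte prefix per direction; payload content is not validated */` above the `if((packet->payload_packet_len >= 10) && ((s_port == RDP_PORT) || (d_port == RDP_PORT)))` test, and consider matching a real header field before raising the risk. The two `goto rdp_found` jumps target a label placed inside the body of the TCP `if`, which is legal C here but skips the `NDPI_LOG_INFO` on the line above the label and makes the TCP block the owner of code shared by both transports; moving the label with the two shared statements below the if/else chain, with the TCP branch jumping forward to it, keeps the control flow readable. `flow->l4.udp.rdp_from_srv` and `rdp_to_srv` are declared outside this diff (the diffstat is limited to src/lib), so the 3-byte memcpy/memcmp presumably relies on those fields holding at least three bytes and is worth confirming against the flow-struct change; ndpi_search_rdp's signature starts outside the hunk.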