Diffstat (limited to 'src/lib/protocols/rdp.c')
-rw-r--r--src/lib/protocols/rdp.c56
1 files changed, 42 insertions, 14 deletions
diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c
index dfc47d72b..363f48628 100644
--- a/src/lib/protocols/rdp.c
+++ b/src/lib/protocols/rdp.c
@@ -33,7 +33,9 @@
static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
+ NDPI_LOG_INFO(ndpi_struct, "found RDP\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */
}
static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
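Review bot: ndpi_int_rdp_add_connection now fixes NDPI_CONFIDENCE_DPI for every caller, yet the UDP "Mid-flow session?" branches in the third hunk promote a flow after only a repeated 3-byte payload prefix in each direction, which is a much weaker match than the byte-by-byte header check in the second hunk or the syn/syn-ack check with MTU bounds. Consider letting the call site choose the confidence, e.g. `static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, ndpi_confidence_t confidence)` with `ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN, confidence);`, so that mid-flow guesses are reported with a lower confidence than header matches while still carrying the same risk. Since the log line and the risk now live only here, a short comment on the helper, `/* Single exit point for every RDP match: sets the protocol and the desktop/file-sharing risk */`, would document why both were moved out of ndpi_search_rdp.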
@@ -49,10 +51,7 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
&& get_u_int8_t(packet->payload, 4) == packet->payload_packet_len - 5
&& get_u_int8_t(packet->payload, 5) == 0xe0
&& get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found RDP\n");
- rdp_found:
ndpi_int_rdp_add_connection(ndpi_struct, flow);
- ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */
return;
}
@@ -61,33 +60,62 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t s_port = ntohs(packet->udp->source);
u_int16_t d_port = ntohs(packet->udp->dest);
+ /* Detection:
+ * initial syn/syn-ack pair for RDPUDP v1 & v2
+ * mid-flow (only v1) */
+
if((packet->payload_packet_len >= 10) && ((s_port == RDP_PORT) || (d_port == RDP_PORT))) {
if(s_port == RDP_PORT) {
/* Server -> Client */
- if(flow->l4.udp.rdp_from_srv_pkts == 0)
- memcpy(flow->l4.udp.rdp_from_srv, packet->payload, 3), flow->l4.udp.rdp_from_srv_pkts = 1;
- else {
+ if(flow->l4.udp.rdp_from_srv_pkts == 0) {
+ if(memcmp(packet->payload, flow->l4.udp.rdp_from_srv, 3) == 0 &&
+ packet->payload_packet_len >= 16 &&
+ (ntohs(get_u_int16_t(packet->payload, 6)) & 0x0003) && /* Flags: syn-ack */
+ ntohs(get_u_int16_t(packet->payload, 12)) <= 1600 && /* Sensible values for upstream MTU */
+ ntohs(get_u_int16_t(packet->payload, 14)) <= 1600) { /* Sensible values for downstream MTU */
+ /* Initial "syn-ack" */
+ ndpi_int_rdp_add_connection(ndpi_struct, flow);
+ return;
+ } else {
+ /* Mid-flow session? */
+ memcpy(flow->l4.udp.rdp_from_srv, packet->payload, 3), flow->l4.udp.rdp_from_srv_pkts = 1;
+ }
+ } else {
if(memcmp(flow->l4.udp.rdp_from_srv, packet->payload, 3) != 0)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
else {
flow->l4.udp.rdp_from_srv_pkts = 2 /* stage 2 */;
-
- if(flow->l4.udp.rdp_to_srv_pkts == 2)
- goto rdp_found;
+
+ if(flow->l4.udp.rdp_to_srv_pkts == 2) {
+ ndpi_int_rdp_add_connection(ndpi_struct, flow);
+ return;
+ }
}
}
} else {
/* Client -> Server */
- if(flow->l4.udp.rdp_to_srv_pkts == 0)
- memcpy(flow->l4.udp.rdp_to_srv, packet->payload, 3), flow->l4.udp.rdp_to_srv_pkts = 1;
- else {
+ if(flow->l4.udp.rdp_to_srv_pkts == 0) {
+ if(get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF &&
+ packet->payload_packet_len >= 16 &&
+ (ntohs(get_u_int16_t(packet->payload, 6)) & 0x0001) && /* Flags: syn */
+ ntohs(get_u_int16_t(packet->payload, 12)) <= 1600 && /* Sensible values for upstream MTU */
+ ntohs(get_u_int16_t(packet->payload, 14)) <= 1600) { /* Sensible values for downstream MTU */
+ /* Initial "syn" */
+ memcpy(flow->l4.udp.rdp_from_srv, packet->payload + 8, 3);
+ } else {
+ /* Mid-flow session? */
+ memcpy(flow->l4.udp.rdp_to_srv, packet->payload, 3), flow->l4.udp.rdp_to_srv_pkts = 1;
+ }
+ } else {
if(memcmp(flow->l4.udp.rdp_to_srv, packet->payload, 3) != 0)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
else {
flow->l4.udp.rdp_to_srv_pkts = 2 /* stage 2 */;
- if(flow->l4.udp.rdp_from_srv_pkts == 2)
- goto rdp_found;
+ if(flow->l4.udp.rdp_from_srv_pkts == 2) {
+ ndpi_int_rdp_add_connection(ndpi_struct, flow);
+ return;
+ }
}
}
}