Diffstat (limited to 'src/lib/protocols/rdp.c')
-rw-r--r-- | src/lib/protocols/rdp.c | 45 |
1 files changed, 43 insertions, 2 deletions
diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c
index 9c42f0055..bc2994286 100644
--- a/src/lib/protocols/rdp.c
+++ b/src/lib/protocols/rdp.c
@@ -2,7 +2,7 @@
 * rdp.c
 *
 * Copyright (C) 2009-11 - ipoque GmbH
- * Copyright (C) 2011-22 - ntop.org
+ * Copyright (C) 2011-24 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -32,6 +32,11 @@
 #include "ndpi_api.h"
 #include "ndpi_private.h"
+extern int ndpi_tls_obfuscated_heur_search_again(struct ndpi_detection_module_struct* ndpi_struct,
+ struct ndpi_flow_struct* flow);
+
+/* **************************************** */
+
 static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
 NDPI_LOG_INFO(ndpi_struct, "found RDP\n");
@@ -39,6 +44,27 @@ static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndp
 ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */
 }
+/* **************************************** */
+
+/* tls.c */
+extern int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow);
+
+int ndpi_search_tls_over_rdp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ const struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
+
+ if((packet->payload_packet_len > 1)
+ && (packet->payload[0] == 0x16 /* This might be a TLS block */)) {
+ int rc = ndpi_search_tls_tcp(ndpi_struct, flow);
+
+ return(rc);
+ } else
+ return 1; /* Keep searching */
+}
+
+/* **************************************** */
+
 static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
 const struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
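Review bot: The file-scope prototype for ndpi_tls_obfuscated_heur_search_again added after the includes is not referenced by any line this commit touches, so either it is dead here or an existing call elsewhere in the file was relying on an implicit declaration; either way it deserves a comment or removal. A prototype shared across dissectors belongs in ndpi_private.h, which the file includes two lines above, rather than as a local `extern` that silently diverges if the definition in the other translation unit changes. The pointer spelling `struct ndpi_detection_module_struct* ndpi_struct` also differs from the `*ndpi_struct` form used everywhere else in this file.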
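Review bot: ndpi_search_tls_over_rdp is given external linkage although its only visible use is as the extra_packets_func callback assigned later in this same file, so `static int ndpi_search_tls_over_rdp(...)` is the right declaration unless another translation unit needs it, in which case the prototype (and the local `extern int ndpi_search_tls_tcp(...)` declared just above it) should live in ndpi_private.h so that a signature change in tls.c becomes a compile error. The return value of ndpi_search_tls_tcp is passed straight back as the extra-packets result, and the `return 1; /* Keep searching */` branch shows that 1 means "keep checking", so the function header should say that ndpi_search_tls_tcp is presumably expected to use the same 1/0 convention, e.g. `/* Extra-packets callback: hands TLS-looking segments to the TLS dissector. Returns 1 to keep checking, 0 when done (ndpi_search_tls_tcp is assumed to follow the same convention). */`. Dispatching on `payload[0] == 0x16` alone is a weak sniff; a TLS record header also carries a 0x03 major-version byte and a length, so `if(packet->payload_packet_len >= 5 && packet->payload[0] == 0x16 && packet->payload[1] == 0x03)` would reject most non-TLS segments without changing the intended path.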
@@ -57,7 +83,21 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
 packet->payload[13] == 0x08 /* RDP Length */) ||
 (packet->payload_packet_len > 17 &&
 memcmp(&packet->payload[11], "Cookie:", 7) == 0))) /* RDP Cookie */ {
+
+ if(packet->payload_packet_len > 43) {
+ u_int8_t rdp_requested_proto = packet->payload[43];
+
+ /* Check if TLS support has been requested in RDP */
+ if((rdp_requested_proto & 0x1) == 0x1) {
+ /* RDP Response + Client Hello + Server hello */
+ flow->max_extra_packets_to_check = 5;
+
+ flow->extra_packets_func = ndpi_search_tls_over_rdp;
+ }
+ }
+
 ndpi_int_rdp_add_connection(ndpi_struct, flow);
+
 return;
 }
 } else {
@@ -66,7 +106,7 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
 packet->payload[11] == 0x02 && /* RDP Negotiation Response */
 packet->payload[13] == 0x08 /* RDP Length */) {
 ndpi_int_rdp_add_connection(ndpi_struct, flow);
- return;
+ return;
 }
 }
 }
@@ -139,6 +179,7 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
 }
 }
+/* **************************************** */
 void init_rdp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id) { |
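Review bot: The requested-protocols byte is read from the fixed index payload[43], but the enclosing condition accepts both the fixed-layout negotiation request (length byte at payload[13]) and the variable-length "Cookie:" form at payload[11], where the negotiation request presumably follows the cookie and its offset depends on the cookie length; a hard-coded 43 can be right for at most one cookie length, so other clients are either never handed to the TLS dissector or have an unrelated byte tested for the TLS bit. The field should be located relative to the end of the cookie (its line terminator) or to the X.224 length rather than at a fixed index, and until then the constant needs a comment naming the layout it assumes, e.g. `/* requestedProtocols byte of the RDP negotiation request; assumes a specific cookie length — TODO derive offset from the cookie terminator */`. Smaller points: `(rdp_requested_proto & 0x1) == 0x1` reads better as `rdp_requested_proto & 0x1`, and the 0x1 and 5 literals would be clearer as named constants for the TLS protocol flag and the expected number of RDP response plus TLS hello packets the comment already describes. ndpi_search_rdp starts and ends outside this hunk.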