From fbae51ae9de3cd4c22664e25ec29d73abe64adfc Mon Sep 17 00:00:00 2001
From: Vladimir Gavrilov <105977161+0xA50C1A1@users.noreply.github.com>
Date: Thu, 23 Nov 2023 11:35:43 +0300
Subject: Get rid of RDP false positives (#2161)

* Get rid of false positives in the RDP protocol dissector

* Remove kludge for RDP

* RDP: improve detection

---------

Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
---
 src/lib/protocols/rdp.c | 34 +++++++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 9 deletions(-)

(limited to 'src/lib/protocols/rdp.c')

diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c
index 305c1c27f..e95c6e853 100644
--- a/src/lib/protocols/rdp.c
+++ b/src/lib/protocols/rdp.c
@@ -46,16 +46,32 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
   NDPI_LOG_DBG(ndpi_struct, "search RDP\n");
 
   if (packet->tcp != NULL) {
-    if (packet->payload_packet_len > 10
-	&& get_u_int8_t(packet->payload, 0) > 0
-	&& get_u_int8_t(packet->payload, 0) < 4 && get_u_int16_t(packet->payload, 2) == ntohs(packet->payload_packet_len)
-	&& get_u_int8_t(packet->payload, 4) == packet->payload_packet_len - 5
-	&& get_u_int8_t(packet->payload, 5) == 0xe0
-	&& get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) {
-      ndpi_int_rdp_add_connection(ndpi_struct, flow);
-      return;
-    }
+    if(packet->payload_packet_len > 13 &&
+       /* TPKT */
+       packet->payload[0] == 0x03 && packet->payload[1] == 0x00 &&
+       ntohs(*(uint16_t *)&packet->payload[2]) == packet->payload_packet_len &&
+       /* COTP */
+       packet->payload[4] == packet->payload_packet_len - 5) {
 
+      if(current_pkt_from_client_to_server(ndpi_struct, flow)) {
+        if(packet->payload[5] == 0xE0 && /* COTP CR */
+	   ((packet->payload[11] == 0x01 && /* RDP Negotiation Request */
+             packet->payload[13] == 0x08 /* RDP Length */) ||
+	    (packet->payload_packet_len > 17 &&
+	     memcmp(&packet->payload[11], "Cookie:", 7) == 0))) /* RDP Cookie */ {
+          ndpi_int_rdp_add_connection(ndpi_struct, flow);
+          return;
+	}
+      } else {
+        /* Asymmetric detection via RDP Negotiation Response */
+        if(packet->payload[5] == 0xD0 && /* COTP CC */
+	   packet->payload[11] == 0x02 && /* RDP Negotiation Response */
+           packet->payload[13] == 0x08 /* RDP Length */) {
+          ndpi_int_rdp_add_connection(ndpi_struct, flow);
+          return;
+	}
+      }
+    }
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
   } else if(packet->udp != NULL) {
     u_int16_t s_port = ntohs(packet->udp->source);
-- 
cgit v1.2.3