From 7d3c3b23f8b9749690b8c5f345b7bc489b3666ac Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Mon, 18 Oct 2021 22:12:28 +0200
Subject: Implemented RDP over UDP dissection

---
 src/include/ndpi_typedefs.h |  3 ++
 src/lib/protocols/rdp.c     | 67 ++++++++++++++++++++++++++++++++++++---------
 2 files changed, 57 insertions(+), 13 deletions(-)
(limited to 'src')

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index c3dc63e3a..fe32bfd97 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -793,6 +793,9 @@ struct ndpi_flow_udp_struct {
   /* NDPI_PROTOCOL_CSGO */
   u_int8_t csgo_strid[18],csgo_state,csgo_s2;
   u_int32_t csgo_id2;
+
+  /* NDPI_PROTOCOL_RDP */
+  u_int8_t rdp_to_srv[3], rdp_from_srv[3], rdp_to_srv_pkts, rdp_from_srv_pkts;
 };
 /* ************************************************** */
diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c
index 6b3564e79..e7aa91173 100644
--- a/src/lib/protocols/rdp.c
+++ b/src/lib/protocols/rdp.c
@@ -27,6 +27,8 @@
 #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RDP
+#define RDP_PORT 3389
+
 #include "ndpi_api.h"
 static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
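Review bot: The new `rdp_to_srv_pkts` / `rdp_from_srv_pkts` fields carry a small state machine (values 0, 1 and 2 as written by rdp.c in this commit), but the struct comment names only the protocol, so a reader of the header cannot tell what the counters mean or why the prefix arrays are three bytes. A comment next to the declaration such as `/* NDPI_PROTOCOL_RDP: first 3 payload bytes seen per direction; *_pkts: 0 = unseen, 1 = prefix recorded, 2 = prefix repeated */` would document the contract the dissector relies on.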
@@ -40,19 +42,58 @@ void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
   NDPI_LOG_DBG(ndpi_struct, "search RDP\n");
-  if (packet->payload_packet_len > 10
-      && get_u_int8_t(packet->payload, 0) > 0
-      && get_u_int8_t(packet->payload, 0) < 4 && get_u_int16_t(packet->payload, 2) == ntohs(packet->payload_packet_len)
-      && get_u_int8_t(packet->payload, 4) == packet->payload_packet_len - 5
-      && get_u_int8_t(packet->payload, 5) == 0xe0
-      && get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) {
-    NDPI_LOG_INFO(ndpi_struct, "found RDP\n");
-    ndpi_int_rdp_add_connection(ndpi_struct, flow);
-    ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */
-    return;
-  }
+  if (packet->tcp != NULL) {
+    if (packet->payload_packet_len > 10
+        && get_u_int8_t(packet->payload, 0) > 0
+        && get_u_int8_t(packet->payload, 0) < 4 && get_u_int16_t(packet->payload, 2) == ntohs(packet->payload_packet_len)
+        && get_u_int8_t(packet->payload, 4) == packet->payload_packet_len - 5
+        && get_u_int8_t(packet->payload, 5) == 0xe0
+        && get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) {
+      NDPI_LOG_INFO(ndpi_struct, "found RDP\n");
+    rdp_found:
+      ndpi_int_rdp_add_connection(ndpi_struct, flow);
+      ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */
+      return;
+    }
-  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+  } else if(packet->udp != NULL) {
+    u_int16_t s_port = ntohs(packet->udp->source);
+    u_int16_t d_port = ntohs(packet->udp->dest);
+
+    if((packet->payload_packet_len >= 10) && ((s_port == RDP_PORT) || (d_port == RDP_PORT))) {
+      if(s_port == RDP_PORT) {
+        /* Server -> Client */
+        if(flow->l4.udp.rdp_from_srv_pkts == 0)
+          memcpy(flow->l4.udp.rdp_from_srv, packet->payload, 3), flow->l4.udp.rdp_from_srv_pkts = 1;
+        else {
+          if(memcmp(flow->l4.udp.rdp_from_srv, packet->payload, 3) != 0)
+            NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+          else {
+            flow->l4.udp.rdp_from_srv_pkts = 2 /* stage 2 */;
+
+            if(flow->l4.udp.rdp_to_srv_pkts == 2)
+              goto rdp_found;
+          }
+        }
+      } else {
+        /* Client -> Server */
+        if(flow->l4.udp.rdp_to_srv_pkts == 0)
+          memcpy(flow->l4.udp.rdp_to_srv, packet->payload, 3), flow->l4.udp.rdp_to_srv_pkts = 1;
+        else {
+          if(memcmp(flow->l4.udp.rdp_to_srv, packet->payload, 3) != 0)
+            NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+          else {
+            flow->l4.udp.rdp_to_srv_pkts = 2 /* stage 2 */;
+
+            if(flow->l4.udp.rdp_from_srv_pkts == 2)
+              goto rdp_found;
+          }
+        }
+      }
+    } else
+      NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+  }
 }
@@ -61,7 +102,7 @@ void init_rdp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
   ndpi_set_bitmask_protocol_detection("RDP", ndpi_struct, detection_bitmask, *id,
                                       NDPI_PROTOCOL_RDP,
                                       ndpi_search_rdp,
-                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                       SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK);
--
cgit v1.2.3
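Review bot: The UDP branch classifies a flow as RDP on port 3389 plus a three-byte payload prefix that merely repeats within each direction (the memcpy/memcmp on bytes 0–2 of `packet->payload`), without checking any field of the RDP-UDP transport header itself, so any UDP service on 3389 whose datagrams start with a constant prefix in both directions is labelled RDP and tagged NDPI_DESKTOP_OR_FILE_SHARING_SESSION, while RDP over UDP on a non-default port is never considered. Validating at least one fixed header field defined by the RDP-UDP specification before reaching `rdp_found` would tie the match to the protocol rather than the port; I have not verified the exact layout, so the concrete check has to be taken from the specification. The `goto rdp_found` also jumps into the middle of the TCP branch's block, past `NDPI_LOG_INFO(ndpi_struct, "found RDP\n");`, so UDP detections are never logged; placing the label one line earlier, `rdp_found:` immediately before the `NDPI_LOG_INFO` call, or moving the three shared tail statements into a small static helper called from both branches, fixes the logging and avoids the jump into a nested block. The comma-expression lines such as `memcpy(flow->l4.udp.rdp_from_srv, packet->payload, 3), flow->l4.udp.rdp_from_srv_pkts = 1;` read more clearly as two statements inside braces. ndpi_search_rdp's signature and the start of its body are outside the hunk.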