Bug #3813

closed

RDP parser differences between 5.0.x and 6.x

Added by Jeff Lucovsky over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata-verify PR #260 behaves differently with 5.0.x and 6.0.0rc1.

Suricata `master` RDP fails to detect "initial_response".
The Suricata 5.0.x branch RDP detects it.

This is the eve.json output from the s-v test "output-eve-rdp-01":

6.0.0rc1

{"timestamp":"2007-10-25T18:06:31.493179+0000","flow_id":337674005618014,"pcap_cnt":5,"event_type":"rdp","src_ip":"10.226.29.74","src_port":3389,"dest_ip":"10.226.41.226","dest_port":13178,"proto":"TCP","rdp":{"tx_id":0,"event_type":"initial_request","cookie":"A70067"},"community_id":"1:sbeGbH2+TjklS\/iu4AY+uLbDKEc="}
{"timestamp":"2007-10-25T18:06:31.804036+0000","flow_id":337674005618014,"pcap_cnt":8,"event_type":"rdp","src_ip":"10.226.29.74","src_port":3389,"dest_ip":"10.226.41.226","dest_port":13178,"proto":"TCP","rdp":{"tx_id":1,"event_type":"connect_request","client":{"version":"v5","desktop_width":1152,"desktop_height":864,"color_depth":15,"keyboard_layout":"en-US","build":"Windows XP","client_name":"ISD2-KM84178","keyboard_type":"enhanced","function_keys":12,"product_id":1,"capabilities":["support_errinfo_pdf"],"id":"55274-OEM-0011903-00107"},"channels":["rdpdr","cliprdr","rdpsnd"]},"community_id":"1:sbeGbH2+TjklS\/iu4AY+uLbDKEc="}
{"timestamp":"2007-10-25T18:06:31.804520+0000","flow_id":337674005618014,"pcap_cnt":9,"event_type":"rdp","src_ip":"10.226.41.226","src_port":13178,"dest_ip":"10.226.29.74","dest_port":3389,"proto":"TCP","rdp":{"tx_id":2,"event_type":"connect_response"},"community_id":"1:sbeGbH2+TjklS\/iu4AY+uLbDKEc="}

5.0.x output

{"timestamp":"2007-10-25T18:06:31.493179+0000","flow_id":1267070568734046,"pcap_cnt":5,"event_type":"rdp","src_ip":"10.226.29.74","src_port":3389,"dest_ip":"10.226.41.226","dest_port":13178,"proto":"TCP","rdp":{"tx_id":0,"event_type":"initial_request","cookie":"A70067"},"community_id":"1:sbeGbH2+TjklS\/iu4AY+uLbDKEc="}
{"timestamp":"2007-10-25T18:06:31.802375+0000","flow_id":1267070568734046,"pcap_cnt":7,"event_type":"rdp","src_ip":"10.226.41.226","src_port":13178,"dest_ip":"10.226.29.74","dest_port":3389,"proto":"TCP","rdp":{"tx_id":1,"event_type":"initial_response"},"community_id":"1:sbeGbH2+TjklS\/iu4AY+uLbDKEc="}
{"timestamp":"2007-10-25T18:06:31.804036+0000","flow_id":1267070568734046,"pcap_cnt":8,"event_type":"rdp","src_ip":"10.226.29.74","src_port":3389,"dest_ip":"10.226.41.226","dest_port":13178,"proto":"TCP","rdp":{"tx_id":2,"event_type":"connect_request","client":{"version":"v5","desktop_width":1152,"desktop_height":864,"color_depth":15,"keyboard_layout":"en-US","build":"Windows XP","client_name":"ISD2-KM84178","keyboard_type":"enhanced","function_keys":12,"product_id":1,"capabilities":["support_errinfo_pdf"],"id":"55274-OEM-0011903-00107"},"channels":["rdpdr","cliprdr","rdpsnd"]},"community_id":"1:sbeGbH2+TjklS\/iu4AY+uLbDKEc="}
{"timestamp":"2007-10-25T18:06:31.804520+0000","flow_id":1267070568734046,"pcap_cnt":9,"event_type":"rdp","src_ip":"10.226.41.226","src_port":13178,"dest_ip":"10.226.29.74","dest_port":3389,"proto":"TCP","rdp":{"tx_id":3,"event_type":"connect_response"},"community_id":"1:sbeGbH2+TjklS\/iu4AY+uLbDKEc="}
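
As an added check (not part of this report, of Suricata or of suricata-verify), a short Python script that diffs the RDP event sequence of two eve.json outputs. It is fed abbreviated, constructed versions of the records quoted above, keeping only the fields the comparison needs, and reports the "initial_response" event that 6.0.0rc1 drops.

```python
import json

# Abbreviated eve.json records, constructed from the two outputs quoted in
# this report: only the fields the comparison needs are kept.
EVE_6_0_0RC1 = """
{"pcap_cnt":5,"event_type":"rdp","rdp":{"tx_id":0,"event_type":"initial_request","cookie":"A70067"}}
{"pcap_cnt":8,"event_type":"rdp","rdp":{"tx_id":1,"event_type":"connect_request"}}
{"pcap_cnt":9,"event_type":"rdp","rdp":{"tx_id":2,"event_type":"connect_response"}}
"""

EVE_5_0_X = """
{"pcap_cnt":5,"event_type":"rdp","rdp":{"tx_id":0,"event_type":"initial_request","cookie":"A70067"}}
{"pcap_cnt":7,"event_type":"rdp","rdp":{"tx_id":1,"event_type":"initial_response"}}
{"pcap_cnt":8,"event_type":"rdp","rdp":{"tx_id":2,"event_type":"connect_request"}}
{"pcap_cnt":9,"event_type":"rdp","rdp":{"tx_id":3,"event_type":"connect_response"}}
"""


def rdp_sequence(eve_text):
    """Ordered list of (pcap_cnt, rdp.event_type) for every 'rdp' record in an
    eve.json stream (one JSON object per line). Non-rdp lines are skipped and
    flow_id is deliberately ignored, since it differs between Suricata runs."""
    seq = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "rdp":
            continue
        seq.append((rec["pcap_cnt"], rec["rdp"]["event_type"]))
    return sorted(seq)


def compare_rdp_outputs(reference, candidate):
    """Diff two eve.json streams on their RDP events. Returns the events the
    reference emitted that the candidate did not ('missing') and the events
    the candidate emitted that the reference did not ('extra'), each as a
    sorted list of (pcap_cnt, event_type)."""
    ref, cand = set(rdp_sequence(reference)), set(rdp_sequence(candidate))
    return {"missing": sorted(ref - cand), "extra": sorted(cand - ref)}


if __name__ == "__main__":
    diff = compare_rdp_outputs(EVE_5_0_X, EVE_6_0_0RC1)
    for pcap_cnt, event in diff["missing"]:
        print(f"packet {pcap_cnt}: rdp event {event!r} missing in 6.0.0rc1")
```

Matching on pcap_cnt rather than tx_id is deliberate: once one event is lost, every later tx_id shifts (connect_request is tx_id 2 in the 5.0.x output but tx_id 1 in 6.0.0rc1), so a tx_id-keyed comparison would flag every subsequent event instead of the one that is actually missing.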

Actions #1

Updated by Jeff Lucovsky over 3 years ago

  • Status changed from New to In Review
  • Assignee set to Jeff Lucovsky
Actions #2

Updated by Shivani Bhardwaj over 3 years ago

  • Status changed from In Review to Closed