package classifiers
import (
"encoding/binary"
"strings"
"github.com/google/gopacket"
"github.com/google/gopacket/layers"
"github.com/nayyara-samuel/go-dpi/types"
)
// RDPClassifier is a heuristic classifier for RDP (Remote Desktop Protocol)
// flows. It has no fields, so it keeps no state between calls; its methods in
// this file are HeuristicClassify and GetProtocol.
type RDPClassifier struct{}
// HeuristicClassify reports whether the payload that checkFirstPayload hands
// to the callback looks like an RDP connection request.
//
// checkFirstPayload is defined elsewhere in this package; presumably it picks
// the first TCP payload of the flow (confirm against its definition).
//
// A payload is accepted only when all of the following hold:
//   - it is at least 20 bytes long;
//   - bytes 0-3 form a TPKT header: version 3, reserved byte 0, and a
//     big-endian 16-bit length equal to the length of the whole payload;
//   - byte 4 (the COTP length indicator) equals the number of bytes that
//     follow it, and byte 5 is 0xE0 (the COTP Connection Request code);
//   - the bytes from offset 11 onwards contain "mstshash=" or "msts=".
//
// Coverage notes for anyone relying on this as a detection signal: the marker
// strings are bytes chosen by the connecting client, so a match is an
// indicator rather than proof of RDP. Because the TPKT length must equal the
// payload length exactly and a marker is mandatory, a request that carries no
// such marker, or whose TPKT unit does not line up with one payload, is
// reported as not RDP (a false negative, not an error).
func (classifier RDPClassifier) HeuristicClassify(flow *types.Flow) bool {
	// Shortest payload the heuristic will look at. With the marker search
	// starting at offset 11 this leaves at least 9 bytes to search.
	const minPayloadLen = 20
	// Offset of the data that follows the 4-byte TPKT header and the 7 bytes
	// skipped for the COTP header.
	const markerOffset = 11

	looksLikeConnectionRequest := func(payload []byte, packetsRest []gopacket.Packet) bool {
		total := len(payload)
		if total < minPayloadLen {
			return false
		}

		// TPKT header: version, reserved, then the declared total length.
		if payload[0] != 3 || payload[1] != 0 {
			return false
		}
		if int(binary.BigEndian.Uint16(payload[2:4])) != total {
			return false
		}

		// COTP header: the length indicator counts every byte after itself,
		// i.e. everything past offset 4.
		if int(payload[4]) != total-5 || payload[5] != 0xE0 {
			return false
		}

		// RDP part: look for either marker string in the remaining bytes.
		rest := string(payload[markerOffset:])
		for _, marker := range []string{"mstshash=", "msts="} {
			if strings.Contains(rest, marker) {
				return true
			}
		}
		return false
	}

	return checkFirstPayload(flow.GetPackets(), layers.LayerTypeTCP, looksLikeConnectionRequest)
}
// GetProtocol returns the protocol identifier this classifier stands for,
// which is always types.RDP.
func (classifier RDPClassifier) GetProtocol() types.Protocol {
	proto := types.Protocol(types.RDP)
	return proto
}