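# Who When What
# -----------------------------------------------------------------------------
# Abye Aytaged 05/10/2020 Initial commit - CVE_2019_0708 Detection. The
# portion of the RDP session that is likely to be exploited will be in clear text and
# involves creating a "Static Virtual Channel" named "MS_T120." This module will
# log in notice.log whenever it detects an RDP channel with "MS_T120".
#
# Detection caveats (reviewer notes):
#  - The check runs on the client's channel list in the unencrypted connection
#    setup, so it fires whenever a client *requests* the MS_T120 channel. It
#    says nothing about whether the server is patched or even Windows; treat
#    the notice as "possible CVE-2019-0708 exploitation attempt / scan", not
#    as a confirmed vulnerable host. The notice type name is historical.
#  - The channel name comparison is exact and case-sensitive after NUL
#    trimming. Whether the target matches the name case-insensitively is not
#    verified here -- TODO confirm before relying on this against evasion.
#
module RDP_CVE_2019_0708;

export {
	## Declared for completeness; this script does not create a log stream
	## under this ID -- all output goes through the Notice framework.
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		## Raised when a client requests one of the channel names in
		## suspicious_channels (by default MS_T120). Despite the name, this
		## indicates an exploitation attempt / scan, not a verified
		## vulnerable server version.
		Vulnerable_Version
	};

	## Channel names that trigger the notice. MS_T120 is the internal channel
	## abused by CVE-2019-0708. Names are compared after trailing NUL bytes
	## are trimmed, so both "MS_T120" and "MS_T120\x00" (as the analyzer
	## delivers the fixed-width field) match.
	const suspicious_channels: set[string] = { "MS_T120" } &redef;
}

## Return the channel name up to its first NUL byte. The original check
## matched the literal "MS_T120\x00", which depends on the analyzer handing
## over exactly one byte of padding; trimming at the first NUL mirrors how a
## C-string consumer would read the field and removes that dependency.
function trim_channel_name(name: string): string
	{
	return split_string1(name, /\x00/)[0];
	}

## Inspect every static virtual channel the client asks for during RDP
## connection setup and raise a notice for each suspicious one.
##
## c:        the RDP connection the channel list was seen on.
## channels: the client's channel definitions as parsed by the RDP analyzer.
event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
	{
	for ( i in channels )
		{
		local chan = trim_channel_name(channels[i]$name);
		if ( chan !in suspicious_channels )
			next;

		NOTICE([$note=RDP_CVE_2019_0708::Vulnerable_Version,
		        $msg=fmt("RDP_CVE_2019_0708 - RDP connection setup with %s channel, potential CVE-2019-0708", chan),
		        $sub=chan,
		        $conn=c]);
		}
	}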