From ee0a403d88612c2e8320542e395979615e687b7f Mon Sep 17 00:00:00 2001
From: Tillson Galloway
Date: Sun, 18 Jun 2023 20:57:59 -0400
Subject: [PATCH 1/4] Use Zeek 5 syntax for table definition
---
 scripts/rdfp.zeek | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/scripts/rdfp.zeek b/scripts/rdfp.zeek
index b846769..2f27592 100644
--- a/scripts/rdfp.zeek
+++ b/scripts/rdfp.zeek
@@ -39,15 +39,15 @@ event zeek_init() {
 const negproto: table[count] of string &redef;
 redef negproto += {
- [0] = ["RDP"],
- [1] = ["SSL"],
- [2] = ["HYBRID"],
- [3] = ["Undefined"],
- [4] = ["RDSTLS"],
- [5] = ["undef5"],
- [6] = ["undef6"],
- [7] = ["undef8"],
- [8] = ["HYBRID-EX"],
+ [0] = "RDP",
+ [1] = "SSL",
+ [2] = "HYBRID",
+ [3] = "Undefined",
+ [4] = "RDSTLS",
+ [5] = "undef5",
+ [6] = "undef6",
+ [7] = "undef8",
+ [8] = "HYBRID-EX",
 };
From 1dc0849df0380c8979184bcadbeebb7ee99993ea Mon Sep 17 00:00:00 2001
From: Tillson Galloway
Date: Sun, 18 Jun 2023 20:58:58 -0400
Subject: [PATCH 2/4] Add Azure AD protocol negotiation
---
 scripts/rdfp.zeek | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/rdfp.zeek b/scripts/rdfp.zeek
index 2f27592..a192013 100644
--- a/scripts/rdfp.zeek
+++ b/scripts/rdfp.zeek
@@ -48,7 +48,7 @@ redef negproto += {
 [6] = "undef6",
 [7] = "undef8",
 [8] = "HYBRID-EX",
-
+ [0x10] = "RDSAAD"
 };
 event rdp_connect_request(c: connection, cookie: string) &priority=5
From dd93f2b48f74ebde9f54faf016dc864f5bb185bf Mon Sep 17 00:00:00 2001
From: Tillson Galloway
Date: Sun, 18 Jun 2023 21:00:23 -0400
Subject: [PATCH 3/4] Update rdfp.zeek
---
 scripts/rdfp.zeek | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/rdfp.zeek b/scripts/rdfp.zeek
index a192013..1cb2959 100644
--- a/scripts/rdfp.zeek
+++ b/scripts/rdfp.zeek
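Review bot: On the new side of this hunk the entry for key 7 still reads `[7] = "undef8",` while keys 5 and 6 follow a key-numbered `undef5`/`undef6` scheme, so the label looks like a copy-paste slip carried over from the old list. Since the commit rewrites every entry of `negproto`, this is the moment to make it `[7] = "undef7",` (or drop the placeholder entries altogether), unless the existing string is deliberately kept stable for consumers of the log.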
@@ -48,7 +48,7 @@ redef negproto += {
 [6] = "undef6",
 [7] = "undef8",
 [8] = "HYBRID-EX",
- [0x10] = "RDSAAD"
+ [16] = "RDSAAD"
 };
 event rdp_connect_request(c: connection, cookie: string) &priority=5
From 657b79f30b3c0db2b8edfee57c78acafbf4b2f0e Mon Sep 17 00:00:00 2001
From: Tillson Galloway
Date: Tue, 20 Jun 2023 15:44:58 -0400
Subject: [PATCH 4/4] Style adjustments
---
 scripts/rdfp.zeek | 146 +++++++++++++++++++++++-----------------------
 1 file changed, 73 insertions(+), 73 deletions(-)
diff --git a/scripts/rdfp.zeek b/scripts/rdfp.zeek
index a192013..4a1d430 100644
--- a/scripts/rdfp.zeek
+++ b/scripts/rdfp.zeek
@@ -6,23 +6,21 @@ module RDPrinting;
 export {
- redef enum Log::ID += { RDFP };
 }
- type RDPFPStorage: record {
- id: conn_id &log &optional;
- cookie: string &log &optional;
- verMajor: int &default=0 &log;
- verMinor: int &default=0 &log;
- clusterFlags: string &default="" &log;
- encMethods: string &default="" &log;
- extEncMethods: string &default="" &log;
- channelDef: string &default="" &log;
- rdfp_string: string &default="" &log;
- rdfp_hash: string &default="" &log;
-
- };
+type RDPFPStorage: record {
+ id: conn_id &log &optional;
+ cookie: string &log &optional;
+ verMajor: int &default=0 &log;
+ verMinor: int &default=0 &log;
+ clusterFlags: string &default="" &log;
+ encMethods: string &default="" &log;
+ extEncMethods: string &default="" &log;
+ channelDef: string &default="" &log;
+ rdfp_string: string &default="" &log;
+ rdfp_hash: string &default="" &log;
+};
 redef record connection += {
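Review bot: PATCH 3/4 and PATCH 4/4 are both generated against the same pre-image (both `index` lines start from `a192013`), and PATCH 4/4's second hunk repeats this patch's `-[0x10] = "RDSAAD"` / `+[16] = "RDSAAD"` change, so the series does not apply in order: after this patch the line already reads `[16]` and PATCH 4/4's hunk will fail to find `[0x10]`. Either drop this patch from the series or rebase PATCH 4/4 onto `1cb2959` so each patch builds on the previous one.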
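Review bot: The new side of this hunk deletes `redef enum Log::ID += { RDFP };` from the `export` block and nothing in the patch adds it back, yet the second hunk's new `rdp_begin_encryption` body still calls `Log::write(RDPrinting::RDFP, c$rdfp)`, so the script would fail to load with an unknown identifier. The 73/73 diffstat is fully accounted for by the two hunks shown, so the enum value is not re-declared elsewhere in this patch; unless it already exists in an untouched part of the file, restore `redef enum Log::ID += { RDFP };` inside `export { ... }`. The `RDPFPStorage` record was already declared after the closing `}` of the export block on the old side, so only its indentation changes there.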
@@ -48,77 +46,79 @@ redef negproto += {
 [6] = "undef6",
 [7] = "undef8",
 [8] = "HYBRID-EX",
- [0x10] = "RDSAAD"
+ [16] = "RDSAAD"
 };
 event rdp_connect_request(c: connection, cookie: string) &priority=5
-{
-if ( !c?$rdfp )
- c$rdfp = RDPFPStorage();
-c$rdfp$id = c$id;
-c$rdfp$cookie = cookie;
-}
+ {
+ if ( !c?$rdfp )
+ c$rdfp = RDPFPStorage();
+
+ c$rdfp$id = c$id;
+ c$rdfp$cookie = cookie;
+ }
 event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5
-{
-if ( !c?$rdfp )
- c$rdfp = RDPFPStorage();
+ {
+ if ( !c?$rdfp )
+ c$rdfp = RDPFPStorage();
-c$rdfp$verMajor = data$version_major;
-c$rdfp$verMinor = data$version_minor;
-}
+ c$rdfp$verMajor = data$version_major;
+ c$rdfp$verMinor = data$version_minor;
+ }
 event rdp_client_cluster_data(c: connection, data: RDP::ClientClusterData)
-{
-if ( !c?$rdfp )
- c$rdfp = RDPFPStorage();
-c$rdfp$clusterFlags = fmt("%08x",data$flags);
-}
+ {
+ if ( !c?$rdfp )
+ c$rdfp = RDPFPStorage();
+
+ c$rdfp$clusterFlags = fmt("%08x",data$flags);
+ }
 event rdp_client_security_data(c: connection, data: RDP::ClientSecurityData)
-{
-if ( !c?$rdfp )
- c$rdfp = RDPFPStorage();
-local encMethod = fmt("%08x",data$encryption_methods);
-c$rdfp$encMethods = encMethod;
-c$rdfp$extEncMethods = fmt("%08x",data$ext_encryption_methods);
-}
+ {
+ if ( !c?$rdfp )
+ c$rdfp = RDPFPStorage();
+ local encMethod = fmt("%08x",data$encryption_methods);
+ c$rdfp$encMethods = encMethod;
+ c$rdfp$extEncMethods = fmt("%08x",data$ext_encryption_methods);
+ }
-event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
-{
-if ( !c?$rdfp )
- c$rdfp = RDPFPStorage();
-for ( i in channels ) {
- if ( c$rdfp$channelDef == "" )
- {
- c$rdfp$channelDef = fmt("%s:%08x", gsub(channels[i]$name,/\x00/,""), channels[i]$options);
- }
- else {
- c$rdfp$channelDef += fmt("%s%s:%08x", sep, gsub(channels[i]$name,/\x00/,""), channels[i]$options);
-
- }
- }
-}
-## RDFP = md5(verMajor;verMinor;clusterFlags;encryptionMethods;extEncMethods;channelDef)
+event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
+ {
+ if ( !c?$rdfp )
+ c$rdfp = RDPFPStorage();
+
+ for ( i in channels )
+ {
+ if ( c$rdfp$channelDef == "" )
+ c$rdfp$channelDef = fmt("%s:%08x", gsub(channels[i]$name,/\x00/,""), channels[i]$options);
+ else
+ c$rdfp$channelDef += fmt("%s%s:%08x", sep, gsub(channels[i]$name,/\x00/,""), channels[i]$options);
+ }
+ }
 event rdp_begin_encryption(c: connection, security_protocol: count)
-{
-if ( !c?$rdfp )
- c$rdfp = RDPFPStorage();
-local myproto = cat(negproto[security_protocol]);
-if( c?$rdfp ) {
-local rdfp_string = join_string_vec(vector(cat(c$rdfp$verMajor),
- cat(c$rdfp$verMinor),
- c$rdfp$encMethods,
- c$rdfp$clusterFlags,
- cat(c$rdfp$extEncMethods),
- c$rdfp$channelDef
- ), rdfp_sep);
-c$rdfp$rdfp_hash = md5_hash(rdfp_string);
-c$rdfp$rdfp_string = rdfp_string;
-c$rdfp$id = c$id;
- Log::write(RDPrinting::RDFP, c$rdfp);
- }
-}
+ {
+ if ( !c?$rdfp )
+ c$rdfp = RDPFPStorage();
+
+ local myproto = cat(negproto[security_protocol]);
+
+ if ( c?$rdfp )
+ {
+ local rdfp_string = join_string_vec(vector(cat(c$rdfp$verMajor),
+ cat(c$rdfp$verMinor),
+ c$rdfp$encMethods,
+ c$rdfp$clusterFlags,
+ cat(c$rdfp$extEncMethods),
+ c$rdfp$channelDef
+ ), rdfp_sep);
+ c$rdfp$rdfp_hash = md5_hash(rdfp_string);
+ c$rdfp$rdfp_string = rdfp_string;
+ c$rdfp$id = c$id;
+ Log::write(RDPrinting::RDFP, c$rdfp);
+ }
+ }
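Review bot: `local myproto = cat(negproto[security_protocol]);` in the new `rdp_begin_encryption` body indexes the table with a value that comes straight from the negotiated RDP exchange without a membership check; for any protocol value not in `negproto` (anything other than 0–8 and 16) Zeek raises a runtime error and aborts the handler, so the fingerprint is neither hashed nor logged precisely for the unusual clients a defender most wants recorded, and `myproto` is not used anywhere in the hunk anyway. Either delete that line or guard the lookup with `if ( security_protocol in negproto )`. The `if ( c?$rdfp )` that follows is always true after the guard a few lines above that assigns `c$rdfp`, so the nested block can be flattened. The old `## RDFP = md5(verMajor;verMinor;clusterFlags;encryptionMethods;extEncMethods;channelDef)` comment is removed together with the old `rdp_client_network_data` and never re-added; restore it above `rdp_begin_encryption`, and while doing so make its field order match the `join_string_vec` call, which joins `encMethods` before `clusterFlags`.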