main.zeek¶

RDP¶

Implements base functionality for RDP analysis. Generates the rdp.log file.

Namespace:	RDP
Imports:	base/protocols/rdp/consts.zeek

Summary¶

Runtime Options¶

`RDP::disable_analyzer_after_detection`: `bool` `&redef`	If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.
`RDP::rdp_check_interval`: `interval` `&redef`	The amount of time to monitor an RDP session from when it is first identified.

Types¶

RDP::Info: record

Redefinitions¶

`Log::ID`: `enum`
`RDP::Info`: `record`
`connection`: `record`
`likely_server_ports`: `set` `&redef`

Events¶

RDP::log_rdp: event Event that can be handled to access the rdp record as it is sent on to the logging framework.

Detailed Interface¶

Runtime Options¶

RDP::disable_analyzer_after_detection¶

Type:	`bool`
Attributes:	`&redef`
Default:	`F`

If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.

RDP::rdp_check_interval¶

Type:	`interval`
Attributes:	`&redef`
Default:	`10.0 secs`

The amount of time to monitor an RDP session from when it is first identified. When this interval is reached, the session is logged.

Types¶

RDP::Info¶

Type:

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

cookie: string &log &optional

Cookie value used by the client machine. This is typically a username.

result: string &log &optional

Status result for the connection. It’s a mix between RDP negotation failure messages and GCC server create response messages.

security_protocol: string &log &optional

Security protocol chosen by the server.

keyboard_layout: string &log &optional

Keyboard layout (language) of the client machine.

client_build: string &log &optional

RDP client version used by the client machine.

client_name: string &log &optional

Name of the client machine.

client_dig_product_id: string &log &optional

Product ID of the client machine.

desktop_width: count &log &optional

Desktop width of the client machine.

desktop_height: count &log &optional

Desktop height of the client machine.

requested_color_depth: string &log &optional

The color depth requested by the client in the high_color_depth field.

cert_type: string &log &optional

If the connection is being encrypted with native RDP encryption, this is the type of cert being used.

cert_count: count &log &default = 0 &optional

The number of certs seen. X.509 can transfer an entire certificate chain.

cert_permanent: bool &log &optional

Indicates if the provided certificate or certificate chain is permanent or temporary.

encryption_level: string &log &optional

Encryption level of the connection.

encryption_method: string &log &optional

Encryption method of the connection.

analyzer_id: count &optional

The analyzer ID used for the analyzer instance attached to each connection. It is not used for logging since it’s a meaningless arbitrary number.

done: bool &default = F &optional

Track status of logging RDP connections.

ssl: bool &log &default = F &optional

(present if policy/protocols/rdp/indicate_ssl.zeek is loaded)

Flag the connection if it was seen over SSL.

Events¶

RDP::log_rdp¶

Type:	`event` (rec: `RDP::Info`)

Event that can be handled to access the rdp record as it is sent on to the logging framework.