base/protocols/rdp/main.zeek

RDP

Implements base functionality for RDP analysis. Generates the rdp.log file.

Namespace:RDP
Imports:base/protocols/rdp/consts.zeek

Summary

Runtime Options

RDP::disable_analyzer_after_detection: bool &redef If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.
RDP::rdp_check_interval: interval &redef The amount of time to monitor an RDP session from when it is first identified.

Types

RDP::Info: record  

Events

RDP::log_rdp: event Event that can be handled to access the rdp record as it is sent on to the logging framework.

Detailed Interface

Runtime Options

RDP::disable_analyzer_after_detection
Type:bool
Attributes:&redef
Default:F

If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.

RDP::rdp_check_interval
Type:interval
Attributes:&redef
Default:10.0 secs

The amount of time to monitor an RDP session from when it is first identified. When this interval is reached, the session is logged.

Types

RDP::Info
Type:

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

cookie: string &log &optional

Cookie value used by the client machine. This is typically a username.

result: string &log &optional

Status result for the connection. It’s a mix between RDP negotiation failure messages and GCC server create response messages.

security_protocol: string &log &optional

Security protocol chosen by the server.

client_channels: vector of string &log &optional

The channels requested by the client.

keyboard_layout: string &log &optional

Keyboard layout (language) of the client machine.

client_build: string &log &optional

RDP client version used by the client machine.

client_name: string &log &optional

Name of the client machine.

client_dig_product_id: string &log &optional

Product ID of the client machine.

desktop_width: count &log &optional

Desktop width of the client machine.

desktop_height: count &log &optional

Desktop height of the client machine.

requested_color_depth: string &log &optional

The color depth requested by the client in the high_color_depth field.

cert_type: string &log &optional

If the connection is being encrypted with native RDP encryption, this is the type of cert being used.

cert_count: count &log &default = 0 &optional

The number of certs seen. X.509 can transfer an entire certificate chain.

cert_permanent: bool &log &optional

Indicates if the provided certificate or certificate chain is permanent or temporary.

encryption_level: string &log &optional

Encryption level of the connection.

encryption_method: string &log &optional

Encryption method of the connection.

analyzer_id: count &optional

The analyzer ID used for the analyzer instance attached to each connection. It is not used for logging since it’s a meaningless arbitrary number.

done: bool &default = F &optional

Track status of logging RDP connections.

ssl: bool &log &default = F &optional

(present if policy/protocols/rdp/indicate_ssl.zeek is loaded)

Flag the connection if it was seen over SSL.

Events

RDP::log_rdp
Type:event (rec: RDP::Info)

Event that can be handled to access the rdp record as it is sent on to the logging framework.
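The following policy script exercises both the runtime options documented above and the RDP::log_rdp event. It is an added example, not a script shipped with base/protocols/rdp or any other part of Zeek: the module name RDPAudit, the notice type Legacy_Security and the legacy_protocols set are introduced here for illustration. It assumes that base/protocols/rdp/consts.zeek renders the native-RDP security selection as the string "RDP" in the security_protocol field; check consts.zeek for the release you run before relying on that value.

```zeek
##! Example (not part of Zeek): tune the RDP analyzer's runtime options and
##! raise a notice for sessions that negotiated legacy native RDP security
##! rather than TLS or CredSSP.

@load base/protocols/rdp
@load base/frameworks/notice

module RDPAudit;

export {
	redef enum Notice::Type += {
		## Raised when the server selected a legacy (native RDP) security
		## protocol for the session.
		Legacy_Security,
	};

	## security_protocol values treated as legacy. "RDP" is assumed to be
	## the string consts.zeek uses for the native-RDP selection; verify this
	## against your Zeek release.
	const legacy_protocols: set[string] = { "RDP" } &redef;
}

# Monitor each session a bit longer than the 10 sec default so the server's
# security selection has a better chance of being seen before the session
# is logged.
redef RDP::rdp_check_interval = 30sec;

# Once the session has been identified, detach the analyzer so Zeek does
# not keep feeding encrypted traffic through it.
redef RDP::disable_analyzer_after_detection = T;

event RDP::log_rdp(rec: RDP::Info)
	{
	# security_protocol is &optional: a session that failed before the
	# server responded, or that timed out early, will not carry one.
	if ( ! rec?$security_protocol )
		return;

	if ( rec$security_protocol !in legacy_protocols )
		return;

	local who = rec?$cookie ? rec$cookie : "<no cookie>";
	local host = rec?$client_name ? rec$client_name : "<unknown client>";

	NOTICE([$note=Legacy_Security,
	        $msg=fmt("RDP session using legacy security %s (cookie=%s, client=%s)",
	                 rec$security_protocol, who, host),
	        $uid=rec$uid,
	        $id=rec$id,
	        # One notice per client/server pair per hour is enough.
	        $identifier=cat(rec$id$orig_h, rec$id$resp_h),
	        $suppress_for=1hr]);
	}
```

Load the script alongside the base RDP analyzer (for example with `zeek -r capture.pcap local this_script.zeek`). Because RDP::log_rdp hands over the RDP::Info record rather than a connection record, the notice is populated from the record's uid and id fields instead of $conn.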