base/protocols/rdp/main.zeek

RDP
Implements base functionality for RDP analysis. Generates the rdp.log file.
Namespace: RDP
Imports: base/protocols/rdp/consts.zeek
Summary

Runtime Options

- RDP::disable_analyzer_after_detection: bool &redef
  If true, detach the RDP analyzer from the connection once the session has been logged, so that Zeek does not keep processing the encrypted traffic that follows.
- RDP::rdp_check_interval: interval &redef
  The amount of time to monitor an RDP session from when it is first identified; once it has elapsed, the collected record is written to rdp.log.

Redefinitions

- Log::ID: enum
- RDP::Info: record
- connection: record
- likely_server_ports: set &redef

Events

- RDP::log_rdp: event
  Event that can be handled to access the rdp record as it is sent on to the logging framework.
Detailed Interface

Runtime Options

Types
RDP::Info

Type: record

- ts: time &log
  Timestamp for when the event happened.
- uid: string &log
  Unique ID for the connection.
- id: conn_id &log
  The connection's 4-tuple of endpoint addresses/ports.
- cookie: string &log &optional
  Cookie value used by the client machine. This is typically a username. It is carried in the initial X.224 connection request, before any TLS handshake, so it is visible regardless of the security protocol negotiated later.
- result: string &log &optional
  Status result for the connection. It is a mix of RDP negotiation failure messages and GCC server create response messages.
- security_protocol: string &log &optional
  Security protocol chosen by the server.
- client_channels: vector of string &log &optional
  The channels requested by the client.
- keyboard_layout: string &log &optional
  Keyboard layout (language) of the client machine.
- client_build: string &log &optional
  RDP client version used by the client machine.
- client_name: string &log &optional
  Name of the client machine.
- client_dig_product_id: string &log &optional
  Product ID of the client machine.
- desktop_width: count &log &optional
  Desktop width of the client machine.
- desktop_height: count &log &optional
  Desktop height of the client machine.
- requested_color_depth: string &log &optional
  The color depth requested by the client in the high_color_depth field.
- cert_type: string &log &optional
  If the connection is being encrypted with native RDP encryption, this is the type of cert being used.
- cert_count: count &log &default = 0 &optional
  The number of certs seen. X.509 can transfer an entire certificate chain.
- cert_permanent: bool &log &optional
  Indicates if the provided certificate or certificate chain is permanent or temporary.
- encryption_level: string &log &optional
  Encryption level of the connection.
- encryption_method: string &log &optional
  Encryption method of the connection.
- analyzer_id: count &optional
  The analyzer ID used for the analyzer instance attached to each connection. It is not used for logging since it is a meaningless arbitrary number.
- done: bool &default = F &optional
  Track status of logging RDP connections.
- ssl: bool &log &default = F &optional
  (present if policy/protocols/rdp/indicate_ssl.zeek is loaded)
  Flag the connection if it was seen over SSL.
- ts:
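The following Python is an added example, not part of Zeek or of this documentation. It parses a constructed rdp.log in Zeek's default TSV output (typing each column from the #fields/#types headers, which correspond to the &log fields of RDP::Info above) and then applies two checks a practitioner commonly wants on these fields: sessions whose negotiated security deserves review (security_protocol of standard RDP security, a weak encryption_level, or a temporary server certificate), and originators that presented many distinct cookies, i.e. usernames. The log lines, UIDs and addresses are constructed; the string values used for security_protocol, encryption_level and result ("RDP", "HYBRID", "Client compatible", "Success") are assumed to follow the names in base/protocols/rdp/consts.zeek, and the optional ssl column from indicate_ssl.zeek is left out.

```python
"""Parse a Zeek rdp.log (default TSV output) and check the RDP::Info fields.
Example code added to this page; it is not part of Zeek."""
from collections import defaultdict

# Constructed sample log (not real traffic). Columns are the &log fields of
# RDP::Info; the 'ssl' column from policy/protocols/rdp/indicate_ssl.zeek is absent.
SAMPLE_RDP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\trdp
#open\t2024-01-01-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie\tresult\tsecurity_protocol\tclient_channels\tkeyboard_layout\tclient_build\tclient_name\tclient_dig_product_id\tdesktop_width\tdesktop_height\trequested_color_depth\tcert_type\tcert_count\tcert_permanent\tencryption_level\tencryption_method
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tvector[string]\tstring\tstring\tstring\tstring\tcount\tcount\tstring\tstring\tcount\tbool\tstring\tstring
1704067200.100000\tCAbc1\t10.0.0.5\t51000\t10.0.0.20\t3389\talice\tSuccess\tHYBRID\trdpdr,rdpsnd,cliprdr\tEnglish - United States\tRDP 8.1\tWS01\t-\t1920\t1080\t24bit\t-\t0\t-\t-\t-
1704067201.200000\tCAbc2\t10.0.0.5\t51001\t10.0.0.21\t3389\tbob\tSuccess\tRDP\trdpdr,rdpsnd\tEnglish - United States\tRDP 5.2\tWS01\t-\t1024\t768\t16bit\tRSA\t1\tF\tClient compatible\t128bit
1704067202.300000\tCAbc3\t10.0.0.9\t40000\t10.0.0.21\t3389\tadministrator\t-\t-\t-\t-\t-\t-\t-\t-\t-\t-\t-\t0\t-\t-\t-
1704067202.400000\tCAbc4\t10.0.0.9\t40001\t10.0.0.21\t3389\troot\t-\t-\t-\t-\t-\t-\t-\t-\t-\t-\t-\t0\t-\t-\t-
1704067202.500000\tCAbc5\t10.0.0.9\t40002\t10.0.0.21\t3389\tsvc_backup\t-\t-\t-\t-\t-\t-\t-\t-\t-\t-\t-\t0\t-\t-\t-
#close\t2024-01-01-00-00-01
"""


def _convert(value, ztype, unset, empty, set_sep):
    """Convert one TSV column according to its #types entry."""
    if value == unset:
        return None
    if ztype.startswith(("vector[", "set[")):
        if value == empty:
            return []
        inner = ztype[ztype.index("[") + 1:-1]
        return [_convert(v, inner, unset, empty, set_sep) for v in value.split(set_sep)]
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value


def parse_rdp_log(text):
    """Return one dict per log line, typed via the #fields/#types headers."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Zeek writes the separator escaped, e.g. "\x09" for a tab.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = val
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue
        values = line.split(sep)
        if fields is None or types is None or len(values) != len(fields):
            raise ValueError("malformed rdp.log line: %r" % line)
        records.append({f: _convert(v, t, unset, empty, set_sep)
                        for f, v, t in zip(fields, values, types)})
    return records


# Assumed value names (from consts.zeek): "RDP" = standard RDP security, i.e.
# no TLS; encryption_level "None"/"Low" = weak or absent native encryption.
WEAK_ENCRYPTION_LEVELS = {"None", "Low"}


def weak_security_sessions(records):
    """Map uid -> reasons for sessions whose negotiated security deserves review."""
    flagged = {}
    for r in records:
        reasons = []
        if r["security_protocol"] == "RDP":
            reasons.append("standard RDP security, no TLS")
        if r["encryption_level"] in WEAK_ENCRYPTION_LEVELS:
            reasons.append("encryption_level " + r["encryption_level"])
        if r["cert_permanent"] is False:
            reasons.append("temporary server certificate")
        if reasons:
            flagged[r["uid"]] = reasons
    return flagged


def many_cookies_per_source(records, threshold=3):
    """Originators that sent at least `threshold` distinct cookies (usernames).

    The cookie is in the X.224 connection request, before any TLS handshake,
    so it is logged whatever security protocol is negotiated afterwards; many
    different usernames from one source is a password-spray signal."""
    seen = defaultdict(set)
    for r in records:
        if r["cookie"] is not None:
            seen[r["id.orig_h"]].add(r["cookie"])
    return {src: sorted(c) for src, c in seen.items() if len(c) >= threshold}


if __name__ == "__main__":
    recs = parse_rdp_log(SAMPLE_RDP_LOG)
    for uid, why in weak_security_sessions(recs).items():
        print(uid, "; ".join(why))
    for src, names in many_cookies_per_source(recs).items():
        print(src, "distinct cookies:", ", ".join(names))
```

On the constructed sample, CAbc2 is flagged twice (standard RDP security and a temporary certificate), while the HYBRID session CAbc1 carries no certificate fields at all because the analyzer hands off to TLS; 10.0.0.9 is reported for three distinct cookies across connections that never reached a logged result. The thresholds and value names are assumptions to adjust against your own consts.zeek and environment.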