base/bif/plugins/Zeek_RDP.events.bif.zeek

Namespace: GLOBAL

Summary

Events

rdp_begin_encryption: event

Generated when an RDP session becomes encrypted.

rdp_client_cluster_data: event

Generated for client cluster data packets.

rdp_client_core_data: event

Generated for MCS client requests.

rdp_client_network_data: event

Generated for Client Network Data (TS_UD_CS_NET) packets.

rdp_client_security_data: event

Generated for client security data packets.

rdp_connect_request: event

Generated for X.224 client requests.

rdp_gcc_server_create_response: event

Generated for MCS server responses.

rdp_native_encrypted_data: event

Generated for each packet after RDP native encryption begins.

rdp_negotiation_failure: event

Generated for RDP Negotiation Failure messages.

rdp_negotiation_response: event

Generated for RDP Negotiation Response messages.

rdp_server_certificate: event

Generated for a server certificate section.

rdp_server_security: event

Generated for MCS server responses.

rdpeudp_data: event

Generated for data messages exchanged after an RDPEUDP connection is established.

rdpeudp_established: event

Generated when an RDPEUDP connection is established (both sides have sent SYN).

rdpeudp_syn: event

Generated for an RDPEUDP SYN UDP datagram.

rdpeudp_synack: event

Generated for an RDPEUDP SYNACK UDP datagram.

Detailed Interface

Events

rdp_begin_encryption
Type

event (c: connection, security_protocol: count)

Generated when an RDP session becomes encrypted.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • security_protocol – The security protocol being used for the session.

rdp_client_cluster_data
Type

event (c: connection, data: RDP::ClientClusterData)

Generated for client cluster data packets.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • data – The data contained in the client cluster data structure.

rdp_client_core_data
Type

event (c: connection, data: RDP::ClientCoreData)

Generated for MCS client requests.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • data – The data contained in the client core data structure.

rdp_client_network_data
Type

event (c: connection, channels: RDP::ClientChannelList)

Generated for Client Network Data (TS_UD_CS_NET) packets.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • channels – The channels that were requested.

rdp_client_security_data
Type

event (c: connection, data: RDP::ClientSecurityData)

Generated for client security data packets.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • data – The data contained in the client security data structure.

rdp_connect_request
Type

event (c: connection, cookie: string, flags: count)

event (c: connection, cookie: string)

Generated for X.224 client requests.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • cookie – The cookie included in the request.

  • flags – The flags set by the client.

rdp_gcc_server_create_response
Type

event (c: connection, result: count)

Generated for MCS server responses.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • result – The 8-bit integer representing the GCC Conference Create Response result.

rdp_native_encrypted_data
Type

event (c: connection, orig: bool, len: count)

Generated for each packet after RDP native encryption begins.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • orig – True if the packet was sent by the originator of the connection.

  • len – The length of the encrypted data.

rdp_negotiation_failure
Type

event (c: connection, failure_code: count, flags: count)

event (c: connection, failure_code: count)

Generated for RDP Negotiation Failure messages.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • failure_code – The failure code sent by the server.

  • flags – The flags set by the server.

rdp_negotiation_response
Type

event (c: connection, security_protocol: count, flags: count)

event (c: connection, security_protocol: count)

Generated for RDP Negotiation Response messages.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • security_protocol – The security protocol selected by the server.

  • flags – The flags set by the server.

rdp_server_certificate
Type

event (c: connection, cert_type: count, permanently_issued: bool)

Generated for a server certificate section. If multiple X.509 certificates are included in the chain, this event is still generated only once.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • cert_type – Indicates the type of certificate.

  • permanently_issued – True if the certificate(s) are permanent on the server.

rdp_server_security
Type

event (c: connection, encryption_method: count, encryption_level: count)

Generated for MCS server responses.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • encryption_method – The 32-bit integer representing the encryption method used in the connection.

  • encryption_level – The 32-bit integer representing the encryption level used in the connection.
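As an added example (not part of Zeek or this analyzer's code), the following policy script handles rdp_negotiation_response and rdp_server_security, documented above, and raises notices when a server selects legacy Standard RDP Security or offers weak native encryption. The numeric constants are taken from MS-RDPBCGR and are not documented on this page; the module name, notice types and thresholds are assumptions of this example.

```zeek
##! Added example script (not part of Zeek): raise notices when an RDP
##! server negotiates legacy Standard RDP Security or weak native encryption.

@load base/frameworks/notice
@load base/protocols/rdp

module RDP_Weak;   # hypothetical module name

export {
    redef enum Notice::Type += {
        ## Server selected PROTOCOL_RDP (no TLS/CredSSP) in its negotiation response.
        Standard_RDP_Security,
        ## Server advertised a 40/56-bit method or the LOW encryption level.
        Weak_Native_Encryption,
    };

    ## selectedProtocol value for Standard RDP Security (MS-RDPBCGR; assumed, not on this page).
    const PROTOCOL_RDP: count = 0x00000000;

    ## encryptionMethod flags treated as weak: 40-bit (0x1) and 56-bit (0x8), per MS-RDPBCGR.
    const weak_methods: set[count] = { 0x00000001, 0x00000008 } &redef;

    ## encryptionLevel LOW (1): only client-to-server traffic is encrypted.
    const ENCRYPTION_LEVEL_LOW: count = 1;
}

event rdp_negotiation_response(c: connection, security_protocol: count, flags: count)
    {
    # $identifier collapses repeated notices for the same server within the
    # notice framework's default suppression interval.
    if ( security_protocol == PROTOCOL_RDP )
        NOTICE([$note=Standard_RDP_Security, $conn=c,
                $msg=fmt("RDP server %s selected Standard RDP Security (no TLS)", c$id$resp_h),
                $identifier=cat(c$id$resp_h)]);
    }

event rdp_server_security(c: connection, encryption_method: count, encryption_level: count)
    {
    # Server Security Data is only visible to Zeek when the MCS exchange is not
    # wrapped in TLS, so reaching this handler already implies native RDP encryption.
    if ( encryption_method in weak_methods || encryption_level == ENCRYPTION_LEVEL_LOW )
        NOTICE([$note=Weak_Native_Encryption, $conn=c,
                $msg=fmt("RDP server %s offered encryption method 0x%x at level %d",
                         c$id$resp_h, encryption_method, encryption_level),
                $identifier=cat(c$id$resp_h, "/", encryption_method, "/", encryption_level)]);
    }
```

Load it alongside the default RDP scripts (for example via local.zeek) and the resulting notices appear in notice.log with the server address and negotiated values.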

rdpeudp_data
Type

event (c: connection, is_orig: bool, version: count, data: string)

Generated for data messages exchanged after an RDPEUDP connection is established.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • is_orig – Whether the data was sent by the originator or responder of the connection.

  • version – Whether the connection is RDPEUDP1 or RDPEUDP2.

  • data – The payload of the packet. Passing the full payload into the event is probably very costly in performance.

rdpeudp_established
Type

event (c: connection, version: count)

Generated when an RDPEUDP connection is established (both sides have sent SYN).

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

  • version – Whether the connection is RDPEUDP1 or RDPEUDP2.

rdpeudp_syn
Type

event (c: connection)

Generated for an RDPEUDP SYN UDP datagram.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.

rdpeudp_synack
Type

event (c: connection)

Generated for an RDPEUDP SYNACK UDP datagram.

Parameters
  • c – The connection record for the underlying transport-layer session/flow.