base/protocols/rdp/main.zeek
- RDP
Implements base functionality for RDP analysis. Generates the rdp.log file.
- Namespace: RDP
- Imports: base/protocols/conn/removal-hooks.zeek, base/protocols/rdp/consts.zeek
Summary
Runtime Options
- RDP::disable_analyzer_after_detection: If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.
- RDP::rdp_check_interval: The amount of time to monitor an RDP session from when it is first identified.
Types
- RDP::Info: The record type written to rdp.log.
Redefinitions
Events
- RDP::log_rdp: Event that can be handled to access the rdp record as it is sent on to the logging framework.
Hooks
- RDP::finalize_rdp: RDP finalization hook.
Detailed Interface
Runtime Options
- RDP::disable_analyzer_after_detection
  If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.
- RDP::rdp_check_interval
  The amount of time to monitor an RDP session from when it is first identified. When this interval is reached, the session is logged.
Types
- RDP::Info
  Type: record
  - ts: time &log
    Timestamp for when the event happened.
  - uid: string &log
    Unique ID for the connection.
  - id: conn_id &log
    The connection's 4-tuple of endpoint addresses/ports.
  - cookie: string &log &optional
    Cookie value used by the client machine. This is typically a username.
  - result: string &log &optional
    Status result for the connection. It's a mix between RDP negotiation failure messages and GCC server create response messages.
  - security_protocol: string &log &optional
    Security protocol chosen by the server.
  - client_channels: vector of string &log &optional
    The channels requested by the client.
  - keyboard_layout: string &log &optional
    Keyboard layout (language) of the client machine.
  - client_build: string &log &optional
    RDP client version used by the client machine.
  - client_name: string &log &optional
    Name of the client machine.
  - client_dig_product_id: string &log &optional
    Product ID of the client machine.
  - desktop_width: count &log &optional
    Desktop width of the client machine.
  - desktop_height: count &log &optional
    Desktop height of the client machine.
  - requested_color_depth: string &log &optional
    The color depth requested by the client in the high_color_depth field.
  - cert_type: string &log &optional
    If the connection is being encrypted with native RDP encryption, this is the type of cert being used.
  - cert_count: count &log &default = 0 &optional
    The number of certs seen. X.509 can transfer an entire certificate chain.
  - cert_permanent: bool &log &optional
    Indicates if the provided certificate or certificate chain is permanent or temporary.
  - encryption_level: string &log &optional
    Encryption level of the connection.
  - encryption_method: string &log &optional
    Encryption method of the connection.
  - analyzer_id: count &optional
    The analyzer ID used for the analyzer instance attached to each connection. It is not used for logging since it's a meaningless arbitrary number.
  - done: bool &default = F &optional
    Track status of logging RDP connections.
  - ssl: bool &log &default = F &optional
    (present if policy/protocols/rdp/indicate_ssl.zeek is loaded)
    Flag the connection if it was seen over SSL.
Events
- RDP::log_rdp
  Event that can be handled to access the rdp record as it is sent on to the logging framework.
Hooks
- RDP::finalize_rdp
  Type: hook
  RDP finalization hook. Remaining RDP info may get logged when it's called.
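As an added example of consuming this interface (it is not part of the Zeek distribution or of main.zeek), the script below handles RDP::log_rdp and raises a notice for servers in a monitored range that negotiated native RDP encryption instead of TLS, relying on the documented fact that cert_type is only populated for natively encrypted sessions. The module name, the notice type and the monitored_nets value are assumptions chosen for the example.

```zeek
##! Added example, not part of base/protocols/rdp: flag RDP servers that
##! negotiated native RDP encryption (no TLS), using only RDP::Info fields.

@load base/protocols/rdp
@load base/frameworks/notice

module RDP_Native_Encryption;  # hypothetical module name

export {
	redef enum Notice::Type += {
		## Server chose native RDP encryption; the cert_* fields were set.
		Native_Encryption,
	};

	## Servers that are expected to use TLS for RDP. Constructed value;
	## adjust for the monitored environment.
	const monitored_nets: set[subnet] = { 10.0.0.0/8 } &redef;
}

event RDP::log_rdp(rec: RDP::Info)
	{
	# Per the RDP::Info documentation, cert_type is only present when the
	# connection is encrypted with native RDP encryption rather than TLS.
	if ( ! rec?$cert_type )
		return;

	if ( rec$id$resp_h !in monitored_nets )
		return;

	local level = rec?$encryption_level ? rec$encryption_level : "unknown";
	local method = rec?$encryption_method ? rec$encryption_method : "unknown";
	local permanent = rec?$cert_permanent ? rec$cert_permanent : F;

	NOTICE([$note=Native_Encryption,
	        $msg=fmt("RDP server %s used native RDP encryption (level=%s, method=%s, cert=%s x%d, permanent=%s)",
	                 rec$id$resp_h, level, method, rec$cert_type, rec$cert_count, permanent),
	        # The cookie is typically the username offered by the client.
	        $sub=rec?$cookie ? rec$cookie : "",
	        $uid=rec$uid,
	        $id=rec$id,
	        # Suppress repeats per server and encryption level.
	        $identifier=cat(rec$id$resp_h, level)]);
	}
```

Because the notice is generated from the finished RDP::Info record, it fires once per session after RDP::rdp_check_interval has elapsed or the connection has ended, so the cert_count and encryption fields are as complete as the analyzer saw them.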