base/bif/plugins/Zeek_RDP.events.bif.zeek
- Namespace: GLOBAL

Summary

Events
- rdp_begin_encryption: Generated when an RDP session becomes encrypted.
- rdp_client_cluster_data: Generated for client cluster data packets.
- rdp_client_core_data: Generated for MCS client requests.
- rdp_client_network_data: Generated for Client Network Data (TS_UD_CS_NET) packets.
- rdp_client_security_data: Generated for client security data packets.
- rdp_connect_request: Generated for X.224 client requests.
- rdp_gcc_server_create_response: Generated for MCS server responses.
- rdp_native_encrypted_data: Generated for each packet after RDP native encryption begins.
- rdp_negotiation_failure: Generated for RDP Negotiation Failure messages.
- rdp_negotiation_response: Generated for RDP Negotiation Response messages.
- rdp_server_certificate: Generated for a server certificate section.
- rdp_server_security: Generated for MCS server responses.
- rdpeudp_data: Generated for data messages exchanged after an RDPEUDP connection is established.
- rdpeudp_established: Generated when RDPEUDP connections are established (both sides SYN).
- rdpeudp_syn: Generated for RDPEUDP SYN UDP datagrams.
- rdpeudp_synack: Generated for RDPEUDP SYNACK UDP datagrams.
Detailed Interface
Events
- rdp_begin_encryption
- Type: event (c: connection, security_protocol: count)
Generated when an RDP session becomes encrypted.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
security_protocol – The security protocol being used for the session.
- rdp_client_cluster_data
- Type: event (c: connection, data: RDP::ClientClusterData)
Generated for client cluster data packets.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
data – The data contained in the client security data structure.
- rdp_client_core_data
- Type: event (c: connection, data: RDP::ClientCoreData)
Generated for MCS client requests.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
data – The data contained in the client core data structure.
- rdp_client_network_data
- Type: event (c: connection, channels: RDP::ClientChannelList)
Generated for Client Network Data (TS_UD_CS_NET) packets.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
channels – The channels that were requested.
- rdp_client_security_data
- Type: event (c: connection, data: RDP::ClientSecurityData)
Generated for client security data packets.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
data – The data contained in the client security data structure.
- rdp_connect_request
- Type: event (c: connection, cookie: string, flags: count)
- Type: event (c: connection, cookie: string)
Generated for X.224 client requests.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
cookie – The cookie included in the request; empty if no cookie was provided.
flags – The flags set by the client.
- rdp_gcc_server_create_response
- Type: event (c: connection, result: count)
Generated for MCS server responses.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
result – The 8-bit integer representing the GCC Conference Create Response result.
- rdp_native_encrypted_data
- Type: event (c: connection, orig: bool, len: count)
Generated for each packet after RDP native encryption begins.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
orig – True if the packet was sent by the originator of the connection.
len – The length of the encrypted data.
- rdp_negotiation_failure
- Type: event (c: connection, failure_code: count, flags: count)
- Type: event (c: connection, failure_code: count)
Generated for RDP Negotiation Failure messages.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
failure_code – The failure code sent by the server.
flags – The flags set by the server.
- rdp_negotiation_response
- Type: event (c: connection, security_protocol: count, flags: count)
- Type: event (c: connection, security_protocol: count)
Generated for RDP Negotiation Response messages.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
security_protocol – The security protocol selected by the server.
flags – The flags set by the server.
- rdp_server_certificate
- Type: event (c: connection, cert_type: count, permanently_issued: bool)
Generated for a server certificate section. If multiple X.509 certificates are included in the chain, this event will still only be generated a single time.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
cert_type – Indicates the type of certificate.
permanently_issued – Value will be true if the certificate(s) is permanent on the server.
- rdp_server_security
- Type: event (c: connection, encryption_method: count, encryption_level: count)
Generated for MCS server responses.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
encryption_method – The 32-bit integer representing the encryption method used in the connection.
encryption_level – The 32-bit integer representing the encryption level used in the connection.
- rdpeudp_data
- Type: event (c: connection, is_orig: bool, version: count, data: string)
Generated for data messages exchanged after an RDPEUDP connection is established.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
is_orig – Whether the data was sent by the originator or responder of the connection.
version – Whether the connection is RDPEUDP1 or RDPEUDP2.
data – The payload of the packet. This is probably very non-performant.
- rdpeudp_established
- Type: event (c: connection, version: count)
Generated when RDPEUDP connections are established (both sides SYN).
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
version – Whether the connection is RDPEUDP1 or RDPEUDP2.
- rdpeudp_syn
- Type: event (c: connection)
Generated for RDPEUDP SYN UDP datagrams.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
- rdpeudp_synack
- Type: event (c: connection)
Generated for RDPEUDP SYNACK UDP datagrams.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
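As an added illustration of how a defender consumes these events (this script is not part of the Zeek distribution and does not appear on this page), the following Zeek script raises a notice when a server's rdp_negotiation_response selects standard RDP security rather than TLS or CredSSP, and when rdp_server_security on such a session announces an encryption level below HIGH. The module name, the notice types, the per-connection table, and the numeric PROTOCOL_* and ENCRYPTION_LEVEL_* constants (taken from MS-RDPBCGR, not from this page) are all assumptions of this example.

```zeek
##! Added example, not part of the Zeek distribution: raise notices for RDP
##! sessions that fall back to legacy standard RDP security or announce a weak
##! encryption level. Builds only on the events documented on this page.

@load base/frameworks/notice
@load base/protocols/rdp

module RDPWeakCrypto;

export {
    redef enum Notice::Type += {
        ## The server chose standard RDP security (no TLS, no CredSSP).
        Legacy_Security_Protocol,
        ## A standard-RDP-security session announced an encryption level below HIGH.
        Weak_Encryption_Level,
    };

    ## selectedProtocol values from MS-RDPBCGR 2.2.1.2.1 (assumed; not on this page).
    const PROTOCOL_RDP: count = 0x00;
    const PROTOCOL_SSL: count = 0x01;
    const PROTOCOL_HYBRID: count = 0x02;
    const PROTOCOL_HYBRID_EX: count = 0x08;

    ## encryptionLevel values from TS_UD_SC_SEC1, MS-RDPBCGR 2.2.1.4.3 (assumed).
    const ENCRYPTION_LEVEL_NONE: count = 0;
    const ENCRYPTION_LEVEL_LOW: count = 1;
    const ENCRYPTION_LEVEL_CLIENT_COMPATIBLE: count = 2;
    const ENCRYPTION_LEVEL_HIGH: count = 3;
    const ENCRYPTION_LEVEL_FIPS: count = 4;

    ## Decide whether a session's crypto is weak. TLS/CredSSP protect the
    ## channel regardless of the legacy level, so only PROTOCOL_RDP sessions
    ## are judged on encryption_level.
    global weak_session: function(sec_proto: count, enc_level: count): bool;
}

## Protocol selected by the server, per connection (example-local state).
## A session that never produced rdp_negotiation_response is treated as
## standard RDP security, which is what MS-RDPBCGR implies when the
## negotiation exchange is skipped (assumption of this example).
global negotiated: table[conn_id] of count &create_expire=10min;

function weak_session(sec_proto: count, enc_level: count): bool
    {
    if ( sec_proto != PROTOCOL_RDP )
        return F;
    return enc_level < ENCRYPTION_LEVEL_HIGH;
    }

event rdp_negotiation_response(c: connection, security_protocol: count, flags: count)
    {
    negotiated[c$id] = security_protocol;

    if ( security_protocol == PROTOCOL_RDP )
        NOTICE([$note=Legacy_Security_Protocol,
                $conn=c,
                $msg=fmt("RDP server %s selected standard RDP security instead of TLS/CredSSP",
                         c$id$resp_h),
                $identifier=cat(c$id$resp_h)]);
    }

event rdp_server_security(c: connection, encryption_method: count, encryption_level: count)
    {
    local proto = c$id in negotiated ? negotiated[c$id] : PROTOCOL_RDP;

    if ( weak_session(proto, encryption_level) )
        NOTICE([$note=Weak_Encryption_Level,
                $conn=c,
                $msg=fmt("RDP server %s announced encryption level %d (method 0x%x) on a standard RDP security session",
                         c$id$resp_h, encryption_level, encryption_method),
                $identifier=cat(c$id$resp_h)]);
    }

event connection_state_remove(c: connection)
    {
    if ( c$id in negotiated )
        delete negotiated[c$id];
    }
```

Run it against a capture with `zeek -r capture.pcap rdp_weak_crypto.zeek` (file name assumed); matches appear in notice.log. The check has to happen at these two events because once rdp_begin_encryption fires, the only signal left on a standard-RDP-security session is rdp_native_encrypted_data, which exposes the direction and length of each packet and nothing else.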