main.zeek

RDP

Implements base functionality for RDP analysis. Generates the rdp.log file.

Namespace:: RDP
Imports:: base/protocols/conn/removal-hooks.zeek, base/protocols/rdp/consts.zeek

Summary

Runtime Options

`RDP::disable_analyzer_after_detection`: `bool` `&redef`	If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.
`RDP::rdp_check_interval`: `interval` `&redef`	The amount of time to monitor an RDP session from when it is first identified.

Redefinable Options

`RDP::rdp_ports`: `set` `&redef`	Well-known ports for RDP.
`RDP::rdpeudp_ports`: `set` `&redef`	Well-known ports for RDP over UDP.

Types

RDP::Info: record

Redefinitions

`Log::ID`: `enum`	`RDP::LOG`
`RDP::Info`: `record`	New Fields: `RDP::Info` analyzer_id: `count` `&optional` The analyzer ID used for the analyzer instance attached to each connection. done: `bool` `&default` = `F` `&optional` Track status of logging RDP connections.
`connection`: `record`	New Fields: `connection` rdp: `RDP::Info` `&optional`

Events

RDP::log_rdp: event

Event that can be handled to access the rdp record as it is sent on to the logging framework.

Hooks

`RDP::finalize_rdp`: `Conn::RemovalHook`	RDP finalization hook.
`RDP::log_policy`: `Log::PolicyHook`

Detailed Interface

Runtime Options

RDP::disable_analyzer_after_detection 

Type:: bool
Attributes:: &redef
Default:: F

If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.

RDP::rdp_check_interval 

Type:: interval
Attributes:: &redef
Default:: 10.0 secs

The amount of time to monitor an RDP session from when it is first identified. When this interval is reached, the session is logged.

Redefinable Options

RDP::rdp_ports 

Type:

set [port]

Attributes:

&redef

Default:

{
   3389/tcp
}

Well-known ports for RDP.

RDP::rdpeudp_ports 

Type:

set [port]

Attributes:

&redef

Default:

{
   3389/udp
}

Well-known ports for RDP over UDP.

Types

RDP::Info 

Type:

record

Fields:

ts: time &log: Timestamp for when the event happened.

uid: string &log: Unique ID for the connection.

id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.

cookie: string &log &optional: Cookie value used by the client machine. This is typically a username, but note that it will often be truncated on the wire, to a maximum of 9 characters.

result: string &log &optional: Status result for the connection. It’s a mix between RDP negotiation failure messages and GCC server create response messages.

security_protocol: string &log &optional: Security protocol chosen by the server.

client_channels: vector of string &log &optional: The channels requested by the client

keyboard_layout: string &log &optional: Keyboard layout (language) of the client machine.

client_build: string &log &optional: RDP client version used by the client machine.

client_name: string &log &optional: Name of the client machine.

client_dig_product_id: string &log &optional: Product ID of the client machine.

desktop_width: count &log &optional: Desktop width of the client machine.

desktop_height: count &log &optional: Desktop height of the client machine.

requested_color_depth: string &log &optional: The color depth requested by the client in the high_color_depth field.

cert_type: string &log &optional: If the connection is being encrypted with native RDP encryption, this is the type of cert being used.

cert_count: count &log &default = 0 &optional: The number of certs seen. X.509 can transfer an entire certificate chain.

cert_permanent: bool &log &optional: Indicates if the provided certificate or certificate chain is permanent or temporary.

encryption_level: string &log &optional: Encryption level of the connection.

encryption_method: string &log &optional: Encryption method of the connection.

analyzer_id: count &optional: The analyzer ID used for the analyzer instance attached to each connection. It is not used for logging since it’s a meaningless arbitrary number.

done: bool &default = F &optional: Track status of logging RDP connections.

ssl: bool &log &default = F &optional

(present if policy/protocols/rdp/indicate_ssl.zeek is loaded)

Flag the connection if it was seen over SSL.

Events

RDP::log_rdp 

Type:: event (rec: RDP::Info)

Event that can be handled to access the rdp record as it is sent on to the logging framework.

Hooks

RDP::finalize_rdp 

Type:: Conn::RemovalHook

RDP finalization hook. Remaining RDP info may get logged when it’s called.

RDP::log_policy 

Type:: Log::PolicyHook