base/protocols/rdp/main.zeek

RDP

Implements base functionality for RDP analysis. Generates the rdp.log file.

Namespace

RDP

Imports

base/protocols/conn/removal-hooks.zeek, base/protocols/rdp/consts.zeek

Summary

Runtime Options

RDP::disable_analyzer_after_detection: bool &redef

If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.

RDP::rdp_check_interval: interval &redef

The amount of time to monitor an RDP session from when it is first identified.

Types

RDP::Info: record

Redefinitions

Log::ID: enum

RDP::Info: record

New Fields

RDP::Info

analyzer_id: count &optional

The analyzer ID used for the analyzer instance attached to each connection.

done: bool &default = F &optional

Track status of logging RDP connections.

connection: record

New Fields

connection

rdp: RDP::Info &optional

likely_server_ports: set &redef

Events

RDP::log_rdp: event

Event that can be handled to access the rdp record as it is sent on to the logging framework.

Hooks

RDP::finalize_rdp: Conn::RemovalHook

RDP finalization hook.

RDP::log_policy: Log::PolicyHook

Detailed Interface

Runtime Options

RDP::disable_analyzer_after_detection
Type

bool

Attributes

&redef

Default

F

If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.

RDP::rdp_check_interval
Type

interval

Attributes

&redef

Default

10.0 secs

The amount of time to monitor an RDP session from when it is first identified. When this interval is reached, the session is logged.

Types

RDP::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

cookie: string &log &optional

Cookie value used by the client machine. This is typically a username.

result: string &log &optional

Status result for the connection. It’s a mix between RDP negotiation failure messages and GCC server create response messages.

security_protocol: string &log &optional

Security protocol chosen by the server.

client_channels: vector of string &log &optional

The channels requested by the client.

keyboard_layout: string &log &optional

Keyboard layout (language) of the client machine.

client_build: string &log &optional

RDP client version used by the client machine.

client_name: string &log &optional

Name of the client machine.

client_dig_product_id: string &log &optional

Product ID of the client machine.

desktop_width: count &log &optional

Desktop width of the client machine.

desktop_height: count &log &optional

Desktop height of the client machine.

requested_color_depth: string &log &optional

The color depth requested by the client in the high_color_depth field.

cert_type: string &log &optional

If the connection is being encrypted with native RDP encryption, this is the type of cert being used.

cert_count: count &log &default = 0 &optional

The number of certs seen. X.509 can transfer an entire certificate chain.

cert_permanent: bool &log &optional

Indicates if the provided certificate or certificate chain is permanent or temporary.

encryption_level: string &log &optional

Encryption level of the connection.

encryption_method: string &log &optional

Encryption method of the connection.

analyzer_id: count &optional

The analyzer ID used for the analyzer instance attached to each connection. It is not used for logging since it’s a meaningless arbitrary number.

done: bool &default = F &optional

Track status of logging RDP connections.

ssl: bool &log &default = F &optional

(present if policy/protocols/rdp/indicate_ssl.zeek is loaded)

Flag the connection if it was seen over SSL.

Events

RDP::log_rdp
Type

event (rec: RDP::Info)

Event that can be handled to access the rdp record as it is sent on to the logging framework.

Hooks

RDP::finalize_rdp
Type

Conn::RemovalHook

RDP finalization hook. Remaining RDP info may get logged when it’s called.

RDP::log_policy
Type

Log::PolicyHook
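As an added example (not part of the Zeek distribution or this page), the following script shows how the `RDP::rdp_check_interval` option and the `RDP::log_rdp` event documented above are used together in a detection: it lengthens the monitoring window so the server's security selection has time to arrive, then raises a notice for sessions that negotiated standard RDP security instead of TLS/CredSSP. The notice type `Legacy_Security_Protocol` is defined here, and the string `"RDP"` is assumed to be the name `consts.zeek` gives to standard RDP security.

```zeek
@load base/protocols/rdp
@load base/frameworks/notice

module RDP;

export {
    redef enum Notice::Type += {
        ## Constructed notice type (assumption, not part of Zeek): an RDP
        ## session selected standard RDP security rather than TLS/CredSSP.
        Legacy_Security_Protocol,
    };
}

# Watch each session a little longer than the 10 sec default so the
# server's security_protocol and certificate fields are more likely
# to be populated before the record is logged.
redef RDP::rdp_check_interval = 20 secs;

event RDP::log_rdp(rec: RDP::Info)
    {
    # Sessions that were never negotiated far enough carry no protocol.
    if ( ! rec?$security_protocol )
        return;

    # "RDP" is assumed to be the consts.zeek name for standard RDP security.
    if ( rec$security_protocol != "RDP" )
        return;

    local cert = rec?$cert_type ? rec$cert_type : "unknown";
    local perm = rec?$cert_permanent ? fmt("%s", rec$cert_permanent) : "unknown";

    NOTICE([$note=Legacy_Security_Protocol,
            $msg=fmt("RDP session %s -> %s used standard RDP security (cert_type=%s, permanent=%s)",
                     rec$id$orig_h, rec$id$resp_h, cert, perm),
            $uid=rec$uid,
            $id=rec$id,
            # One notice per server, so a busy host does not flood notice.log.
            $identifier=cat(rec$id$resp_h)]);
    }
```

Load the script alongside `base/protocols/rdp` (for example from `local.zeek`); entries appear in `notice.log` while `rdp.log` is written unchanged.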