base/bif/plugins/Zeek_RDP.events.bif.zeek

Namespace: GLOBAL

Summary

Events
- rdp_begin_encryption: Generated when an RDP session becomes encrypted.
- rdp_client_cluster_data: Generated for client cluster data packets.
- rdp_client_core_data: Generated for the client core data (TS_UD_CS_CORE) block of MCS client requests.
- rdp_client_network_data: Generated for Client Network Data (TS_UD_CS_NET) packets.
- rdp_client_security_data: Generated for client security data packets.
- rdp_connect_request: Generated for X.224 client requests.
- rdp_gcc_server_create_response: Generated for MCS server responses.
- rdp_native_encrypted_data: Generated for each packet after RDP native encryption begins.
- rdp_negotiation_failure: Generated for RDP Negotiation Failure messages.
- rdp_negotiation_response: Generated for RDP Negotiation Response messages.
- rdp_server_certificate: Generated for a server certificate section.
- rdp_server_security: Generated for the server security data (TS_UD_SC_SEC1) block of MCS server responses.
- rdpeudp_data: Generated for data messages exchanged after an RDPEUDP connection is established.
- rdpeudp_established: Generated when an RDPEUDP connection is established (both sides have sent SYN).
- rdpeudp_syn: Generated for an RDPEUDP SYN datagram.
- rdpeudp_synack: Generated for an RDPEUDP SYNACK datagram.
Detailed Interface

Events
rdp_begin_encryption

- Type
  event (c: connection, security_protocol: count)

Generated when an RDP session becomes encrypted.

- c: The connection record for the underlying transport-layer session/flow.
- security_protocol: The security protocol being used for the session.
rdp_client_cluster_data

- Type
  event (c: connection, data: RDP::ClientClusterData)

Generated for client cluster data packets.

- c: The connection record for the underlying transport-layer session/flow.
- data: The data contained in the client cluster data structure.
rdp_client_core_data

- Type
  event (c: connection, data: RDP::ClientCoreData)

Generated for the client core data (TS_UD_CS_CORE) block of MCS client requests.

- c: The connection record for the underlying transport-layer session/flow.
- data: The data contained in the client core data structure.
rdp_client_network_data

- Type
  event (c: connection, channels: RDP::ClientChannelList)

Generated for Client Network Data (TS_UD_CS_NET) packets.

- c: The connection record for the underlying transport-layer session/flow.
- channels: The channels that were requested.
rdp_client_security_data

- Type
  event (c: connection, data: RDP::ClientSecurityData)

Generated for client security data packets.

- c: The connection record for the underlying transport-layer session/flow.
- data: The data contained in the client security data structure.
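The three client-data events above (core, network and security data) arrive in the cleartext part of the MCS Connect Initial, before any credential is sent, and together fingerprint the client. The following script is an added example, not code from Zeek's RDP package or from this page. It builds a client label from the core data, raises a notice when the client asks for virtual channels that move files, clipboard contents or devices across the session boundary, and flags clients whose encryption offer contains nothing stronger than 40-bit RC4. The record field names used (`client_name`, `client_build`, `keyboard_layout`, `name`, `encryption_methods`) come from Zeek's `init-bare.zeek` definitions of `RDP::ClientCoreData`, `RDP::ClientChannelDef` and `RDP::ClientSecurityData`, not from this page; the channel list, bit values and suppression intervals are assumptions for the example.

```zeek
@load base/frameworks/notice
@load base/protocols/rdp

module RDP_ClientProfile;

export {
    redef enum Notice::Type += {
        ## Client requested a static virtual channel that carries files,
        ## clipboard contents or redirected devices across the session.
        Risky_Channel_Requested,
        ## Client offered nothing stronger than 40-bit RC4.
        Weak_Client_Encryption_Offer,
    };

    ## Static virtual channel names worth an alert. Assumed list for this
    ## example; tune it to the environment.
    const risky_channels: set[string] = {
        "rdpdr",    # device redirection: drives, printers, smart cards
        "cliprdr",  # clipboard redirection
        "drdynvc",  # dynamic virtual channels (USB, camera, multimedia, ...)
    } &redef;

    ## Bits of TS_UD_CS_SEC encryptionMethods (MS-RDPBCGR 2.2.1.3.3).
    const ENC_40BIT  = 0x01;
    const ENC_128BIT = 0x02;
    const ENC_56BIT  = 0x08;
    const ENC_FIPS   = 0x10;
}

# Scratch field so later events can name the client; it lives as long as
# the connection record does.
redef record connection += {
    rdp_client_label: string &optional;
};

event rdp_client_core_data(c: connection, data: RDP::ClientCoreData)
    {
    # clientName is the machine name the client announces and clientBuild
    # the mstsc build number. Both are attacker-controlled, which is exactly
    # why they are useful for hunting: scanners and custom clients rarely
    # bother to look like a real Windows build.
    c$rdp_client_label = fmt("%s/build-%d/kbd-0x%x",
                             data$client_name, data$client_build,
                             data$keyboard_layout);
    }

event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
    {
    local wanted: vector of string = vector();
    for ( i in channels )
        {
        # Names are 8-byte, NUL-padded ASCII; normalise before matching.
        local name = to_lower(gsub(channels[i]$name, /\x00/, ""));
        if ( name in risky_channels )
            wanted[|wanted|] = name;
        }

    if ( |wanted| == 0 )
        return;

    local label = c?$rdp_client_label ? c$rdp_client_label : "unknown-client";
    NOTICE([$note=Risky_Channel_Requested,
            $conn=c,
            $msg=fmt("RDP client %s (%s) requested channels %s from %s",
                     c$id$orig_h, label, join_string_vec(wanted, ","),
                     c$id$resp_h),
            $sub=join_string_vec(wanted, ","),
            # One notice per client/server pair per hour is plenty.
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=1hr]);
    }

event rdp_client_security_data(c: connection, data: RDP::ClientSecurityData)
    {
    local m = data$encryption_methods;
    # A client that offers no 56-bit, 128-bit or FIPS method is either
    # ancient or deliberately weakened; the server-side level check
    # (TS_UD_SC_SEC1) decides what the session actually gets.
    local offers_strong = (m & (ENC_128BIT | ENC_56BIT | ENC_FIPS)) != 0;
    if ( ! offers_strong )
        NOTICE([$note=Weak_Client_Encryption_Offer,
                $conn=c,
                $msg=fmt("RDP client %s offered no strong encryption method (encryptionMethods=0x%x)",
                         c$id$orig_h, m),
                $identifier=cat(c$id$orig_h),
                $suppress_for=1hr]);
    }
```

Load it with `zeek -r capture.pcap` next to the base RDP package; notices land in notice.log with the channel list in the `sub` column, so a query for `rdpdr` or `cliprdr` across a day gives every session that was set up to move files.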
rdp_connect_request

- Type
  event (c: connection, cookie: string, flags: count)
- Type
  event (c: connection, cookie: string)

Generated for X.224 client requests. Two prototypes are listed on this page; a handler must match the one declared by the Zeek version in use.

- c: The connection record for the underlying transport-layer session/flow.
- cookie: The cookie included in the request.
- flags: The flags set by the client.
rdp_gcc_server_create_response

- Type
  event (c: connection, result: count)

Generated for MCS server responses.

- c: The connection record for the underlying transport-layer session/flow.
- result: The 8-bit integer representing the GCC Conference Create Response result.
rdp_native_encrypted_data

- Type
  event (c: connection, orig: bool, len: count)

Generated for each packet after RDP native encryption begins.

- c: The connection record for the underlying transport-layer session/flow.
- orig: True if the packet was sent by the originator of the connection.
- len: The length of the encrypted data.
rdp_negotiation_failure

- Type
  event (c: connection, failure_code: count, flags: count)
- Type
  event (c: connection, failure_code: count)

Generated for RDP Negotiation Failure messages.

- c: The connection record for the underlying transport-layer session/flow.
- failure_code: The failure code sent by the server.
- flags: The flags set by the server.
rdp_negotiation_response

- Type
  event (c: connection, security_protocol: count, flags: count)
- Type
  event (c: connection, security_protocol: count)

Generated for RDP Negotiation Response messages.

- c: The connection record for the underlying transport-layer session/flow.
- security_protocol: The security protocol selected by the server.
- flags: The flags set by the server.
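The X.224 exchange (rdp_connect_request, then either rdp_negotiation_response or rdp_negotiation_failure) happens before TLS, so it is visible even for sessions that go on to use CredSSP/NLA. The script below is an added example, not code from Zeek's RDP package or from this page. It ties the three events together: the routing cookie from the request is kept until the server answers, a notice fires when the server selects standard RDP security (no TLS, no NLA), failures are attributed to the username that was tried, and a source that cycles through many usernames is flagged. The handlers use the three-argument prototypes (with `flags`); the two-argument forms also listed on this page would need the `flags` parameter dropped. The value tables are transcribed from MS-RDPBCGR (Zeek ships equivalent tables in `base/protocols/rdp/consts.zeek`); the `Cookie: mstshash=` prefix handling, the thresholds and the suppression intervals are assumptions for the example.

```zeek
@load base/frameworks/notice
@load base/protocols/rdp

module RDP_Negotiation;

export {
    redef enum Notice::Type += {
        ## Server answered the X.224 request by selecting standard RDP
        ## security: no TLS and no CredSSP/NLA for this session.
        Legacy_Security_Selected,
        ## Server rejected the client's requested security protocols.
        Negotiation_Failed,
        ## One source tried many different usernames via the routing cookie.
        Cookie_User_Spray,
    };

    ## requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.2.1).
    const security_protocols: table[count] of string = {
        [0x00] = "RDP",        # standard RDP security (RC4, no NLA)
        [0x01] = "SSL",        # TLS
        [0x02] = "HYBRID",     # CredSSP (NLA)
        [0x08] = "HYBRID_EX",  # CredSSP with early user authorization result
    } &default="UNKNOWN";

    ## failureCode values (MS-RDPBCGR 2.2.1.2.2).
    const failure_codes: table[count] of string = {
        [1] = "SSL_REQUIRED_BY_SERVER",
        [2] = "SSL_NOT_ALLOWED_BY_SERVER",
        [3] = "SSL_CERT_NOT_ON_SERVER",
        [4] = "INCONSISTENT_FLAGS",
        [5] = "HYBRID_REQUIRED_BY_SERVER",
        [6] = "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
    } &default="UNKNOWN";

    ## Distinct cookie usernames from one source within the window before
    ## a spray notice fires. Assumed values for the example.
    const spray_threshold = 10 &redef;
    const spray_window = 10min &redef;
}

## Cookie username per connection, kept until the server answers.
global cookie_user: table[string] of string &read_expire=5min;

## Distinct usernames seen per source address.
global users_by_src: table[addr] of set[string] &create_expire=spray_window;

event rdp_connect_request(c: connection, cookie: string, flags: count)
    {
    # mstsc sends "Cookie: mstshash=<user>" carrying the first nine
    # characters of the login name. Zeek normally hands over the value;
    # strip prefix and CRLF defensively in case a client sends it raw.
    local user = strip(sub(cookie, /^Cookie: mstshash=/, ""));
    if ( user == "" )
        return;

    cookie_user[c$uid] = user;

    local src = c$id$orig_h;
    if ( src !in users_by_src )
        users_by_src[src] = set();
    add users_by_src[src][user];

    if ( |users_by_src[src]| == spray_threshold )
        NOTICE([$note=Cookie_User_Spray, $conn=c,
                $msg=fmt("%s tried %d distinct RDP usernames within %s",
                         src, spray_threshold, spray_window),
                $identifier=cat(src), $suppress_for=spray_window]);
    }

event rdp_negotiation_response(c: connection, security_protocol: count, flags: count)
    {
    delete cookie_user[c$uid];
    if ( security_protocol == 0x00 )
        NOTICE([$note=Legacy_Security_Selected, $conn=c,
                $msg=fmt("RDP server %s selected %s security for %s: logon will not be protected by TLS or NLA",
                         c$id$resp_h, security_protocols[security_protocol],
                         c$id$orig_h),
                $sub=security_protocols[security_protocol],
                $identifier=cat(c$id$resp_h), $suppress_for=1day]);
    }

event rdp_negotiation_failure(c: connection, failure_code: count, flags: count)
    {
    local user = c$uid in cookie_user ? cookie_user[c$uid] : "<no cookie>";
    delete cookie_user[c$uid];
    # HYBRID_REQUIRED_BY_SERVER from a server that enforces NLA is the usual
    # trace of scanners and brute-force tools that never speak CredSSP.
    NOTICE([$note=Negotiation_Failed, $conn=c,
            $msg=fmt("RDP server %s refused %s (cookie user %s): %s",
                     c$id$resp_h, c$id$orig_h, user,
                     failure_codes[failure_code]),
            $sub=failure_codes[failure_code],
            $identifier=cat(c$id$orig_h, c$id$resp_h, failure_code),
            $suppress_for=10min]);
    }
```

The cookie is the only pre-authentication username you get from the wire, which is why the spray detector keys on it rather than on failed logons: with NLA the actual authentication is inside TLS and invisible to Zeek.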
rdp_server_certificate

- Type
  event (c: connection, cert_type: count, permanently_issued: bool)

Generated for a server certificate section. If multiple X.509 certificates are included in the chain, this event is still generated only once.

- c: The connection record for the underlying transport-layer session/flow.
- cert_type: Indicates the type of certificate.
- permanently_issued: True if the certificate(s) are permanently issued on the server.
rdp_server_security

- Type
  event (c: connection, encryption_method: count, encryption_level: count)

Generated for the server security data (TS_UD_SC_SEC1) block of MCS server responses.

- c: The connection record for the underlying transport-layer session/flow.
- encryption_method: The 32-bit integer representing the encryption method used in the connection.
- encryption_level: The 32-bit integer representing the encryption level used in the connection.
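The server-side events (rdp_server_certificate and rdp_server_security above, together with rdp_native_encrypted_data earlier on this page) describe what protects a session that runs on standard RDP security rather than TLS. The script below is an added example, not code from Zeek's RDP package or from this page. It raises notices for a proprietary server certificate and for a no-encryption or 40-bit encryption level or method, and it counts the opaque bytes per direction after native encryption begins, writing them to a small log and flagging large client-to-server volumes. The constant values are transcribed from MS-RDPBCGR; the log name, the upload threshold and the suppression intervals are assumptions. It also assumes the RDP analyzer keeps running after native encryption starts (`RDP::disable_analyzer_after_detection` at its default), otherwise rdp_native_encrypted_data never fires.

```zeek
@load base/frameworks/notice
@load base/protocols/rdp

module RDP_ServerPosture;

export {
    redef enum Log::ID += { LOG };

    redef enum Notice::Type += {
        ## Standard RDP security with no or 40-bit encryption.
        Weak_Server_Encryption,
        ## Server authenticated with a proprietary (non-X.509) certificate.
        Proprietary_Server_Certificate,
        ## Unusually large client-to-server volume under native encryption,
        ## i.e. data going into the session (drive or clipboard copy).
        Large_Native_Upload,
    };

    ## TS_UD_SC_SEC1 encryptionMethod / encryptionLevel (MS-RDPBCGR 2.2.1.4.3).
    const ENC_METHOD_NONE  = 0x00;
    const ENC_METHOD_40BIT = 0x01;
    const ENC_LEVEL_NONE   = 0;
    const ENC_LEVEL_LOW    = 1;   # only client-to-server traffic is encrypted

    ## certChainVersion: 1 = proprietary RSA certificate signed with the
    ## well-known Terminal Services key, 2 = X.509 chain.
    const CERT_PROPRIETARY = 1;

    ## Assumed threshold for the upload heuristic (bytes).
    const upload_threshold = 50 * 1024 * 1024 &redef;

    ## One line per connection that carried natively encrypted RDP data.
    type Info: record {
        ts:         time    &log;
        uid:        string  &log;
        id:         conn_id &log;
        bytes_orig: count   &log &default=0;
        bytes_resp: count   &log &default=0;
    };
}

redef record connection += {
    rdp_native: Info &optional;
};

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="rdp_native"]);
    }

event rdp_server_certificate(c: connection, cert_type: count, permanently_issued: bool)
    {
    if ( cert_type == CERT_PROPRIETARY )
        NOTICE([$note=Proprietary_Server_Certificate, $conn=c,
                $msg=fmt("RDP server %s presented a proprietary certificate (permanent=%s); its signing key is public, so it provides no server authentication",
                         c$id$resp_h, permanently_issued),
                $identifier=cat(c$id$resp_h), $suppress_for=1day]);
    }

event rdp_server_security(c: connection, encryption_method: count, encryption_level: count)
    {
    # This block is only observable when the MCS exchange ran in cleartext,
    # i.e. the server chose standard RDP security rather than TLS/CredSSP,
    # so the values here describe the channel that will carry the logon.
    local severity = "";
    if ( encryption_level == ENC_LEVEL_NONE || encryption_method == ENC_METHOD_NONE )
        severity = "none";
    else if ( encryption_level == ENC_LEVEL_LOW || encryption_method == ENC_METHOD_40BIT )
        severity = "weak";

    if ( severity != "" )
        NOTICE([$note=Weak_Server_Encryption, $conn=c,
                $msg=fmt("RDP server %s: standard RDP security with encryptionMethod=0x%x encryptionLevel=%d (%s)",
                         c$id$resp_h, encryption_method, encryption_level, severity),
                $sub=severity, $identifier=cat(c$id$resp_h, severity),
                $suppress_for=1day]);
    }

event rdp_native_encrypted_data(c: connection, orig: bool, len: count)
    {
    if ( ! c?$rdp_native )
        c$rdp_native = Info($ts=network_time(), $uid=c$uid, $id=c$id);
    if ( orig )
        c$rdp_native$bytes_orig += len;
    else
        c$rdp_native$bytes_resp += len;
    }

event connection_state_remove(c: connection)
    {
    if ( ! c?$rdp_native )
        return;
    local n = c$rdp_native;
    Log::write(LOG, n);
    if ( n$bytes_orig >= upload_threshold )
        NOTICE([$note=Large_Native_Upload, $conn=c,
                $msg=fmt("%s pushed %d bytes into the RDP session on %s (server sent %d)",
                         c$id$orig_h, n$bytes_orig, c$id$resp_h, n$bytes_resp),
                $identifier=cat(c$id$orig_h, c$id$resp_h), $suppress_for=1hr]);
    }
```

The byte counters are kept on the connection record rather than in `RDP::Info` on purpose: the RDP package writes rdp.log shortly after the session is identified, so fields added there would only reflect the first seconds of the session, whereas connection_state_remove sees the whole flow.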
rdpeudp_data

- Type
  event (c: connection, is_orig: bool, version: count, data: string)

Generated for data messages exchanged after an RDPEUDP connection is established.

- c: The connection record for the underlying transport-layer session/flow.
- is_orig: Whether the data was sent by the originator or responder of the connection.
- version: The RDPEUDP protocol version, RDPEUDP1 or RDPEUDP2.
- data: The payload of the packet. Handling this event copies the full payload into script-land for every datagram, so it is expensive; only handle it if the bytes themselves are needed.
rdpeudp_established

- Type
  event (c: connection, version: count)

Generated when an RDPEUDP connection is established (both sides have sent SYN).

- c: The connection record for the underlying transport-layer session/flow.
- version: The RDPEUDP protocol version, RDPEUDP1 or RDPEUDP2.
rdpeudp_syn

- Type
  event (c: connection)

Generated for an RDPEUDP SYN datagram.

- c: The connection record for the underlying transport-layer session/flow.
rdpeudp_synack

- Type
  event (c: connection)

Generated for an RDPEUDP SYNACK datagram.

- c: The connection record for the underlying transport-layer session/flow.
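The RDPEUDP transport is negotiated from the TCP session (the server offers it in an Initiate Multitransport Request PDU once the main connection is up), so a UDP transport that appears without any RDP-over-TCP negotiation from the same client is either a capture gap or something impersonating RDP. The script below is an added example, not code from Zeek's RDP package or from this page: it logs every established RDPEUDP transport with its version and whether a matching TCP negotiation was seen, and raises a notice when none was. The lookback window and log name are assumptions; the rdp_connect_request handler uses the three-argument prototype.

```zeek
@load base/frameworks/notice
@load base/protocols/rdp

module RDPEUDP_Watch;

export {
    redef enum Log::ID += { LOG };

    redef enum Notice::Type += {
        ## UDP transport for a client/server pair with no RDP-over-TCP
        ## negotiation seen in the lookback window.
        UDP_Without_TCP_Session,
    };

    ## How long a TCP negotiation vouches for later UDP transports. Assumed.
    const tcp_lookback = 10min &redef;

    type Info: record {
        ts:       time    &log;
        uid:      string  &log;
        id:       conn_id &log;
        ## Version as delivered by the analyzer (RDPEUDP1 or RDPEUDP2).
        version:  count   &log;
        ## Whether a TCP X.224 request from the same client to the same
        ## server was seen within tcp_lookback.
        tcp_seen: bool    &log;
    };
}

## Client/server pairs that negotiated RDP over TCP recently.
global tcp_pairs: set[addr, addr] &create_expire=tcp_lookback;

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="rdpeudp"]);
    }

event rdp_connect_request(c: connection, cookie: string, flags: count)
    {
    add tcp_pairs[c$id$orig_h, c$id$resp_h];
    }

event rdpeudp_established(c: connection, version: count)
    {
    local seen = [c$id$orig_h, c$id$resp_h] in tcp_pairs;
    Log::write(LOG, Info($ts=network_time(), $uid=c$uid, $id=c$id,
                         $version=version, $tcp_seen=seen));
    if ( ! seen )
        NOTICE([$note=UDP_Without_TCP_Session, $conn=c,
                $msg=fmt("RDPEUDP v%d transport %s -> %s without a prior TCP RDP negotiation in the last %s",
                         version, c$id$orig_h, c$id$resp_h, tcp_lookback),
                $identifier=cat(c$id$orig_h, c$id$resp_h),
                $suppress_for=tcp_lookback]);
    }

# rdpeudp_data is deliberately not handled: it copies every datagram payload
# into script-land. Per-direction volume for the UDP flow is already in
# conn.log (orig_bytes / resp_bytes).
```

In a cluster deployment the `tcp_pairs` set is per worker, so the TCP and UDP flows of one session must land on the same worker (the default 5-tuple-independent load balancing by host pair achieves this) or the lookup must be moved to a synchronised table.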