base/bif/plugins/Zeek_RDP.events.bif.zeek

Namespace: GLOBAL

Summary

Events
| Event | Description |
| --- | --- |
| rdp_begin_encryption | Generated when an RDP session becomes encrypted. |
| rdp_client_cluster_data | Generated for client cluster data packets. |
| rdp_client_core_data | Generated for MCS client requests. |
| rdp_client_network_data | Generated for Client Network Data (TS_UD_CS_NET) packets. |
| rdp_client_security_data | Generated for client security data packets. |
| rdp_connect_request | Generated for X.224 client requests. |
| rdp_gcc_server_create_response | Generated for MCS server responses. |
| rdp_native_encrypted_data | Generated for each packet after RDP native encryption begins. |
| rdp_negotiation_failure | Generated for RDP Negotiation Failure messages. |
| rdp_negotiation_response | Generated for RDP Negotiation Response messages. |
| rdp_server_certificate | Generated for a server certificate section. |
| rdp_server_security | Generated for MCS server responses. |
| rdpeudp_data | Generated for data messages exchanged after an RDPEUDP connection is established. |
| rdpeudp_established | Generated when RDPEUDP connections are established (both sides SYN). |
| rdpeudp_syn | Generated for RDPEUDP SYN UDP datagrams. |
| rdpeudp_synack | Generated for RDPEUDP SYNACK UDP datagrams. |
Detailed Interface

Events

rdp_begin_encryption

Type: event(c: connection, security_protocol: count)

Generated when an RDP session becomes encrypted.

- c: The connection record for the underlying transport-layer session/flow.
- security_protocol: The security protocol being used for the session.

rdp_client_cluster_data

Type: event(c: connection, data: RDP::ClientClusterData)

Generated for client cluster data packets.

- c: The connection record for the underlying transport-layer session/flow.
- data: The data contained in the client cluster data structure.

rdp_client_core_data

Type: event(c: connection, data: RDP::ClientCoreData)

Generated for MCS client requests.

- c: The connection record for the underlying transport-layer session/flow.
- data: The data contained in the client core data structure.

rdp_client_network_data

Type: event(c: connection, channels: RDP::ClientChannelList)

Generated for Client Network Data (TS_UD_CS_NET) packets.

- c: The connection record for the underlying transport-layer session/flow.
- channels: The channels that were requested.

rdp_client_security_data

Type: event(c: connection, data: RDP::ClientSecurityData)

Generated for client security data packets.

- c: The connection record for the underlying transport-layer session/flow.
- data: The data contained in the client security data structure.

rdp_connect_request

Type: event(c: connection, cookie: string, flags: count)
Type: event(c: connection, cookie: string)

Generated for X.224 client requests.

- c: The connection record for the underlying transport-layer session/flow.
- cookie: The cookie included in the request.
- flags: The flags set by the client.

rdp_gcc_server_create_response

Type: event(c: connection, result: count)

Generated for MCS server responses.

- c: The connection record for the underlying transport-layer session/flow.
- result: The 8-bit integer representing the GCC Conference Create Response result.
rdp_native_encrypted_data

Type: event(c: connection, orig: bool, len: count)

Generated for each packet after RDP native encryption begins.

- c: The connection record for the underlying transport-layer session/flow.
- orig: True if the packet was sent by the originator of the connection.
- len: The length of the encrypted data.

rdp_negotiation_failure

Type: event(c: connection, failure_code: count, flags: count)
Type: event(c: connection, failure_code: count)

Generated for RDP Negotiation Failure messages.

- c: The connection record for the underlying transport-layer session/flow.
- failure_code: The failure code sent by the server.
- flags: The flags set by the server.

rdp_negotiation_response

Type: event(c: connection, security_protocol: count, flags: count)
Type: event(c: connection, security_protocol: count)

Generated for RDP Negotiation Response messages.

- c: The connection record for the underlying transport-layer session/flow.
- security_protocol: The security protocol selected by the server.
- flags: The flags set by the server.

rdp_server_certificate

Type: event(c: connection, cert_type: count, permanently_issued: bool)

Generated for a server certificate section. If multiple X.509 certificates are included in the chain, this event is still generated only once.

- c: The connection record for the underlying transport-layer session/flow.
- cert_type: Indicates the type of certificate.
- permanently_issued: True if the certificate(s) is permanently issued on the server.
rdp_server_security

Type: event(c: connection, encryption_method: count, encryption_level: count)

Generated for MCS server responses.

- c: The connection record for the underlying transport-layer session/flow.
- encryption_method: The 32-bit integer representing the encryption method used in the connection.
- encryption_level: The 32-bit integer representing the encryption level used in the connection.

rdpeudp_data

Type: event(c: connection, is_orig: bool, version: count, data: string)

Generated for data messages exchanged after an RDPEUDP connection is established.

- c: The connection record for the underlying transport-layer session/flow.
- is_orig: Whether the data was sent by the originator or responder of the connection.
- version: Whether the connection is RDPEUDP1 or RDPEUDP2.
- data: The payload of the packet. Passing every payload into script-land in this way is probably very non-performant.

rdpeudp_established

Type: event(c: connection, version: count)

Generated when RDPEUDP connections are established (both sides SYN).

- c: The connection record for the underlying transport-layer session/flow.
- version: Whether the connection is RDPEUDP1 or RDPEUDP2.

rdpeudp_syn

Type: event(c: connection)

Generated for RDPEUDP SYN UDP datagrams.

- c: The connection record for the underlying transport-layer session/flow.

rdpeudp_synack

Type: event(c: connection)

Generated for RDPEUDP SYNACK UDP datagrams.

- c: The connection record for the underlying transport-layer session/flow.
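As an added example (not part of the Zeek distribution or of this reference), the script below consumes rdp_negotiation_response, rdp_server_certificate and rdp_native_encrypted_data to flag RDP servers that fall back to standard RDP security or present a temporary certificate, and to tally how much traffic then travels under RDP native encryption. The module name RDPAudit and the two Notice::Type values are constructed here; the PROTOCOL_RDP value of 0 is assumed from MS-RDPBCGR, not taken from this page.

```zeek
@load base/frameworks/notice
@load base/protocols/rdp

module RDPAudit;

export {
	redef enum Notice::Type += {
		## Server selected standard RDP security, so the session relies on
		## RDP native encryption rather than TLS/CredSSP.
		Legacy_Security_Negotiated,
		## Server presented a certificate that is not permanently issued.
		Temporary_Server_Certificate,
	};

	## PROTOCOL_RDP from MS-RDPBCGR (value assumed from the spec, not from
	## this page); 0 means the session fell back to standard RDP security.
	const PROTOCOL_RDP: count = 0 &redef;
}

# Bytes of natively encrypted payload seen per connection, keyed by uid.
global native_bytes: table[string] of count &create_expire=1hr;

event rdp_negotiation_response(c: connection, security_protocol: count, flags: count)
	{
	if ( security_protocol == PROTOCOL_RDP )
		NOTICE([$note=Legacy_Security_Negotiated, $conn=c,
		        $msg=fmt("RDP server %s negotiated standard RDP security (no TLS)", c$id$resp_h),
		        $identifier=cat(c$id$resp_h)]);
	}

event rdp_server_certificate(c: connection, cert_type: count, permanently_issued: bool)
	{
	if ( ! permanently_issued )
		NOTICE([$note=Temporary_Server_Certificate, $conn=c,
		        $msg=fmt("RDP server %s sent a temporary certificate (type %d)", c$id$resp_h, cert_type),
		        $identifier=cat(c$id$resp_h)]);
	}

# Tally how much traffic flows under RDP native encryption once it begins.
event rdp_native_encrypted_data(c: connection, orig: bool, len: count)
	{
	if ( c$uid !in native_bytes )
		native_bytes[c$uid] = 0;
	native_bytes[c$uid] += len;
	}

event connection_state_remove(c: connection)
	{
	if ( c$uid in native_bytes )
		Reporter::info(fmt("%s: %d bytes of RDP native encrypted data", c$uid, native_bytes[c$uid]));
	}
```

Run it alongside a capture with `zeek -r rdp.pcap rdp_audit.zeek` (file name constructed); matching sessions appear in notice.log and the byte tallies in reporter.log.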