base/protocols/rdp/main.bro

RDP

Implements base functionality for RDP analysis. Generates the rdp.log file.

Namespace:RDP
Imports:base/protocols/rdp/consts.bro
Source File:/scripts/base/protocols/rdp/main.bro

Summary

Options

RDP::disable_analyzer_after_detection: bool &redef If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.
RDP::rdp_check_interval: interval &redef The amount of time to monitor an RDP session from when it is first identified.

Types

RDP::Info: record  

Events

RDP::log_rdp: event Event that can be handled to access the rdp record as it is sent on to the logging framework.

Detailed Interface

Options

RDP::disable_analyzer_after_detection
Type:bool
Attributes:&redef
Default:F

If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.

RDP::rdp_check_interval
Type:interval
Attributes:&redef
Default:10.0 secs

The amount of time to monitor an RDP session from when it is first identified. When this interval is reached, the session is logged.

Types

RDP::Info
Type:

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

cookie: string &log &optional

Cookie value used by the client machine. This is typically a username.

result: string &log &optional

Status result for the connection. It’s a mix between RDP negotation failure messages and GCC server create response messages.

security_protocol: string &log &optional

Security protocol chosen by the server.

keyboard_layout: string &log &optional

Keyboard layout (language) of the client machine.

client_build: string &log &optional

RDP client version used by the client machine.

client_name: string &log &optional

Name of the client machine.

client_dig_product_id: string &log &optional

Product ID of the client machine.

desktop_width: count &log &optional

Desktop width of the client machine.

desktop_height: count &log &optional

Desktop height of the client machine.

requested_color_depth: string &log &optional

The color depth requested by the client in the high_color_depth field.

cert_type: string &log &optional

If the connection is being encrypted with native RDP encryption, this is the type of cert being used.

cert_count: count &log &default = 0 &optional

The number of certs seen. X.509 can transfer an entire certificate chain.

cert_permanent: bool &log &optional

Indicates if the provided certificate or certificate chain is permanent or temporary.

encryption_level: string &log &optional

Encryption level of the connection.

encryption_method: string &log &optional

Encryption method of the connection.

analyzer_id: count &optional

The analyzer ID used for the analyzer instance attached to each connection. It is not used for logging since it’s a meaningless arbitrary number.

done: bool &default = F &optional

Track status of logging RDP connections.

ssl: bool &log &default = F &optional

(present if policy/protocols/rdp/indicate_ssl.bro is loaded)

Flag the connection if it was seen over SSL.

Events

RDP::log_rdp
Type:event (rec: RDP::Info)

Event that can be handled to access the rdp record as it is sent on to the logging framework.

Copyright 2016, The Bro Project. Last updated on December 07, 2018. Created using Sphinx 1.8.2.