suricata/src/output-json-rfb.h

/* Copyright (C) 2020 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Frank Honza <frank.honza@dcso.de>
 */

#ifndef __OUTPUT_JSON_RFB_H__
#define __OUTPUT_JSON_RFB_H__

void JsonRFBLogRegister(void);

bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js);

#endif /* __OUTPUT_JSON_RFB_H__ */
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation. 6 years ago			`/* Copyright (C) 2020 Open Information Security Foundation`
			`*`
			`* You can copy, redistribute or modify this Program under the terms of`
			`* the GNU General Public License version 2 as published by the Free`
			`* Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* version 2 along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA`
			`* 02110-1301, USA.`
			`*/`

			`/**`
			`* \file`
			`*`
			`* \author Frank Honza <frank.honza@dcso.de>`
			`*/`

			`#ifndef __OUTPUT_JSON_RFB_H__`
			`#define __OUTPUT_JSON_RFB_H__`

			`void JsonRFBLogRegister(void);`

rfb/eve: convert to jsonbuilder 5 years ago			`bool JsonRFBAddMetadata(const Flow f, uint64_t tx_id, JsonBuilder js);`
add RFB parser This commit adds support for the Remote Framebuffer Protocol (RFB) as used, for example, by various VNC implementations. It targets the official versions 3.3, 3.7 and 3.8 of the protocol and provides logging for the RFB handshake communication for now. Logged events include endpoint versions, details of the security (i.e. authentication) exchange as well as metadata about the image transfer parameters. Detection is enabled using keywords for: - rfb.name: Session name as sticky buffer - rfb.sectype: Security type, e.g. VNC-style challenge-response - rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ... The latter could be used, for example, to detect brute-force attempts on open VNC servers, while the name could be used to map unwanted VNC sessions to the desktop owners or machines. We also ship example EVE-JSON output and keyword docs as part of the Sphinx source for Suricata's RTD documentation. 6 years ago
			`#endif /* __OUTPUT_JSON_RFB_H__ */`