mirror of https://github.com/OISF/suricata
RFB Keywords
============

The ``rfb.name``, ``rfb.secresult`` and ``rfb.sectype`` keywords can be used for matching on various properties of
RFB (Remote Framebuffer, i.e. VNC) handshakes.


rfb.name
--------

Match on the value of the RFB desktop name field. The server sends this name in its ServerInit message, after the security handshake has succeeded, so the buffer only exists for sessions that got that far; a connection that fails authentication never produces an ``rfb.name`` value.

Examples::

  rfb.name; content:"Alice's desktop";
  rfb.name; pcre:"/.* \(screen [0-9]\)$/";

``rfb.name`` is a 'sticky buffer': the ``content``, ``pcre`` and similar keywords that follow it match against the desktop name rather than the packet payload.

``rfb.name`` can be used as ``fast_pattern``.


rfb.secresult
-------------

Match on the value of the RFB security result, i.e. the SecurityResult message the server sends once the security handshake has been carried out, e.g. ``ok``, ``fail``, ``toomany`` or ``unknown``. ``ok`` and ``fail`` correspond to the SecurityResult values ``0`` and ``1`` defined in RFC 6143, so ``rfb.secresult: !0;`` matches every outcome other than ``ok``.

rfb.secresult uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.

Examples::

  rfb.secresult: ok;
  rfb.secresult: !0;
  rfb.secresult: unknown;


rfb.sectype
-----------

Match on the value of the RFB security type negotiated in the handshake (for RFB 3.7 and later, the type the client selects from the list the server offers), e.g. ``2`` for VNC challenge-response authentication, ``1`` for no authentication, and ``30`` for Apple's custom Remote Desktop authentication. Note that ``0`` is not 'no authentication': RFC 6143 defines it as the 'invalid' security type.

rfb.sectype uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

* ``>`` (greater than)
* ``<`` (less than)
* ``>=`` (greater than or equal)
* ``<=`` (less than or equal)

Examples::

  rfb.sectype:2;
  rfb.sectype:>=3;


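To make concrete where in the handshake each of the three keywords gets its value, here is an added example (written for this page; it is not Suricata's code and not its RFB app-layer parser) that walks an RFB 3.8 handshake as laid out in RFC 6143 and pulls out the desktop name, the chosen security type and the security result, then applies the example arguments from the sections above to them. The byte streams ``SERVER_OK``/``CLIENT_OK`` and ``SERVER_FAIL``/``CLIENT_FAIL`` are constructed, not captured; the class and function names (``Stream``, ``parse_rfb_handshake``, ``match_uint``, ``check_doc_examples``) are this example's own; and the integer-argument matcher only models the ``ok``/``fail`` names (RFC 6143 values 0 and 1), not ``toomany`` or ``unknown``, and only RFB 3.8 (RFB 3.3 and the sub-protocols of types other than None and VNC auth are not parsed).

```python
"""Parse an RFB (VNC) handshake and extract the fields that rfb.name,
rfb.secresult and rfb.sectype match on.  Added example, not Suricata's own
RFB parser: it follows the RFB 3.8 handshake of RFC 6143 and assumes that
version; RFB 3.3 and the sub-protocols of types other than None/VNC auth
(e.g. 30, Apple ARD) are not modelled beyond recording the chosen type."""
import re
import struct

SECTYPE_NONE, SECTYPE_VNC_AUTH = 1, 2   # RFC 6143 7.1.2 (0 is "Invalid")
SECRESULT_NAMES = {"ok": 0, "fail": 1}  # RFC 6143 7.1.3; Suricata's other
                                        # names (toomany, unknown) not modelled

class Stream:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0   # one direction of the TCP conversation
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated RFB stream")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self) -> int:
        return self.take(1)[0]
    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]


def parse_rfb_handshake(server: bytes, client: bytes) -> dict:
    """Keyword-relevant fields; None where the handshake ended earlier."""
    s, c = Stream(server), Stream(client)
    f = {"version": None, "sectype": None, "secresult": None, "name": None}
    # 7.1.1 ProtocolVersion: both sides send "RFB xxx.yyy\n" (12 bytes)
    sver, cver = s.take(12), c.take(12)
    if not (sver.startswith(b"RFB ") and cver.startswith(b"RFB ")):
        raise ValueError("not an RFB handshake")
    f["version"] = cver[4:11].decode("ascii")
    # 7.1.2 Security handshake: server lists its types, client picks one
    ntypes = s.u8()
    if ntypes == 0:                       # server refuses: U32 length + reason
        f["reason"] = s.take(s.u32()).decode("latin-1")
        return f
    f["sectypes_offered"] = list(s.take(ntypes))
    f["sectype"] = c.u8()                 # the value rfb.sectype matches
    if f["sectype"] == SECTYPE_VNC_AUTH:  # 7.2.2: 16-byte challenge/response
        f["challenge"], f["response"] = s.take(16), c.take(16)
    elif f["sectype"] != SECTYPE_NONE:
        return f                          # other types: sub-protocol not parsed
    # 7.1.3 SecurityResult: U32, 0 = OK, 1 = failed (+ reason string in 3.8)
    f["secresult"] = s.u32()              # the value rfb.secresult matches
    if f["secresult"] != 0:
        f["reason"] = s.take(s.u32()).decode("latin-1")
        return f
    # 7.3.1 ClientInit (shared flag), 7.3.2 ServerInit: name is the last field
    f["shared"] = c.u8()
    s.take(4 + 16)                        # width, height, PIXEL_FORMAT: unused here
    f["name"] = s.take(s.u32()).decode("utf-8", "replace")   # rfb.name buffer
    return f


_UINT_ARG = re.compile(r"^\s*(!|>=|<=|>|<)?\s*(\w+)\s*$")

def match_uint(arg: str, value, names=None) -> bool:
    """Evaluate an integer-keyword argument ('2', '>=3', '!0', or a name in
    `names`) against a parsed value; an absent field (None) never matches."""
    if value is None:
        return False
    m = _UINT_ARG.match(arg)
    if not m:
        raise ValueError(f"bad integer argument {arg!r}")
    op, raw = m.groups()
    target = (names or {}).get(raw)
    target = int(raw) if target is None else target
    return {None: value == target, "!": value != target, ">": value > target,
            "<": value < target, ">=": value >= target, "<=": value <= target}[op]


def check_doc_examples(f: dict) -> dict:
    """Apply the example arguments from this page to a parsed handshake."""
    name = f["name"] if f["name"] is not None else ""
    return {"name_content": f["name"] is not None and "Alice's desktop" in name,
            "name_pcre": re.search(r".* \(screen [0-9]\)$", name) is not None,
            "secresult_not_ok": match_uint("!0", f["secresult"], SECRESULT_NAMES),
            "sectype_ge_3": match_uint(">=3", f["sectype"])}


# Constructed sample streams, not real captures.
def _u32(n: int) -> bytes:
    return struct.pack(">I", n)

VERSION, NAME, REASON = b"RFB 003.008\n", b"Alice's desktop (screen 1)", b"Authentication failure"
# VNC auth succeeds, server sends ServerInit with its desktop name
SERVER_OK = (VERSION + bytes([2, 1, 2]) + b"\x11" * 16 + _u32(0)
             + struct.pack(">HH", 1024, 768) + b"\x00" * 16 + _u32(len(NAME)) + NAME)
CLIENT_OK = VERSION + bytes([2]) + b"\x22" * 16 + b"\x01"
# VNC auth fails: SecurityResult 1 and a reason, no ServerInit, so no rfb.name
SERVER_FAIL = VERSION + bytes([1, 2]) + b"\x11" * 16 + _u32(1) + _u32(len(REASON)) + REASON
CLIENT_FAIL = VERSION + bytes([2]) + b"\x33" * 16
```

Running ``parse_rfb_handshake`` on the two constructed sessions shows the practical consequence for rule writing: the failed login yields ``sectype`` 2 and ``secresult`` 1 but no name at all, so a rule combining ``rfb.secresult: !0;`` with an ``rfb.name`` match can never fire, while the successful session is the only one where both ``rfb.name`` example arguments match.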
Additional information
----------------------

More information on the protocol can be found here:
`<https://tools.ietf.org/html/rfc6143>`_