summaryrefslogtreecommitdiffstats
path: root/doc/userguide/rules/rfb-keywords.rst
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:39:49 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:39:49 +0000
commita0aa2307322cd47bbf416810ac0292925e03be87 (patch)
tree37076262a026c4b48c8a0e84f44ff9187556ca35 /doc/userguide/rules/rfb-keywords.rst
parentInitial commit. (diff)
downloadsuricata-a0aa2307322cd47bbf416810ac0292925e03be87.tar.xz
suricata-a0aa2307322cd47bbf416810ac0292925e03be87.zip
Adding upstream version 1:7.0.3.upstream/1%7.0.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/userguide/rules/rfb-keywords.rst')
-rw-r--r--doc/userguide/rules/rfb-keywords.rst56
1 files changed, 56 insertions, 0 deletions
diff --git a/doc/userguide/rules/rfb-keywords.rst b/doc/userguide/rules/rfb-keywords.rst
new file mode 100644
index 0000000..628b3d8
--- /dev/null
+++ b/doc/userguide/rules/rfb-keywords.rst
@@ -0,0 +1,56 @@
+RFB Keywords
+============
+
+The ``rfb.name`` and ``rfb.sectype`` keywords can be used for matching on various properties of
+RFB (Remote Framebuffer, i.e. VNC) handshakes.
+
+
+rfb.name
+--------
+
+Match on the value of the RFB desktop name field.
+
+Examples::
+
+ rfb.name; content:"Alice's desktop";
+ rfb.name; pcre:"/.* \(screen [0-9]\)$/";
+
+``rfb.name`` is a 'sticky buffer'.
+
+``rfb.name`` can be used as ``fast_pattern``.
+
+
+rfb.secresult
+-------------
+
+Match on the value of the RFB security result, e.g. ``ok``, ``fail``, ``toomany`` or ``unknown``.
+
+Examples::
+
+ rfb.secresult: ok;
+ rfb.secresult: unknown;
+
+
+rfb.sectype
+-----------
+
+Match on the value of the RFB security type field, e.g. ``2`` for VNC challenge-response authentication, ``0`` for no authentication, and ``30`` for Apple's custom Remote Desktop authentication.
+
+This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
+
+* ``>`` (greater than)
+* ``<`` (less than)
+* ``>=`` (greater than or equal)
+* ``<=`` (less than or equal)
+
+Examples::
+
+ rfb.sectype:2;
+ rfb.sectype:>=3;
+
+
+Additional information
+----------------------
+
+More information on the protocol can be found here:
+`<https://tools.ietf.org/html/rfc6143>`_