File: rfb-keywords.rst

RFB Keywords
============

The ``rfb.name``, ``rfb.secresult`` and ``rfb.sectype`` keywords can be used for matching on various properties of
RFB (Remote Framebuffer, i.e. VNC) handshakes.


rfb.name
--------

Match on the value of the RFB desktop name field.

Examples::

  rfb.name; content:"Alice's desktop";
  rfb.name; pcre:"/.* \(screen [0-9]\)$/";

``rfb.name`` is a 'sticky buffer'.

``rfb.name`` can be used as ``fast_pattern``.


rfb.secresult
-------------

Match on the value of the RFB security result, e.g. ``ok``, ``fail``, ``toomany`` or ``unknown``.

``rfb.secresult`` uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.

Examples::

  rfb.secresult: ok;
  rfb.secresult: !0;
  rfb.secresult: unknown;


rfb.sectype
-----------

Match on the value of the RFB security type field, e.g. ``2`` for VNC challenge-response authentication, ``0`` for no authentication, and ``30`` for Apple's custom Remote Desktop authentication.

``rfb.sectype`` uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

* ``>`` (greater than)
* ``<`` (less than)
* ``>=`` (greater than or equal)
* ``<=`` (less than or equal)

Examples::

  rfb.sectype:2;
  rfb.sectype:>=3;
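
The three keywords above match on fields that sit at fixed positions in the RFB 3.8 handshake (RFC 6143 sections 7.1 and 7.3): the security type the client selects, the server's SecurityResult, and the desktop name carried in ServerInit. The following Python is an added example, not part of the Suricata documentation or source. It builds a constructed handshake (both directions), decodes exactly those fields, and evaluates conditions equivalent to the ``rfb.name``, ``rfb.secresult`` and ``rfb.sectype`` examples on this page. The function names, the sample streams and the ``toomany`` = 2 mapping (taken from the RFB 3.3 specification; RFC 6143 itself defines only 0 and 1) are this example's own assumptions. Only security types ``0`` and ``2`` are walked, because the length of the authentication exchange for other types is not known to this decoder.

```python
"""Decode the RFB (VNC) handshake fields that Suricata's rfb.* keywords match on.

Added example, not Suricata code. Handshake layout follows RFC 6143 (RFB 3.8).
"""
import re
import struct

# Security types (RFC 6143 section 7.1.2). 30 (Apple Remote Desktop) is named on
# the page but its authentication exchange is not decoded here.
SECTYPE_NONE = 0
SECTYPE_VNC_AUTH = 2

# SecurityResult: 0 and 1 per RFC 6143 section 7.1.3; 2 ("too many") per RFB 3.3.
# Names mirror the page's ok / fail / toomany / unknown (assumed mapping).
SECRESULT_NAMES = {0: "ok", 1: "fail", 2: "toomany"}

VERSION_LEN = 12  # b"RFB 003.008\n" in each direction


def decode_handshake(server_stream: bytes, client_stream: bytes) -> dict:
    """Return the sectype, secresult and desktop name from a captured handshake.

    The VNC-auth challenge/response (16 bytes each way) is skipped, not verified.
    The desktop name is only present when the server reported SecurityResult ok.
    """
    s, c = VERSION_LEN, VERSION_LEN
    # Server offers its security types: U8 count, then U8[count]
    count = server_stream[s]
    s += 1
    offered = list(server_stream[s:s + count])
    s += count
    # Client selects one: U8 (this is the value rfb.sectype matches)
    sectype = client_stream[c]
    c += 1
    if sectype == SECTYPE_VNC_AUTH:
        s += 16  # server challenge
        c += 16  # client response
    elif sectype != SECTYPE_NONE:
        raise NotImplementedError(f"security type {sectype} not decoded here")
    # SecurityResult: U32 big-endian (the value rfb.secresult matches)
    (secresult,) = struct.unpack_from(">I", server_stream, s)
    s += 4
    fields = {"offered": offered, "sectype": sectype, "secresult": secresult,
              "secresult_name": SECRESULT_NAMES.get(secresult, "unknown"),
              "name": None}
    if secresult != 0:
        return fields  # no ServerInit after a failed handshake
    # ClientInit: U8 shared-flag; ServerInit: U16 w, U16 h, 16-byte PIXEL_FORMAT,
    # U32 name-length, then the desktop name (the buffer rfb.name matches)
    c += 1
    s += 4 + 16
    (name_len,) = struct.unpack_from(">I", server_stream, s)
    s += 4
    fields["name"] = server_stream[s:s + name_len].decode("latin-1")
    return fields


def matching_rules(fields: dict) -> list:
    """Evaluate conditions equivalent to the keyword examples on this page."""
    hits = []
    if fields["sectype"] == SECTYPE_NONE:          # rfb.sectype:0;
        hits.append("rfb.sectype:0")
    if fields["sectype"] >= 3:                     # rfb.sectype:>=3;
        hits.append("rfb.sectype:>=3")
    if fields["secresult"] != 0:                   # rfb.secresult: !0;
        hits.append("rfb.secresult:!0")
    name = fields["name"]
    if name is not None and re.search(r".* \(screen [0-9]\)$", name):
        hits.append("rfb.name pcre")               # rfb.name; pcre:"/.* \(screen [0-9]\)$/";
    return hits


def build_sample(sectype: int, secresult: int, name: str) -> tuple:
    """Construct a (server->client, client->server) handshake pair for testing."""
    server = b"RFB 003.008\n" + bytes([2, SECTYPE_NONE, SECTYPE_VNC_AUTH])
    client = b"RFB 003.008\n" + bytes([sectype])
    if sectype == SECTYPE_VNC_AUTH:
        server += b"\x11" * 16   # constructed challenge
        client += b"\x22" * 16   # constructed response
    server += struct.pack(">I", secresult)
    if secresult == 0:
        client += b"\x01"        # shared-flag
        name_b = name.encode("latin-1")
        server += struct.pack(">HH", 1024, 768) + b"\x00" * 16
        server += struct.pack(">I", len(name_b)) + name_b
    return server, client


if __name__ == "__main__":
    for args in ((SECTYPE_NONE, 0, "Alice's desktop (screen 1)"),
                 (SECTYPE_VNC_AUTH, 1, "unused")):
        f = decode_handshake(*build_sample(*args))
        print(f["sectype"], f["secresult_name"], f["name"], matching_rules(f))
```

Run stand-alone, the first constructed handshake (no authentication, a name ending in ``(screen 1)``) triggers the ``rfb.sectype:0`` and ``rfb.name`` conditions, while the second (VNC auth, SecurityResult fail) triggers only ``rfb.secresult:!0`` and carries no desktop name. In a real rule the same ``rfb.sectype:0`` test would appear as the option of a full signature, e.g. ``alert tcp any any -> any any (msg:"RFB session with no authentication"; rfb.sectype:0; sid:1000001; rev:1;)``, where the ``sid`` is a placeholder to be replaced with one from your own range.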


Additional information
----------------------

More information on the protocol can be found here:
`<https://tools.ietf.org/html/rfc6143>`_