git.ipfire.org Git - thirdparty/suricata.git/commit

]> git.ipfire.org Git - thirdparty/suricata.git/commit

projects / thirdparty / suricata.git / commit

author	Frank Honza <frank.honza@dcso.de>
	Fri, 7 Feb 2020 12:22:17 +0000 (13:22 +0100)
committer	Victor Julien <victor@inliniac.net>
	Thu, 19 Mar 2020 16:59:27 +0000 (17:59 +0100)
commit	1c8943dedd0042acdd86e825fe4f145bf93d1bec
tree	330688ba84cd5aa24a0ebf2f68e8cb0561baaa00	tree
parent	b4d75b7448e98a4bc202874339db92667315e222	commit \| diff

add RFB parser

This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:

- rfb.name: Session name as sticky buffer
- rfb.sectype: Security type, e.g. VNC-style challenge-response
- rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...

The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.

We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.

31 files changed:

doc/userguide/output/eve/eve-json-format.rst		diff \| blob \| blame \| history
doc/userguide/rules/index.rst		diff \| blob \| blame \| history
doc/userguide/rules/rfb-keywords.rst	[new file with mode: 0644]	blob
rust/src/lib.rs		diff \| blob \| blame \| history
rust/src/rfb/detect.rs	[new file with mode: 0644]	blob
rust/src/rfb/logger.rs	[new file with mode: 0644]	blob
rust/src/rfb/mod.rs	[new file with mode: 0644]	blob
rust/src/rfb/parser.rs	[new file with mode: 0644]	blob
rust/src/rfb/rfb.rs	[new file with mode: 0644]	blob
src/Makefile.am		diff \| blob \| blame \| history
src/app-layer-detect-proto.c		diff \| blob \| blame \| history
src/app-layer-parser.c		diff \| blob \| blame \| history
src/app-layer-protos.c		diff \| blob \| blame \| history
src/app-layer-protos.h		diff \| blob \| blame \| history
src/app-layer-rfb.c	[new file with mode: 0644]	blob
src/app-layer-rfb.h	[new file with mode: 0644]	blob
src/detect-engine-register.c		diff \| blob \| blame \| history
src/detect-engine-register.h		diff \| blob \| blame \| history
src/detect-rfb-name.c	[new file with mode: 0644]	blob
src/detect-rfb-name.h	[new file with mode: 0644]	blob
src/detect-rfb-secresult.c	[new file with mode: 0644]	blob
src/detect-rfb-secresult.h	[new file with mode: 0644]	blob
src/detect-rfb-sectype.c	[new file with mode: 0644]	blob
src/detect-rfb-sectype.h	[new file with mode: 0644]	blob
src/output-json-alert.c		diff \| blob \| blame \| history
src/output-json-rfb.c	[new file with mode: 0644]	blob
src/output-json-rfb.h	[new file with mode: 0644]	blob
src/output.c		diff \| blob \| blame \| history
src/suricata-common.h		diff \| blob \| blame \| history
src/util-profiling.c		diff \| blob \| blame \| history
suricata.yaml.in		diff \| blob \| blame \| history

Mirror of https://github.com/OISF/suricata.git

RSS Atom