Project

General

Profile

Actions
Copy link

Feature #7095

open

rdp: keywords additions

Added by Peter Manev 3 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

While Suricata generates RDP protocol logs itself , it is often useful to have rdp keywords available so custom signatures can be developed.
Currently we have none.

Interesting use cases can be for keywords , that we already have logging for, can be:
  • rdp client version
  • rdp client name
  • rdp client cookie
  • rdp cleint build
  • rdp client keyboard type
  • rdp x509 serial

The screenshot attached are Kibana visualizations from the regular protocol log (event_type rdp) produced by Suricata

Files

Screenshot from 2024-06-16 17-23-59.png (162 KB) Screenshot from 2024-06-16 17-23-59.png Peter Manev, 06/16/2024 03:25 PM

Related issues 2 (2 open0 closed)

Related to Suricata - Story #6597: rules: impove rules keyword/output parityNewVictor JulienActions
Related to Suricata - Optimization #3304: generic way to register buffers for logging and detectionNewOISF DevActions
Actions
Copy link
 #1

Updated by Jason Ish 3 months ago

  • Related to Story #6597: rules: impove rules keyword/output parity added
Actions
Copy link
 #2

Updated by Philippe Antoine 3 months ago

  • Related to Optimization #3304: generic way to register buffers for logging and detection added
Actions
Copy link
 #3

Updated by Lukas Sismis 3 months ago

Actions
Copy link
 #4

Updated by Lukas Sismis 3 months ago

Actions
Copy link
 #5

Updated by Victor Julien 3 months ago

  • Subject changed from rdp keywords additions to rdp: keywords additions
Actions
Copy link

Also available in: Atom PDF