Feature #7095: rdp: keywords additions - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #7095

open

rdp: keywords additions

Added by Peter Manev 5 months ago. Updated 5 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Effort:

Difficulty:

Label:

Description

While Suricata generates RDP protocol logs itself , it is often useful to have rdp keywords available so custom signatures can be developed.
Currently we have none.

Interesting use cases can be for keywords , that we already have logging for, can be:

rdp client version
rdp client name
rdp client cookie
rdp cleint build
rdp client keyboard type
rdp x509 serial

The screenshot attached are Kibana visualizations from the regular protocol log (event_type rdp) produced by Suricata

Files

Screenshot from 2024-06-16 17-23-59.png (162 KB) Screenshot from 2024-06-16 17-23-59.png

Peter Manev, 06/16/2024 03:25 PM

Related issues 2 (2 open — 0 closed)

History
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #7095

rdp: keywords additions

Updated by Jason Ish 5 months ago

Updated by Philippe Antoine 5 months ago

Updated by Lukas Sismis 5 months ago

Updated by Lukas Sismis 5 months ago

Updated by Victor Julien 5 months ago

	Related to Suricata - Story #6597: rules: improve rules keyword/output parity	New	Victor Julien				Actions
	Related to Suricata - Optimization #3304: generic way to register buffers for logging and detection	New	OISF Dev				Actions