8.30. RFB Keywords
The rfb.name
and rfb.sectype
keywords can be used for matching on various properties of
RFB (Remote Framebuffer, i.e. VNC) handshakes.
8.30.1. rfb.name
Match on the value of the RFB desktop name field.
Examples:
rfb.name; content:"Alice's desktop";
rfb.name; pcre:"/.* \(screen [0-9]\)$/";
rfb.name
is a 'sticky buffer'.
rfb.name
can be used as fast_pattern
.
8.30.2. rfb.secresult
Match on the value of the RFB security result, e.g. ok
, fail
, toomany
or unknown
.
rfb.secresult uses an unsigned 32-bit integer.
Examples:
rfb.secresult: ok;
rfb.secresult: !0;
rfb.secresult: unknown;
8.30.3. rfb.sectype
Match on the value of the RFB security type field, e.g. 2
for VNC challenge-response authentication, 0
for no authentication, and 30
for Apple's custom Remote Desktop authentication.
rfb.sectype uses an unsigned 32-bit integer.
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
>
(greater than)<
(less than)>=
(greater than or equal)<=
(less than or equal)
Examples:
rfb.sectype:2;
rfb.sectype:>=3;
8.30.4. Additional information
More information on the protocol can be found here: https://tools.ietf.org/html/rfc6143