8.31. RFB Keywords

The rfb.name and rfb.sectype keywords can be used for matching on various properties of RFB (Remote Framebuffer, i.e. VNC) handshakes.

8.31.1. rfb.name

Match on the value of the RFB desktop name field.

Examples:

rfb.name; content:"Alice's desktop";
rfb.name; pcre:"/.* \(screen [0-9]\)$/";

rfb.name is a 'sticky buffer'.

rfb.name can be used as fast_pattern.

8.31.2. rfb.secresult

Match on the value of the RFB security result, e.g. ok, fail, toomany or unknown.

Examples:

rfb.secresult: ok;
rfb.secresult: unknown;

8.31.3. rfb.sectype

Match on the value of the RFB security type field, e.g. 2 for VNC challenge-response authentication, 0 for no authentication, and 30 for Apple's custom Remote Desktop authentication.

rfb.sectype uses an unsigned 32-bit integer.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

> (greater than)
< (less than)
>= (greater than or equal)
<= (less than or equal)

Examples:

rfb.sectype:2;
rfb.sectype:>=3;

8.31.4. Additional information

More information on the protocol can be found here: https://tools.ietf.org/html/rfc6143