diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 609ed7200c..418ccbb43e 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -55,6 +55,7 @@
@load base/protocols/pop3
@load base/protocols/radius
@load base/protocols/rdp
+@load base/protocols/rfb
@load base/protocols/sip
@load base/protocols/snmp
@load base/protocols/smtp
diff --git a/scripts/base/protocols/rfb/README b/scripts/base/protocols/rfb/README
new file mode 100644
index 0000000000..afe67958a2
--- /dev/null
+++ b/scripts/base/protocols/rfb/README
@@ -0,0 +1 @@
+Support for Remote FrameBuffer analysis. This includes all VNC servers.
\ No newline at end of file
diff --git a/scripts/base/protocols/rfb/__load__.bro b/scripts/base/protocols/rfb/__load__.bro
new file mode 100644
index 0000000000..9e43682d13
--- /dev/null
+++ b/scripts/base/protocols/rfb/__load__.bro
@@ -0,0 +1,3 @@
+# Generated by binpac_quickstart
+@load ./main
+@load-sigs ./dpd.sig
\ No newline at end of file
diff --git a/scripts/base/protocols/rfb/dpd.sig b/scripts/base/protocols/rfb/dpd.sig
new file mode 100644
index 0000000000..40793ad590
--- /dev/null
+++ b/scripts/base/protocols/rfb/dpd.sig
@@ -0,0 +1,12 @@
+signature dpd_rfb_server {
+ ip-proto == tcp
+ payload /^RFB/
+ requires-reverse-signature dpd_rfb_client
+ enable "rfb"
+}
+
+signature dpd_rfb_client {
+ ip-proto == tcp
+ payload /^RFB/
+ tcp-state originator
+}
\ No newline at end of file
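Review bot: Both signatures match on just `payload /^RFB/`, which any TCP stream that happens to begin with those three bytes satisfies, and `dpd_rfb_server` has no `tcp-state responder` to mirror the client's `tcp-state originator`. The parser added in this commit expects `RFB `, three bytes, `.`, three bytes and one trailing byte, so the signature could require the same shape, e.g. `payload /^RFB [0-9][0-9][0-9]\.[0-9][0-9][0-9]\n/`. A tighter match keeps the analyzer from being attached to unrelated traffic on arbitrary ports, which matters because every attached connection produces an rfb.log entry.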
diff --git a/scripts/base/protocols/rfb/main.bro b/scripts/base/protocols/rfb/main.bro
new file mode 100644
index 0000000000..03e39a40f9
--- /dev/null
+++ b/scripts/base/protocols/rfb/main.bro
@@ -0,0 +1,164 @@
+module RFB;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ## Timestamp for when the event happened.
+ ts: time &log;
+ ## Unique ID for the connection.
+ uid: string &log;
+ ## The connection's 4-tuple of endpoint addresses/ports.
+ id: conn_id &log;
+
+ ## Major version of the client.
+ client_major_version: string &log &optional;
+ ## Minor version of the client.
+ client_minor_version: string &log &optional;
+ ## Major version of the server.
+ server_major_version: string &log &optional;
+ ## Major version of the client.
+ server_minor_version: string &log &optional;
+
+ ## Identifier of authentication method used.
+ authentication_method: string &log &optional;
+ ## Whether or not authentication was succesful.
+ auth: bool &log &optional;
+
+ ## Whether the client has an exclusive or a shared session.
+ share_flag: bool &log &optional;
+ ## Name of the screen that is being shared.
+ desktop_name: string &log &optional;
+ ## Width of the screen that is being shared.
+ width: count &log &optional;
+ ## Height of the screen that is being shared.
+ height: count &log &optional;
+
+ ## Internally used value to determine if this connection
+ ## has already been logged.
+ done: bool &default=F;
+ };
+
+ global log_rfb: event(rec: Info);
+}
+
+function friendly_auth_name(auth: count): string
+ {
+ switch (auth) {
+ case 0:
+ return "Invalid";
+ case 1:
+ return "None";
+ case 2:
+ return "VNC";
+ case 16:
+ return "Tight";
+ case 17:
+ return "Ultra";
+ case 18:
+ return "TLS";
+ case 19:
+ return "VeNCrypt";
+ case 20:
+ return "GTK-VNC SASL";
+ case 21:
+ return "MD5 hash authentication";
+ case 22:
+ return "Colin Dean xvp";
+ case 30:
+ return "Apple Remote Desktop";
+ }
+ return "RealVNC";
+}
+
+redef record connection += {
+ rfb: Info &optional;
+};
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]);
+ }
+
+function write_log(c:connection)
+ {
+ local state = c$rfb;
+ if ( state$done )
+ {
+ return;
+ }
+
+ Log::write(RFB::LOG, c$rfb);
+ c$rfb$done = T;
+ }
+
+function set_session(c: connection)
+ {
+ if ( ! c?$rfb )
+ {
+ local info: Info;
+ info$ts = network_time();
+ info$uid = c$uid;
+ info$id = c$id;
+
+ c$rfb = info;
+ }
+ }
+
+event rfb_event(c: connection) &priority=5
+ {
+ set_session(c);
+ }
+
+event rfb_client_version(c: connection, major_version: string, minor_version: string) &priority=5
+ {
+ set_session(c);
+ c$rfb$client_major_version = major_version;
+ c$rfb$client_minor_version = minor_version;
+ }
+
+event rfb_server_version(c: connection, major_version: string, minor_version: string) &priority=5
+ {
+ set_session(c);
+ c$rfb$server_major_version = major_version;
+ c$rfb$server_minor_version = minor_version;
+ }
+
+event rfb_authentication_type(c: connection, authtype: count) &priority=5
+ {
+ set_session(c);
+
+ c$rfb$authentication_method = friendly_auth_name(authtype);
+ }
+
+event rfb_server_parameters(c: connection, name: string, width: count, height: count) &priority=5
+ {
+ set_session(c);
+
+ c$rfb$desktop_name = name;
+ c$rfb$width = width;
+ c$rfb$height = height;
+ }
+
+event rfb_server_parameters(c: connection, name: string, width: count, height: count) &priority=-5
+ {
+ write_log(c);
+ }
+
+event rfb_auth_result(c: connection, result: bool) &priority=5
+ {
+ c$rfb$auth = !result;
+ }
+
+event rfb_share_flag(c: connection, flag: bool) &priority=5
+ {
+ c$rfb$share_flag = flag;
+ }
+
+event connection_state_remove(c: connection) &priority=-5
+ {
+ if ( c?$rfb )
+ {
+ write_log(c);
+ }
+ }
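Review bot: `friendly_auth_name` falls through to `return "RealVNC";` for every value not listed in the switch, so an unassigned or malformed security type is logged in `authentication_method` as if it were a RealVNC scheme. Since analysts will filter on this field, I'd keep `RealVNC` only for the values it is meant to cover and end with `return fmt("unknown-%d", auth);` so the raw number stays visible. Separately, the `rfb_auth_result` and `rfb_share_flag` handlers write to `c$rfb` without the `set_session(c)` call that every other handler makes first. The `##` comment on `server_minor_version` also reads "Major version of the client" and should say "Minor version of the server".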
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 467fce83ee..8c7a3f002e 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -30,6 +30,7 @@ add_subdirectory(pia)
add_subdirectory(pop3)
add_subdirectory(radius)
add_subdirectory(rdp)
+add_subdirectory(rfb)
add_subdirectory(rpc)
add_subdirectory(sip)
add_subdirectory(snmp)
diff --git a/src/analyzer/protocol/rfb/CMakeLists.txt b/src/analyzer/protocol/rfb/CMakeLists.txt
new file mode 100644
index 0000000000..28523bfe2d
--- /dev/null
+++ b/src/analyzer/protocol/rfb/CMakeLists.txt
@@ -0,0 +1,9 @@
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro RFB)
+ bro_plugin_cc(RFB.cc Plugin.cc)
+ bro_plugin_bif(events.bif)
+ bro_plugin_pac(rfb.pac rfb-analyzer.pac rfb-protocol.pac)
+bro_plugin_end()
\ No newline at end of file
diff --git a/src/analyzer/protocol/rfb/Plugin.cc b/src/analyzer/protocol/rfb/Plugin.cc
new file mode 100644
index 0000000000..b3bed0f093
--- /dev/null
+++ b/src/analyzer/protocol/rfb/Plugin.cc
@@ -0,0 +1,23 @@
+#include "plugin/Plugin.h"
+
+#include "RFB.h"
+
+namespace plugin {
+namespace Bro_RFB {
+
+class Plugin : public plugin::Plugin {
+public:
+ plugin::Configuration Configure()
+ {
+ AddComponent(new ::analyzer::Component("RFB",
+ ::analyzer::rfb::RFB_Analyzer::InstantiateAnalyzer));
+
+ plugin::Configuration config;
+ config.name = "Bro::RFB";
+ config.description = "Parser for rfb (VNC) analyzer";
+ return config;
+ }
+} plugin;
+
+}
+}
\ No newline at end of file
diff --git a/src/analyzer/protocol/rfb/RFB.cc b/src/analyzer/protocol/rfb/RFB.cc
new file mode 100644
index 0000000000..2669d6ed56
--- /dev/null
+++ b/src/analyzer/protocol/rfb/RFB.cc
@@ -0,0 +1,67 @@
+#include "RFB.h"
+
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::rfb;
+
+RFB_Analyzer::RFB_Analyzer(Connection* c)
+
+: tcp::TCP_ApplicationAnalyzer("RFB", c)
+
+ {
+ interp = new binpac::RFB::RFB_Conn(this);
+ had_gap = false;
+ }
+
+RFB_Analyzer::~RFB_Analyzer()
+ {
+ delete interp;
+ }
+
+void RFB_Analyzer::Done()
+ {
+ tcp::TCP_ApplicationAnalyzer::Done();
+
+ interp->FlowEOF(true);
+ interp->FlowEOF(false);
+
+ }
+
+void RFB_Analyzer::EndpointEOF(bool is_orig)
+ {
+ tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+ interp->FlowEOF(is_orig);
+ }
+
+void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+ {
+ tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+ assert(TCP());
+ if ( TCP()->IsPartial() )
+ return;
+
+ if ( had_gap )
+ // If only one side had a content gap, we could still try to
+ // deliver data to the other side if the script layer can handle this.
+ return;
+
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
+ }
+
+void RFB_Analyzer::Undelivered(uint64 seq, int len, bool orig)
+ {
+ tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+ had_gap = true;
+ interp->NewGap(orig, len);
+ }
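Review bot: The `catch` block in `DeliverStream` reports `ProtocolViolation` but leaves the analyzer active, so every later segment is still pushed into `interp` even though its state machine may no longer line up with the stream. The handshake cannot be resynchronised once a message has failed to parse, so consider stopping further parsing after the first exception, for example with `SetSkip(true);` after the `ProtocolViolation(...)` call (assuming that helper is available on this analyzer base class). The comment under `if ( had_gap )` also describes what could be done rather than what the code does; `// After any content gap we stop parsing in both directions.` would match the behaviour.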
diff --git a/src/analyzer/protocol/rfb/RFB.h b/src/analyzer/protocol/rfb/RFB.h
new file mode 100644
index 0000000000..88a17eea5a
--- /dev/null
+++ b/src/analyzer/protocol/rfb/RFB.h
@@ -0,0 +1,43 @@
+#ifndef ANALYZER_PROTOCOL_RFB_RFB_H
+#define ANALYZER_PROTOCOL_RFB_RFB_H
+
+#include "events.bif.h"
+
+
+#include "analyzer/protocol/tcp/TCP.h"
+
+#include "rfb_pac.h"
+
+namespace analyzer { namespace rfb {
+
+class RFB_Analyzer
+
+: public tcp::TCP_ApplicationAnalyzer {
+
+public:
+ RFB_Analyzer(Connection* conn);
+ virtual ~RFB_Analyzer();
+
+ // Overriden from Analyzer.
+ virtual void Done();
+
+ virtual void DeliverStream(int len, const u_char* data, bool orig);
+ virtual void Undelivered(uint64 seq, int len, bool orig);
+
+ // Overriden from tcp::TCP_ApplicationAnalyzer.
+ virtual void EndpointEOF(bool is_orig);
+
+
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+ { return new RFB_Analyzer(conn); }
+
+protected:
+ binpac::RFB::RFB_Conn* interp;
+
+ bool had_gap;
+
+};
+
+} } // namespace analyzer::*
+
+#endif
diff --git a/src/analyzer/protocol/rfb/events.bif b/src/analyzer/protocol/rfb/events.bif
new file mode 100644
index 0000000000..4a5bb40121
--- /dev/null
+++ b/src/analyzer/protocol/rfb/events.bif
@@ -0,0 +1,50 @@
+## Generated for RFB event
+##
+## c: The connection record for the underlying transport-layer session/flow.
+event rfb_event%(c: connection%);
+
+## Generated for RFB event authentication mechanism selection
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## authtype: the value of the chosen authentication mechanism
+event rfb_authentication_type%(c: connection, authtype: count%);
+
+## Generated for RFB event authentication result message
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## result: whether or not authentication was succesful
+event rfb_auth_result%(c: connection, result: bool%);
+
+## Generated for RFB event share flag messages
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## flag: whether or not the share flag was set
+event rfb_share_flag%(c: connection, flag: bool%);
+
+## Generated for RFB event client banner message
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## version: of the client's rfb library
+event rfb_client_version%(c: connection, major_version: string, minor_version: string%);
+
+## Generated for RFB event server banner message
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## version: of the server's rfb library
+event rfb_server_version%(c: connection, major_version: string, minor_version: string%);
+
+## Generated for RFB event server parameter message
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## name: name of the shared screen
+##
+## width: width of the shared screen
+##
+## height: height of the shared screen
+event rfb_server_parameters%(c: connection, name: string, width: count, height: count%);
\ No newline at end of file
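Review bot: The doc comment for `rfb_auth_result` says `result` is "whether or not authentication was succesful", but the analyzer passes the raw SecurityResult word (0 is the value `handle_security_result` treats as success) and main.bro stores `!result`, so the flag as delivered is true on failure. I'd either reword it to `## result: T if the server reported an authentication failure, F on success.` or invert the value before the event is raised so the name and the meaning agree. The `rfb_client_version` and `rfb_server_version` comments document a single `version` parameter while the signatures take `major_version` and `minor_version`; each parameter should get its own `##` line.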
diff --git a/src/analyzer/protocol/rfb/rfb-analyzer.pac b/src/analyzer/protocol/rfb/rfb-analyzer.pac
new file mode 100644
index 0000000000..b63b9f4085
--- /dev/null
+++ b/src/analyzer/protocol/rfb/rfb-analyzer.pac
@@ -0,0 +1,199 @@
+refine flow RFB_Flow += {
+ function proc_rfb_message(msg: RFB_PDU): bool
+ %{
+ BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
+ return true;
+ %}
+
+ function proc_rfb_version(client: bool, major: bytestring, minor: bytestring) : bool
+ %{
+ if (client)
+ {
+ BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
+
+ connection()->bro_analyzer()->ProtocolConfirmation();
+ }
+ else
+ {
+ BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
+ }
+ return true;
+ %}
+
+ function proc_rfb_share_flag(shared: bool) : bool
+ %{
+ BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared);
+ return true;
+ %}
+
+ function proc_security_types(msg: RFBSecurityTypes) : bool
+ %{
+ BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype});
+ return true;
+ %}
+
+ function proc_security_types37(msg: RFBAuthTypeSelected) : bool
+ %{
+ BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type});
+ return true;
+ %}
+
+ function proc_handle_server_params(msg:RFBServerInit) : bool
+ %{
+ BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height});
+ return true;
+ %}
+
+ function proc_handle_security_result(result : uint32) : bool
+ %{
+ BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
+ return true;
+ %}
+};
+
+refine connection RFB_Conn += {
+ %member{
+ enum states {
+ AWAITING_SERVER_BANNER = 0,
+ AWAITING_CLIENT_BANNER = 1,
+ AWAITING_SERVER_AUTH_TYPES = 2,
+ AWAITING_SERVER_CHALLENGE = 3,
+ AWAITING_CLIENT_RESPONSE = 4,
+ AWAITING_SERVER_AUTH_RESULT = 5,
+ AWAITING_CLIENT_SHARE_FLAG = 6,
+ AWAITING_SERVER_PARAMS = 7,
+ AWAITING_CLIENT_AUTH_METHOD = 8,
+ AWAITING_SERVER_ARD_CHALLENGE = 9,
+ AWAITING_CLIENT_ARD_RESPONSE = 10,
+ AWAITING_SERVER_AUTH_TYPES37 = 11,
+ AWAITING_CLIENT_AUTH_TYPE_SELECTED37 = 12,
+ RFB_MESSAGE = 13
+ };
+ %}
+
+ function get_state(client: bool) : int
+ %{
+ return state;
+ %}
+
+ function handle_banners(client: bool, msg: RFBProtocolVersion) : bool
+ %{
+ if ( client )
+ {
+ // Set protocol version on client's version
+ int minor_version = bytestring_to_int(${msg.minor},10);
+ version = minor_version;
+
+ // Apple specifies minor version "889" but talks v37
+ if ( minor_version >= 7 )
+ state = AWAITING_SERVER_AUTH_TYPES37;
+ else
+ state = AWAITING_SERVER_AUTH_TYPES;
+ }
+ else
+ state = AWAITING_CLIENT_BANNER;
+
+ return true;
+ %}
+
+ function handle_ard_challenge() : bool
+ %{
+ state = AWAITING_CLIENT_ARD_RESPONSE;
+ return true;
+ %}
+
+ function handle_ard_response() : bool
+ %{
+ state = AWAITING_SERVER_AUTH_RESULT;
+ return true;
+ %}
+
+ function handle_auth_request() : bool
+ %{
+ state = AWAITING_CLIENT_RESPONSE;
+ return true;
+ %}
+
+ function handle_auth_response() : bool
+ %{
+ state = AWAITING_SERVER_AUTH_RESULT;
+ return true;
+ %}
+
+ function handle_security_result(msg: RFBSecurityResult) : bool
+ %{
+ if ( ${msg.result} == 0 )
+ {
+ state = AWAITING_CLIENT_SHARE_FLAG;
+ }
+ return true;
+ %}
+
+ function handle_client_init(msg: RFBClientInit) : bool
+ %{
+ state = AWAITING_SERVER_PARAMS;
+ return true;
+ %}
+
+ function handle_server_init(msg: RFBServerInit) : bool
+ %{
+ state = RFB_MESSAGE;
+ return true;
+ %}
+
+ function handle_security_types(msg: RFBSecurityTypes): bool
+ %{
+ if ( msg->sectype() == 0 )
+ { // No auth
+ state = AWAITING_CLIENT_SHARE_FLAG;
+ return true;
+ }
+
+ if ( msg->sectype() == 2 )
+ { //VNC
+ state = AWAITING_SERVER_CHALLENGE;
+ }
+ return true;
+ %}
+
+ function handle_security_types37(msg: RFBSecurityTypes37): bool
+ %{
+ if ( ${msg.count} == 0 )
+ { // No auth
+ state = AWAITING_CLIENT_SHARE_FLAG;
+ return true;
+ }
+ state = AWAITING_CLIENT_AUTH_TYPE_SELECTED37;
+ return true;
+ %}
+
+ function handle_auth_type_selected(msg: RFBAuthTypeSelected): bool
+ %{
+ if ( ${msg.type} == 30 )
+ { // Apple Remote Desktop
+ state = AWAITING_SERVER_ARD_CHALLENGE;
+ return true;
+ }
+
+ if ( ${msg.type} == 1 )
+ {
+ if ( version > 7 )
+ state = AWAITING_SERVER_AUTH_RESULT;
+ else
+ state = AWAITING_CLIENT_SHARE_FLAG;
+ }
+ else
+ state = AWAITING_SERVER_CHALLENGE;
+
+ return true;
+ %}
+
+ %member{
+ uint8 state = AWAITING_SERVER_BANNER;
+ int version = 0;
+ %}
+};
+
+refine typeattr RFB_PDU += &let {
+ proc: bool = $context.flow.proc_rfb_message(this);
+};
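Review bot: `handle_security_types` treats `sectype() == 0` as "No auth" and moves to `AWAITING_CLIENT_SHARE_FLAG`, but `friendly_auth_name` in main.bro maps 0 to "Invalid" and 1 to "None", and `handle_auth_type_selected` in this same file also uses 1 for the no-authentication case. As written, a pre-3.7 session with type 1 matches neither branch and leaves `state` at `AWAITING_SERVER_AUTH_TYPES`, so the share flag and server parameters of an unauthenticated session, the ones a defender most wants logged, would apparently not be parsed. I'd change the test to `if ( msg->sectype() == 1 )` with the comment `// None` and handle 0 as a failed handshake; the `count == 0` branch in `handle_security_types37` carries the same "No auth" comment and deserves the same check. `get_state(client)` also ignores its argument, which is worth a comment stating that both directions share one state variable.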
diff --git a/src/analyzer/protocol/rfb/rfb-protocol.pac b/src/analyzer/protocol/rfb/rfb-protocol.pac
new file mode 100644
index 0000000000..764046e747
--- /dev/null
+++ b/src/analyzer/protocol/rfb/rfb-protocol.pac
@@ -0,0 +1,139 @@
+enum states {
+ AWAITING_SERVER_BANNER = 0,
+ AWAITING_CLIENT_BANNER = 1,
+ AWAITING_SERVER_AUTH_TYPES = 2,
+ AWAITING_SERVER_CHALLENGE = 3,
+ AWAITING_CLIENT_RESPONSE = 4,
+ AWAITING_SERVER_AUTH_RESULT = 5,
+ AWAITING_CLIENT_SHARE_FLAG = 6,
+ AWAITING_SERVER_PARAMS = 7,
+ AWAITING_CLIENT_AUTH_METHOD = 8,
+ AWAITING_SERVER_ARD_CHALLENGE = 9,
+ AWAITING_CLIENT_ARD_RESPONSE = 10,
+ AWAITING_SERVER_AUTH_TYPES37 = 11,
+ AWAITING_CLIENT_AUTH_TYPE_SELECTED37 = 12,
+ RFB_MESSAGE = 13
+ };
+
+type RFBProtocolVersion (client: bool) = record {
+ header: "RFB ";
+ major: bytestring &length=3;
+ dot: ".";
+ minor: bytestring &length=3;
+ pad: uint8;
+} &let {
+ proc: bool = $context.connection.handle_banners(client, this);
+ proc2: bool = $context.flow.proc_rfb_version(client, major, minor);
+}
+
+type RFBSecurityTypes = record {
+ sectype: uint32;
+} &let {
+ proc: bool = $context.connection.handle_security_types(this);
+ proc2: bool = $context.flow.proc_security_types(this);
+};
+
+type RFBSecurityTypes37 = record {
+ count: uint8;
+ types: uint8[count];
+} &let {
+ proc: bool = $context.connection.handle_security_types37(this);
+};
+
+type RFBAuthTypeSelected = record {
+ type: uint8;
+} &let {
+ proc: bool = $context.connection.handle_auth_type_selected(this);
+ proc2: bool = $context.flow.proc_security_types37(this);
+};
+
+type RFBSecurityResult = record {
+ result: uint32;
+} &let {
+ proc: bool = $context.connection.handle_security_result(this);
+ proc2: bool = $context.flow.proc_handle_security_result(result);
+};
+
+type RFBSecurityResultReason = record {
+ len: uint32;
+ reason: bytestring &length=len;
+};
+
+type RFBVNCAuthenticationRequest = record {
+ challenge: bytestring &length=16;
+} &let {
+ proc: bool = $context.connection.handle_auth_request();
+};
+
+type RFBVNCAuthenticationResponse = record {
+ response: bytestring &length= 16;
+} &let {
+ proc: bool = $context.connection.handle_auth_response();
+};
+
+type RFBSecurityARDChallenge = record {
+ challenge: bytestring &restofdata;
+} &let {
+ proc: bool = $context.connection.handle_ard_challenge();
+}
+
+type RFBSecurityARDResponse = record {
+ response: bytestring &restofdata;
+} &let {
+ proc: bool = $context.connection.handle_ard_response();
+}
+
+type RFBClientInit = record {
+ shared_flag: uint8;
+} &let {
+ proc: bool = $context.connection.handle_client_init(this);
+ proc2: bool = $context.flow.proc_rfb_share_flag(shared_flag);
+}
+
+type RFBServerInit = record {
+ width: uint16;
+ height: uint16;
+ pixel_format: bytestring &length= 16;
+ len : uint32;
+ name: bytestring &length = len;
+} &let {
+ proc: bool = $context.connection.handle_server_init(this);
+ proc2: bool = $context.flow.proc_handle_server_params(this);
+};
+
+type RFB_PDU_request = record {
+ request: case state of {
+ AWAITING_CLIENT_BANNER -> version: RFBProtocolVersion(true);
+ AWAITING_CLIENT_RESPONSE -> response: RFBVNCAuthenticationResponse;
+ AWAITING_CLIENT_SHARE_FLAG -> shareflag: RFBClientInit;
+ AWAITING_CLIENT_AUTH_TYPE_SELECTED37 -> authtype: RFBAuthTypeSelected;
+ AWAITING_CLIENT_ARD_RESPONSE -> ard_response: RFBSecurityARDResponse;
+ RFB_MESSAGE -> ignore: bytestring &restofdata &transient;
+ default -> data: bytestring &restofdata &transient;
+ } &requires(state);
+ } &let {
+ state: uint8 = $context.connection.get_state(true);
+};
+
+type RFB_PDU_response = record {
+ request: case rstate of {
+ AWAITING_SERVER_BANNER -> version: RFBProtocolVersion(false);
+ AWAITING_SERVER_AUTH_TYPES -> auth_types: RFBSecurityTypes;
+ AWAITING_SERVER_AUTH_TYPES37 -> auth_types37: RFBSecurityTypes37;
+ AWAITING_SERVER_CHALLENGE -> challenge: RFBVNCAuthenticationRequest;
+ AWAITING_SERVER_AUTH_RESULT -> authresult : RFBSecurityResult;
+ AWAITING_SERVER_ARD_CHALLENGE -> ard_challenge: RFBSecurityARDChallenge;
+ AWAITING_SERVER_PARAMS -> serverinit: RFBServerInit;
+ RFB_MESSAGE -> ignore: bytestring &restofdata &transient;
+ default -> data: bytestring &restofdata &transient;
+ } &requires(rstate);
+ } &let {
+ rstate: uint8 = $context.connection.get_state(false);
+};
+
+type RFB_PDU(is_orig: bool) = record {
+ payload: case is_orig of {
+ true -> request: RFB_PDU_request;
+ false -> response: RFB_PDU_response;
+ };
+} &byteorder = bigendian;
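Review bot: `RFBSecurityResultReason` is declared but no case in `RFB_PDU_response` selects it, and `handle_security_result` leaves the state unchanged on a non-zero result, so the bytes a server sends after a failed authentication appear to be parsed as another `RFBSecurityResult`. If wiring it up is out of scope for this commit, mark it in place, e.g. `# TODO: not referenced by RFB_PDU_response yet; failure reasons are not parsed.` Two smaller points: `RFBServerInit.name` and `RFBSecurityResultReason.reason` take their size from a peer-supplied 32-bit `len` with no upper bound, which deserves an explicit cap before `name` reaches `desktop_name` in the log. The `enum states` list also duplicates the one in rfb-analyzer.pac, so the two have to be kept in sync by hand.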
diff --git a/src/analyzer/protocol/rfb/rfb.pac b/src/analyzer/protocol/rfb/rfb.pac
new file mode 100644
index 0000000000..2e88f8e5bb
--- /dev/null
+++ b/src/analyzer/protocol/rfb/rfb.pac
@@ -0,0 +1,30 @@
+# Analyzer for Parser for rfb (VNC)
+# - rfb-protocol.pac: describes the rfb protocol messages
+# - rfb-analyzer.pac: describes the rfb analyzer code
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+ #include "events.bif.h"
+%}
+
+analyzer RFB withcontext {
+ connection: RFB_Conn;
+ flow: RFB_Flow;
+};
+
+# Our connection consists of two flows, one in each direction.
+connection RFB_Conn(bro_analyzer: BroAnalyzer) {
+ upflow = RFB_Flow(true);
+ downflow = RFB_Flow(false);
+};
+
+%include rfb-protocol.pac
+
+# Now we define the flow:
+flow RFB_Flow(is_orig: bool) {
+ datagram = RFB_PDU(is_orig) withcontext(connection, this);
+};
+
+%include rfb-analyzer.pac
\ No newline at end of file
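Review bot: `RFB_Flow` is declared with `datagram = RFB_PDU(is_orig)`, which as far as I know makes binpac parse every `NewData` call as one complete PDU with no buffering between calls. RFB runs over TCP, so a handshake message split across two segments, or two messages delivered in one, would be misparsed and the state machine in rfb-analyzer.pac would drift, leaving rfb.log incomplete or wrong for sessions that are segmented unusually. A `flowunit` declaration would give stream semantics, but the `&restofdata` fields in rfb-protocol.pac would first need explicit lengths. At minimum I'd document the limitation above the flow: `# NOTE: datagram mode assumes exactly one RFB message per TCP segment.`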
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 4d1f2037a4..6202ef3b6e 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
-#open 2015-08-31-04-50-43
+#open 2016-04-12-20-52-34
#fields name
#types string
scripts/base/init-bare.bro
@@ -92,6 +92,7 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro
build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro
build/scripts/base/bif/plugins/Bro_RDP.types.bif.bro
+ build/scripts/base/bif/plugins/Bro_RFB.events.bif.bro
build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
build/scripts/base/bif/plugins/Bro_SIP.events.bif.bro
build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
@@ -128,4 +129,4 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
scripts/policy/misc/loaded-scripts.bro
scripts/base/utils/paths.bro
-#close 2015-08-31-04-50-43
+#close 2016-04-12-20-52-34
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 85fe19eb96..cede55a98e 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
-#open 2016-02-17-20-30-50
+#open 2016-04-12-20-52-45
#fields name
#types string
scripts/base/init-bare.bro
@@ -92,6 +92,7 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro
build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro
build/scripts/base/bif/plugins/Bro_RDP.types.bif.bro
+ build/scripts/base/bif/plugins/Bro_RFB.events.bif.bro
build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
build/scripts/base/bif/plugins/Bro_SIP.events.bif.bro
build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
@@ -270,6 +271,8 @@ scripts/base/init-default.bro
scripts/base/protocols/rdp/__load__.bro
scripts/base/protocols/rdp/consts.bro
scripts/base/protocols/rdp/main.bro
+ scripts/base/protocols/rfb/__load__.bro
+ scripts/base/protocols/rfb/main.bro
scripts/base/protocols/sip/__load__.bro
scripts/base/protocols/sip/main.bro
scripts/base/protocols/snmp/__load__.bro
@@ -297,4 +300,4 @@ scripts/base/init-default.bro
scripts/base/misc/find-checksum-offloading.bro
scripts/base/misc/find-filtered-trace.bro
scripts/policy/misc/loaded-scripts.bro
-#close 2016-02-17-20-30-50
+#close 2016-04-12-20-52-45
diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out
index 0b2a9445c1..9619ebb4b9 100644
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@@ -34,6 +34,7 @@ pe
radius
rdp
reporter
+rfb
signatures
sip
smtp
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 25808a20d8..e9b5c41650 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -174,6 +174,7 @@
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=packet_filter, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=radius, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rdp, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
+0.000000 MetaHookPost CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
@@ -213,6 +214,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) ->
+0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) ->
@@ -228,7 +230,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1457718658.75999, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1460494592.785314, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) ->
@@ -253,6 +255,7 @@
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (PacketFilter::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (RADIUS::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (RDP::LOG)) ->
+0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (RFB::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Reporter::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SIP::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMTP::LOG)) ->
@@ -292,6 +295,7 @@
0.000000 MetaHookPost CallFunction(Log::add_filter, , (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
+0.000000 MetaHookPost CallFunction(Log::add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) ->
@@ -331,6 +335,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) ->
+0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) ->
@@ -346,7 +351,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1457718658.75999, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1460494592.785314, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -431,6 +436,7 @@
0.000000 MetaHookPost LoadFile(./Bro_RADIUS.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_RDP.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_RDP.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(./Bro_RFB.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_RPC.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_RawReader.raw.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_SIP.events.bif.bro) -> -1
@@ -605,6 +611,7 @@
0.000000 MetaHookPost LoadFile(base<...>/rdp) -> -1
0.000000 MetaHookPost LoadFile(base<...>/reporter) -> -1
0.000000 MetaHookPost LoadFile(base<...>/reporter.bif) -> -1
+0.000000 MetaHookPost LoadFile(base<...>/rfb) -> -1
0.000000 MetaHookPost LoadFile(base<...>/signatures) -> -1
0.000000 MetaHookPost LoadFile(base<...>/sip) -> -1
0.000000 MetaHookPost LoadFile(base<...>/site) -> -1
@@ -805,6 +812,7 @@
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=packet_filter, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=radius, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rdp, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
+0.000000 MetaHookPre CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
@@ -844,6 +852,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp]))
+0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]))
@@ -859,7 +868,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1457718658.75999, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1460494592.785314, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG))
@@ -884,6 +893,7 @@
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (PacketFilter::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (RADIUS::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (RDP::LOG))
+0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (RFB::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Reporter::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SIP::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMTP::LOG))
@@ -923,6 +933,7 @@
0.000000 MetaHookPre CallFunction(Log::add_filter, , (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::add_filter, , (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::add_filter, , (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
+0.000000 MetaHookPre CallFunction(Log::add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]))
@@ -962,6 +973,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp]))
+0.000000 MetaHookPre CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]))
@@ -977,7 +989,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write,