6.27. RFB Keywords
rfb.sectype keywords can be used for matching on various properties of
RFB (Remote Framebuffer, i.e. VNC) handshakes.
Match on the value of the RFB desktop name field.
rfb.name; content:"Alice's desktop";
rfb.name; pcre:"/.* \(screen [0-9]\)$/";
rfb.name is a ‘sticky buffer’.
rfb.name can be used as
Match on the value of the RFB security result, e.g.
rfb.secresult: ok;
rfb.secresult: unknown;
Match on the value of the RFB security type field, e.g.
2 for VNC challenge-response authentication,
0 for no authentication, and
30 for Apple’s custom Remote Desktop authentication.
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
>= (greater than or equal)
<= (less than or equal)
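
To show where the fields behind these keywords sit on the wire, the following added example (not part of the Suricata documentation or code base) walks both directions of an RFB 3.8 handshake that uses security type 2 and extracts the security type, security result and desktop name. The message layout is assumed from RFC 6143, the function names are hypothetical, and the handshake bytes are constructed rather than captured.

```python
import struct

VERSION = b"RFB 003.008\n"  # 12-byte ProtocolVersion message

def parse_rfb38_vnc_auth(server: bytes, client: bytes) -> dict:
    """Pull security type, security result and desktop name out of the two
    directions of an RFB 3.8 handshake that uses VNC authentication (type 2)."""
    if not (server.startswith(VERSION) and client.startswith(VERSION)):
        raise ValueError("not an RFB 3.8 handshake")
    s = c = len(VERSION)                  # read offsets, one per direction
    count = server[s]                     # server: number of offered types
    offered = server[s + 1:s + 1 + count]
    s += 1 + count
    sectype = client[c]                   # client: the type it selected
    c += 1
    if sectype != 2 or sectype not in offered:
        raise ValueError("only security type 2 is handled here")
    s += 16                               # server: 16-byte challenge
    c += 16                               # client: 16-byte response
    (secresult,) = struct.unpack_from(">I", server, s)  # 0 means OK
    s += 4
    fields = {"sectype": sectype, "secresult": secresult, "name": None}
    if secresult != 0:
        return fields                     # failed auth: no ServerInit follows
    # ServerInit: width u16, height u16, 16-byte pixel format, u32 name length
    s += 2 + 2 + 16
    (name_len,) = struct.unpack_from(">I", server, s)
    s += 4
    name = server[s:s + name_len]
    if len(name) != name_len:
        raise ValueError("truncated desktop name")
    fields["name"] = name.decode("latin-1")
    return fields

def build_sample(secresult: int, name: bytes = b"") -> tuple:
    """Constructed handshake bytes (not a real capture)."""
    server = VERSION + bytes([1, 2]) + bytes(16) + struct.pack(">I", secresult)
    if secresult == 0:
        server += struct.pack(">HH", 1024, 768) + bytes(16)
        server += struct.pack(">I", len(name)) + name
    client = VERSION + bytes([2]) + bytes(16) + b"\x01"  # ends with ClientInit
    return server, client

if __name__ == "__main__":
    print(parse_rfb38_vnc_auth(*build_sample(0, b"Alice's desktop")))
    print(parse_rfb38_vnc_auth(*build_sample(1)))
```
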