diff --git a/contrib/parsers/bro_rfb b/contrib/parsers/bro_rfb
new file mode 100644
index 0000000..f230b8e
--- /dev/null
+++ b/contrib/parsers/bro_rfb
@@ -0,0 +1,43 @@
+
+ bro_rfb
+
+
+
+ @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING:s5:|@@ESTRING:i4:|@@ESTRING:i5:@
+
+
+
+ 1484079685.745596|Cjoynh4xFlb9GzUNv9|192.168.2.115|52353|192.168.2.16|5900|003|889|003|889|Apple Remote Desktop|T|T|\x00\x00\x00\x00\x00\x02\xbf\xfe\xe7\x03\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00MacMini SSD|1920|1080
+
+
+
+ 192.168.2.115
+
+ 52353
+
+ 192.168.2.16
+
+ 5900
+
+ 003
+
+ 889
+
+ 003
+
+ 889
+
+ Apple Remote Desktop
+
+
+
+ \x00\x00\x00\x00\x00\x02\xbf\xfe\xe7\x03\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00MacMini SSD
+
+ 1920
+
+ 1080
+
+
+
+
+
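Review bot: The two anonymous `@ESTRING::|@` parsers between `s4` and `s5` (the `T|T` columns in the sample line) discard what appear to be Bro's `auth` and `share_flag` booleans, so whether the RFB session actually authenticated is never stored, and that is the field an analyst reviewing exposed VNC would want to filter on. It looks like all six `s` and six `i` slots are already taken, so capturing it would mean trading away another column (a minor-version string is the obvious candidate), which is a design choice worth stating. At minimum add a comment in the pattern file naming the skipped columns in order, e.g. `<!-- skipped: ts, uid (cols 1-2); auth, share_flag (cols 12-13) -->`, so the next maintainer can see the mapping without re-deriving it from the sample line. The sample's `desktop_name` also carries raw `\x00…` escapes from Bro; confirm the QSTRING field stores them as-is rather than truncating at the first NUL.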
diff --git a/contrib/securityonion-syslog-ng.conf b/contrib/securityonion-syslog-ng.conf
index 6f88498..496ca67 100644
--- a/contrib/securityonion-syslog-ng.conf
+++ b/contrib/securityonion-syslog-ng.conf
@@ -59,6 +59,7 @@ source s_bro_pe { file("/nsm/bro/logs/current/pe.log" flags(no-parse) program_ov
source s_bro_sip { file("/nsm/bro/logs/current/sip.log" flags(no-parse) program_override("bro_sip")); };
source s_bro_modbus { file("/nsm/bro/logs/current/modbus.log" flags(no-parse) program_override("bro_modbus")); };
source s_bro_dnp3 { file("/nsm/bro/logs/current/dnp3.log" flags(no-parse) program_override("bro_dnp3")); };
+source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };
destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };
@@ -90,6 +91,7 @@ log {
source(s_bro_sip);
source(s_bro_modbus);
source(s_bro_dnp3);
+ source(s_bro_rfb);
source(s_ossec);
source(s_network);
source(s_syslog);
diff --git a/contrib/securityonion_parsers_sql.sh b/contrib/securityonion_parsers_sql.sh
index 4f934eb..a8fd39c 100644
--- a/contrib/securityonion_parsers_sql.sh
+++ b/contrib/securityonion_parsers_sql.sh
@@ -307,3 +307,8 @@ mysql -uroot < $SQL || echo "Error importing $SQL."
# Additions for Cisco ASA Botnet
SQL="$SQL_DIR/asa_botnet.sql"
mysql -uroot < $SQL || echo "Error importing $SQL."
+
+# Additions for BRO_RFB class & associated fields
+SQL="$SQL_DIR/bro_rfb.sql"
+mysql -uroot < $SQL || echo "Error importing $SQL."
+
diff --git a/contrib/sql/bro_rfb.sql b/contrib/sql/bro_rfb.sql
new file mode 100644
index 0000000..e48bc73
--- /dev/null
+++ b/contrib/sql/bro_rfb.sql
@@ -0,0 +1,32 @@
+use syslog;
+
+/* Create bro_rfb class */
+INSERT IGNORE INTO classes (id, class) VALUES (26020, "BRO_RFB");
+
+/* add new integers that don't already exist in fields table */
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("width","int", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("height","int", "QSTRING");
+
+/* add new strings that don't already exist in fields table */
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("client_major_version","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("client_minor_version","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("server_major_version","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("server_minor_version","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("authentication_method","string", "QSTRING");
+INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("desktop_name","string", "QSTRING");
+
+/* integers i0 through i5 are field order 5 through 10 */
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="srcip"), 5);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="srcport"), 6);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="dstip"), 7);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="dstport"), 8);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="width"), 9);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="height"), 10);
+
+/* strings s0 through s5 are field order 11 through 16 */
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="client_major_version"), 11);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="client_minor_version"), 12);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="server_major_version"), 13);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="server_minor_version"), 14);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="authentication_method"), 15);
+INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="desktop_name"), 16);
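Review bot: Every `fields_classes_map` row resolves `class_id` and `field_id` with scalar subqueries, and under `INSERT IGNORE` a lookup that finds no row yields NULL and is downgraded to a warning instead of an error, so if id 26020 is already used by a different class (the class insert is then silently skipped and `WHERE class="BRO_RFB"` returns NULL) or a base field such as `srcip` is missing, the mapping is either dropped or written with a default key, and the wrapper scripts only `echo` on failure. A scalar subquery that matches more than one row also aborts the statement, and nothing here guarantees `fields.field` is unique. Add a comment above the mapping block, `-- relies on classes.id 26020 being free and on srcip/srcport/dstip/dstport existing; a NULL subquery is silently ignored`, and consider a final sanity check the caller can act on, e.g. `SELECT COUNT(*) AS bro_rfb_mapped FROM fields_classes_map WHERE class_id = (SELECT id FROM classes WHERE class="BRO_RFB");` expected to return 12. The double-quoted string literals are MySQL-specific (they break under `ANSI_QUOTES`), which is fine for a file starting with `use syslog;` but worth a one-line note.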
diff --git a/debian/changelog b/debian/changelog
index 30767ad..19ccb76 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+securityonion-elsa-extras (20151011-1ubuntu1securityonion48) trusty; urgency=medium
+
+ * Issue 1036: securityonion-elsa-extras: add pattern for Bro rfb.log
+
+ -- Doug Burks Tue, 10 Jan 2017 16:26:11 -0500
+
securityonion-elsa-extras (20151011-1ubuntu1securityonion47) trusty; urgency=medium
* fix bro_ftp pattern
diff --git a/debian/install b/debian/install
index a93f4d7..001bce3 100644
--- a/debian/install
+++ b/debian/install
@@ -26,6 +26,7 @@ contrib/parsers/bro_notice etc/elsa/patterns.d/securityonion
contrib/parsers/bro_pe etc/elsa/patterns.d/securityonion
contrib/parsers/bro_radius etc/elsa/patterns.d/securityonion
contrib/parsers/bro_rdp etc/elsa/patterns.d/securityonion
+contrib/parsers/bro_rfb etc/elsa/patterns.d/securityonion
contrib/parsers/bro_sip etc/elsa/patterns.d/securityonion
contrib/parsers/bro_smtp etc/elsa/patterns.d/securityonion
contrib/parsers/bro_snmp etc/elsa/patterns.d/securityonion
diff --git a/debian/patches/Issue-1036:-securityonion-elsa-extras:-add-pattern-for-Bro-rfb.log b/debian/patches/Issue-1036:-securityonion-elsa-extras:-add-pattern-for-Bro-rfb.log
new file mode 100644
index 0000000..bf3753a
--- /dev/null
+++ b/debian/patches/Issue-1036:-securityonion-elsa-extras:-add-pattern-for-Bro-rfb.log
@@ -0,0 +1,135 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-elsa-extras (20151011-1ubuntu1securityonion48) trusty; urgency=medium
+ .
+ * Issue 1036: securityonion-elsa-extras: add pattern for Bro rfb.log
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- /dev/null
++++ securityonion-elsa-extras-20151011/contrib/parsers/bro_rfb
+@@ -0,0 +1,43 @@
++
++ bro_rfb
++
++
++
++ @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING:s5:|@@ESTRING:i4:|@@ESTRING:i5:@
++
++
++
++ 1484079685.745596|Cjoynh4xFlb9GzUNv9|192.168.2.115|52353|192.168.2.16|5900|003|889|003|889|Apple Remote Desktop|T|T|\x00\x00\x00\x00\x00\x02\xbf\xfe\xe7\x03\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00MacMini SSD|1920|1080
++
++
++
++ 192.168.2.115
++
++ 52353
++
++ 192.168.2.16
++
++ 5900
++
++ 003
++
++ 889
++
++ 003
++
++ 889
++
++ Apple Remote Desktop
++
++
++
++ \x00\x00\x00\x00\x00\x02\xbf\xfe\xe7\x03\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00MacMini SSD
++
++ 1920
++
++ 1080
++
++
++
++
++
+--- securityonion-elsa-extras-20151011.orig/contrib/securityonion-syslog-ng.conf
++++ securityonion-elsa-extras-20151011/contrib/securityonion-syslog-ng.conf
+@@ -59,6 +59,7 @@ source s_bro_pe { file("/nsm/bro/logs/cu
+ source s_bro_sip { file("/nsm/bro/logs/current/sip.log" flags(no-parse) program_override("bro_sip")); };
+ source s_bro_modbus { file("/nsm/bro/logs/current/modbus.log" flags(no-parse) program_override("bro_modbus")); };
+ source s_bro_dnp3 { file("/nsm/bro/logs/current/dnp3.log" flags(no-parse) program_override("bro_dnp3")); };
++source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };
+
+ destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };
+
+@@ -90,6 +91,7 @@ log {
+ source(s_bro_sip);
+ source(s_bro_modbus);
+ source(s_bro_dnp3);
++ source(s_bro_rfb);
+ source(s_ossec);
+ source(s_network);
+ source(s_syslog);
+--- securityonion-elsa-extras-20151011.orig/contrib/securityonion_parsers_sql.sh
++++ securityonion-elsa-extras-20151011/contrib/securityonion_parsers_sql.sh
+@@ -307,3 +307,8 @@ mysql -uroot < $SQL || echo "Error impor
+ # Additions for Cisco ASA Botnet
+ SQL="$SQL_DIR/asa_botnet.sql"
+ mysql -uroot < $SQL || echo "Error importing $SQL."
++
++# Additions for BRO_RFB class & associated fields
++SQL="$SQL_DIR/bro_rfb.sql"
++mysql -uroot < $SQL || echo "Error importing $SQL."
++
+--- /dev/null
++++ securityonion-elsa-extras-20151011/contrib/sql/bro_rfb.sql
+@@ -0,0 +1,32 @@
++use syslog;
++
++/* Create bro_rfb class */
++INSERT IGNORE INTO classes (id, class) VALUES (26020, "BRO_RFB");
++
++/* add new integers that don't already exist in fields table */
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("width","int", "QSTRING");
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("height","int", "QSTRING");
++
++/* add new strings that don't already exist in fields table */
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("client_major_version","string", "QSTRING");
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("client_minor_version","string", "QSTRING");
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("server_major_version","string", "QSTRING");
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("server_minor_version","string", "QSTRING");
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("authentication_method","string", "QSTRING");
++INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("desktop_name","string", "QSTRING");
++
++/* integers i0 through i5 are field order 5 through 10 */
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="srcip"), 5);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="srcport"), 6);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="dstip"), 7);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="dstport"), 8);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="width"), 9);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="height"), 10);
++
++/* strings s0 through s5 are field order 11 through 16 */
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="client_major_version"), 11);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="client_minor_version"), 12);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="server_major_version"), 13);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="server_minor_version"), 14);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="authentication_method"), 15);
++INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="BRO_RFB"), (SELECT id FROM fields WHERE field="desktop_name"), 16);
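Review bot: The DEP-3 header of this quilt patch is still the unfilled template: the `Description:` body is the literal "TODO: Put a short summary on the line above…" text, `Origin: ,` is empty, and `Bug`, `Forwarded`, `Reviewed-By` and `Last-Update` have no values, so the patch ships with boilerplate instead of a description. Replace the first paragraph with a one-line summary such as `Description: Add ELSA pattern, syslog-ng source and DB schema for Bro rfb.log (Issue 1036)`, keep the changelog excerpt if useful, drop the template commentary below `---`, and fill `Last-Update` with the date from the changelog entry. The embedded hunks themselves mirror the files elsewhere in this commit and need no separate review.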
diff --git a/debian/patches/series b/debian/patches/series
index d88d4d8..1680f50 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,3 +32,4 @@ update-bro_intel-pattern-for-Bro-2.5
update-bro_smtp-pattern-for-Bro-2.5
update-bro_ssh-pattern-for-Bro-2.5
fix-bro_ftp-pattern
+Issue-1036:-securityonion-elsa-extras:-add-pattern-for-Bro-rfb.log
diff --git a/debian/postinst b/debian/postinst
index d211a38..c88bf0d 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -892,6 +892,45 @@ case "$1" in
touch $FILE
fi
+ # 2017-01-10 Merge pattern for Bro rfb.log
+ UPDATE="2017-01-10"
+ FILE="/nsm/elsa/$UPDATE"
+ if [ ! -f $FILE ]; then
+ if grep -i "ELSA=yes" /etc/nsm/securityonion.conf >/dev/null 2>&1; then
+ echo "* ELSA is enabled on this box."
+ # Only update database if Setup has already been run
+ if [ -e /var/log/nsm/sosetup.log ]; then
+ echo "* Found sosetup.log."
+ echo "* Did NOT find $FILE, so applying $UPDATE database schema update."
+
+ # Store all SQL schema updates as files in $SQL_DIR
+ SQL_DIR="/opt/elsa/contrib/securityonion/contrib/sql"
+
+ echo "* Adding fields for Bro rfb.log."
+ SQL="$SQL_DIR/bro_rfb.sql"
+ mysql --defaults-file=/etc/mysql/debian.cnf < $SQL || echo "Error importing $SQL."
+
+ # backup syslog-ng.conf with today's date as file extension
+ DATE=`date '+%Y%m%d'`
+ SYSLOG_CONF="/etc/syslog-ng/syslog-ng.conf"
+ SYSLOG_CONFBAK="$SYSLOG_CONF.$DATE"
+ if [ -f $SYSLOG_CONF ]; then
+ echo "* Backing up $SYSLOG_CONF to $SYSLOG_CONFBAK."
+ cp $SYSLOG_CONF $SYSLOG_CONFBAK || echo "Error backing up $SYSLOG_CONF to $SYSLOG_CONFBAK."
+
+ if ! grep 'source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };' $SYSLOG_CONF >> /dev/null; then
+ echo "* Updating $SYSLOG_CONF to monitor Bro rfb.log."
+ sed -i '/^source s_bro_sip/a source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };' $SYSLOG_CONF || echo "Error adding s_bro_rfb to $SYSLOG_CONF."
+ sed -i '/source(s_bro_ssh);/a \\tsource(s_bro_rfb);' $SYSLOG_CONF || echo "Error adding s_bro_rfb to $SYSLOG_CONF."
+ fi
+ fi
+
+ fi
+ fi
+ # Now that we've applied the update, record that we've applied it
+ touch $FILE
+ fi
+
# Always check to see if ELSA is enabled and, if so, update patterns
if grep -i "ELSA=yes" /etc/nsm/securityonion.conf >/dev/null 2>&1; then
echo "* ELSA is enabled on this box."
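Review bot: The second `sed -i '/source(s_bro_ssh);/a …'` can silently do nothing: `sed` exits 0 when its address never matches, so on a host whose `syslog-ng.conf` lacks the `source(s_bro_ssh);` line the new source is declared but never routed into the `log {}` block, no error is printed, and `$FILE` is still touched so the update never re-runs. Add a post-check after the two seds, `grep -q 'source(s_bro_rfb);' $SYSLOG_CONF || echo "Error: source(s_bro_rfb) not added to log block in $SYSLOG_CONF."`, and consider anchoring on the same neighbour the shipped conf uses (`s_bro_dnp3`) so the two code paths agree. The guard `grep '…' $SYSLOG_CONF >> /dev/null` appends to /dev/null; `grep -q` is the intended form. The enclosing `case` arm starts outside the hunk.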