[Bro] rdp.log result column

Josh Guild josh.guild at morphick.com
Fri Jul 1 06:38:37 PDT 2016

Yep, that's what it looks like. On the encrypted sessions it just has the
cookie, result, and security_protocol value.
Is there a way to see if the connection was actually established and
successful? (vice just accepting the setup params)

Just enabled the rdp.log and getting used to reading it. Ha.

Thanks a bunch for the help!

On Fri, Jul 1, 2016 at 9:33 AM Josh Liburdi <liburdi.joshua at gmail.com> wrote:

> Success means that the RDP server successfully accepted the RDP client's
> setup parameters. (Note that it doesn't mean the RDP connection was
> successful.) Encrypted means that the RDP session setup was already
> encrypted and the analyzer can't determine the result. IIRC if the result
> is encrypted, you will have little to no metadata in the log entry-- maybe
> just a cookie value.
> Josh
> On Fri, Jul 1, 2016 at 9:27 AM, Josh Guild <josh.guild at morphick.com>
> wrote:
>> Hi all,
>> I have a quick question on the different entries for the "result" column
>> in the rdp.log.
>> What's the difference between an "encrypted" v. "Success RDP" result and
>> is there a source with explanations of different results? My Google-Fu is
>> failing :)
>> Any help would be much obliged, thanks!
>> Josh
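Added example, not part of the original thread and not Bro project code: a small parser that reads an rdp.log in Bro's tab-separated format and labels each entry by what the thread says its result value means, then lists which RDP metadata fields are actually populated. The sample log is constructed and shows only a subset of columns; the labels `setup_accepted` and `setup_encrypted` are names chosen for this example.

```python
from collections import Counter

# Connection-identifying columns, excluded when listing RDP metadata.
CONN_KEYS = {"ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p"}

def parse_bro_tsv(text):
    """Parse a Bro ASCII (TSV) log into dicts using its #fields header."""
    fields, unset, rows = [], "-", []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]
        elif line and not line.startswith("#"):
            vals = line.split("\t")
            rows.append({k: (None if v == unset else v) for k, v in zip(fields, vals)})
    return rows

def classify(row):
    """Map the result column to the meaning given in the thread."""
    result = (row.get("result") or "").lower()
    if result == "encrypted":
        return "setup_encrypted"  # setup was encrypted; analyzer saw no result
    if result.startswith("success"):
        return "setup_accepted"   # server accepted setup params, nothing more
    return "other"

def rdp_metadata(row):
    """Names of the RDP-specific fields that are populated in this entry."""
    return sorted(k for k, v in row.items() if v is not None and k not in CONN_KEYS)

def summarize(rows):
    return Counter(classify(r) for r in rows)

# Constructed sample (documentation addresses, made-up uids and cookies).
HEADER = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "cookie", "result", "security_protocol", "keyboard_layout", "client_build"]
SAMPLE = "\n".join([
    "#unset_field\t-",
    "#fields\t" + "\t".join(HEADER),
    "\t".join(["1467380000.0", "CAbc1", "192.0.2.10", "50001", "198.51.100.5", "3389",
               "alice", "Success", "RDP", "English - United States", "RDP 8.1"]),
    "\t".join(["1467380100.0", "CAbc2", "192.0.2.11", "50002", "198.51.100.5", "3389",
               "bob", "encrypted", "HYBRID", "-", "-"]),
    "\t".join(["1467380200.0", "CAbc3", "192.0.2.12", "50003", "198.51.100.5", "3389",
               "-", "encrypted", "-", "-", "-"]),
])

if __name__ == "__main__":
    for r in parse_bro_tsv(SAMPLE):
        print(r["uid"], classify(r), rdp_metadata(r))
```

Neither label says whether a desktop session was actually established; the result column does not record that.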