[Bro] rdp.log result column
josh.guild at morphick.com
Fri Jul 1 06:38:37 PDT 2016
Yep, that's what it looks like. On the encrypted sessions it just has the
cookie, result, and security_protocol value.
Is there a way to see if the connection was actually established and
successful? (vice just accepting the setup params)
Just enabled the rdp.log and getting used to reading it. Ha.
Thanks a bunch for the help!
On Fri, Jul 1, 2016 at 9:33 AM Josh Liburdi <liburdi.joshua at gmail.com> wrote:
> Success means that the RDP server successfully accepted the RDP client's
> setup parameters. (Note that it doesn't mean the RDP connection was
> successful.) Encrypted means that the RDP session setup was already
> encrypted and the analyzer can't determine the result. IIRC if the result
> is encrypted, you will have little to no metadata in the log entry-- maybe
> just a cookie value.
> On Fri, Jul 1, 2016 at 9:27 AM, Josh Guild <josh.guild at morphick.com> wrote:
>> Hi all,
>> I have a quick question on the different entries for the "result" column
>> in the rdp.log.
>> What's the difference between an "encrypted" v. "Success RDP" result and
>> is there a source with explanations of different results? My Google-Fu is
>> failing :)
>> Any help would be much obliged, thanks!
>> Bro mailing list
>> bro at bro-ids.org