[Bro] rdp.log result column

Josh Guild josh.guild at morphick.com
Fri Jul 1 06:38:37 PDT 2016


Yep, that's what it looks like. On the encrypted sessions it just has the
cookie, result, and security_protocol value.
Is there a way to see if the connection was actually established and
successful? (vice just accepting the setup params)

Just enabled the rdp.log and getting used to reading it. Ha.

Thanks a bunch for the help!

On Fri, Jul 1, 2016 at 9:33 AM Josh Liburdi <liburdi.joshua at gmail.com>
wrote:

> Success means that the RDP server successfully accepted the RDP client's
> setup parameters. (Note that it doesn't mean the RDP connection was
> successful.) Encrypted means that the RDP session setup was already
> encrypted and the analyzer can't determine the result. IIRC if the result
> is encrypted, you will have little to no metadata in the log entry-- maybe
> just a cookie value.
>
> Josh
>
> On Fri, Jul 1, 2016 at 9:27 AM, Josh Guild <josh.guild at morphick.com>
> wrote:
>
>> Hi all,
>>
>> I have a quick question on the different entries for the "result" column
>> in the rdp.log.
>>
>> What's the difference between an "encrypted" v. "Success RDP" result and
>> is there a source with explanations of different results? My Google-Fu is
>> failing :)
>>
>> Any help would be much obliged, thanks!
>>
>> Josh
>>
>
>
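
Added example (not part of the original thread, and not code from the Bro project): a Python sketch that reads an rdp.log and reports, per "result" value, which RDP columns are ever populated, so the "little to no metadata" behaviour described above can be checked on your own logs. The sample log lines, hosts and the reduced column set are constructed for illustration; the two result values are the ones named in the thread.

```python
from collections import defaultdict

# Constructed sample in Bro's tab-separated layout; reduced column set, made-up hosts.
SAMPLE_RDP_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tcookie\tresult\tsecurity_protocol"
    "\tkeyboard_layout\tclient_build\tclient_name",
    "1467379000.1\tCaaa1\t192.0.2.10\t198.51.100.5\talice\tSuccess\tRDP"
    "\tEnglish - United States\tRDP 8.1\tWKSTN-01",
    "1467379010.2\tCbbb2\t192.0.2.11\t198.51.100.5\tbob\tencrypted\tHYBRID\t-\t-\t-",
    "1467379020.3\tCccc3\t192.0.2.12\t198.51.100.5\t-\tencrypted\tHYBRID\t-\t-\t-",
    "1467379030.4\tCddd4\t192.0.2.13\t198.51.100.5\t-\tSuccess\tRDP"
    "\tEnglish - United States\tRDP 8.1\t-",
])

# Columns that are set on every entry and say nothing about the RDP setup itself.
ALWAYS_SET = {"ts", "uid", "id.orig_h", "id.resp_h", "result"}


def parse_bro_log(text):
    """Parse a Bro TSV log into dicts, mapping the unset marker to None."""
    fields, unset, rows = [], "-", []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#unset_field":
                unset = rest
            continue
        if line.strip():
            values = line.split("\t")
            rows.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return rows


def populated_by_result(rows):
    """Map each result value to (entry count, sorted RDP columns ever populated)."""
    summary = defaultdict(lambda: [0, set()])
    for row in rows:
        entry = summary[row.get("result") or "(unset)"]
        entry[0] += 1
        entry[1].update(k for k, v in row.items() if v is not None and k not in ALWAYS_SET)
    return {k: (n, sorted(cols)) for k, (n, cols) in summary.items()}


if __name__ == "__main__":
    for result, (count, cols) in populated_by_result(parse_bro_log(SAMPLE_RDP_LOG)).items():
        print(f"{result}: {count} entries, populated columns: {', '.join(cols)}")
```
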