[Bro] rdp.log result column

Josh Liburdi liburdi.joshua at gmail.com
Fri Jul 1 06:52:19 PDT 2016


Unfortunately there's no way to prove an RDP connection was established using Bro. You could possibly infer it from the length of the connection and the amount of bytes transferred, but I wouldn't stake your life on that. :) 

Your best bet at verifying establishment is to pull authentication records from the endpoint in question. You could also decrypt the RDP session if you have full packet capture and the private key using this method: http://www.contextis.com/resources/blog/rdp-replay-code-release/

Josh


> On Jul 1, 2016, at 9:38 AM, Josh Guild <josh.guild at morphick.com> wrote:
> 
> Yep, that's what it looks like. On the encrypted sessions it just has the cookie, result, and security_protocol value. 
> Is there a way to see if the connection was actually established and successful? (vice just accepting the setup params)
> 
> Just enabled the rdp.log and getting used to reading it. Ha.
> 
> Thanks a bunch for the help!
> 
>> On Fri, Jul 1, 2016 at 9:33 AM Josh Liburdi <liburdi.joshua at gmail.com> wrote:
>> Success means that the RDP server successfully accepted the RDP client's setup parameters. (Note that it doesn't mean the RDP connection was successful.) Encrypted means that the RDP session setup was already encrypted and the analyzer can't determine the result. IIRC if the result is encrypted, you will have little to no metadata in the log entry-- maybe just a cookie value.
>> 
>> Josh
>> 
>>> On Fri, Jul 1, 2016 at 9:27 AM, Josh Guild <josh.guild at morphick.com> wrote:
>> 
>>> Hi all,
>>> 
>>> I have a quick question on the different entries for the "result" column in the rdp.log.
>>> 
>>> What's the difference between an "encrypted" v. "Success RDP" result and is there a source with explanations of different results? My Google-Fu is failing :)
>>> 
>>> Any help would be much obliged, thanks!
>>> 
>>> Josh
>>> 
>> 
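The inference mentioned in the latest reply (connection length and bytes transferred), sketched as an added example that is not part of the thread or of Bro itself: it joins rdp.log to conn.log on `uid` and labels each RDP setup. The sample records, the trimmed column set, the thresholds and the label names are all assumptions made for illustration.

```python
# Constructed sample logs in Bro's tab-separated format, trimmed to a few columns.
RDP_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tcookie\tresult\tsecurity_protocol",
    "1467380000.0\tCaaa1\t10.0.0.5\t10.0.0.9\tjdoe\tSuccess\tHYBRID",
    "1467380100.0\tCbbb2\t10.0.0.6\t10.0.0.9\tscan\tSuccess\tRDP",
    "1467380200.0\tCccc3\t10.0.0.7\t10.0.0.9\tadmin\tencrypted\t-",
])
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tduration\torig_bytes\tresp_bytes",
    "1467380000.0\tCaaa1\t1825.4\t412003\t9800412",
    "1467380100.0\tCbbb2\t0.8\t1190\t1420",
    "1467380200.0\tCccc3\t-\t-\t-",
])

# Assumed triage thresholds, not values from Bro or the thread; tune per network.
MIN_DURATION_S = 30.0
MIN_RESP_BYTES = 50_000

def read_bro_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def num(value):
    """Bro writes '-' for unset fields; treat those as missing."""
    return None if value in (None, "-", "") else float(value)

def triage(rdp_text, conn_text):
    """Join rdp.log to conn.log on uid and label each RDP setup."""
    conns = {r["uid"]: r for r in read_bro_tsv(conn_text)}
    out = {}
    for rec in read_bro_tsv(rdp_text):
        conn = conns.get(rec["uid"], {})
        dur, rbytes = num(conn.get("duration")), num(conn.get("resp_bytes"))
        if dur is None or rbytes is None:
            label = "no-volume-data"
        elif dur >= MIN_DURATION_S and rbytes >= MIN_RESP_BYTES:
            label = "possible-session"  # inference only; confirm on the endpoint
        else:
            label = "setup-only"
        out[rec["uid"]] = (rec["result"], label)
    return out

if __name__ == "__main__":
    for uid, (result, label) in triage(RDP_LOG, CONN_LOG).items():
        print(uid, result, label)
```

A "possible-session" label is only a lead for pulling authentication records from the endpoint, as the reply recommends.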