[Bro] rdp.log result column

Josh Guild josh.guild at morphick.com
Fri Jul 1 06:58:06 PDT 2016

Sweet, we were thinking the same thing about bytes and connection length.
Glad to know we weren't far off.
Unfortunately, we don't have access to the endpoints right now but we can
reach out to the customer and see.
Full pcaps exist as well but no private key (that I know of).

Thanks for the quick answers!

On Fri, Jul 1, 2016 at 9:52 AM Josh Liburdi <liburdi.joshua at gmail.com>

> Unfortunately there's no way to prove an RDP connection was established
> using Bro. You could possibly infer it from the length of the connection
> and the amount of bytes transferred, but I wouldn't stake your life on
> that. :)
> Your best bet at verifying establishment is to pull authentication records
> from the endpoint in question. You could also decrypt the RDP session if
> you have full packet capture and the private key using this method:
> http://www.contextis.com/resources/blog/rdp-replay-code-release/
> Josh
> Sent from my iPhone
> On Jul 1, 2016, at 9:38 AM, Josh Guild <josh.guild at morphick.com> wrote:
> Yep, that's what it looks like. On the encrypted sessions it just has the
> cookie, result, and security_protocol value.
> Is there a way to see if the connection was actually established and
> successful? (vice just accepting the setup params)
> Just enabled the rdp.log and getting used to reading it. Ha.
> Thanks a bunch for the help!
> On Fri, Jul 1, 2016 at 9:33 AM Josh Liburdi <liburdi.joshua at gmail.com>
> wrote:
>> Success means that the RDP server successfully accepted the RDP client's
>> setup parameters. (Note that it doesn't mean the RDP connection was
>> successful.) Encrypted means that the RDP session setup was already
>> encrypted and the analyzer can't determine the result. IIRC if the result
>> is encrypted, you will have little to no metadata in the log entry-- maybe
>> just a cookie value.
>> Josh
>> On Fri, Jul 1, 2016 at 9:27 AM, Josh Guild <josh.guild at morphick.com>
>> wrote:
>>> Hi all,
>>> I have a quick question on the different entries for the "result" column
>>> in the rdp.log.
>>> What's the difference between an "encrypted" v. "Success RDP" result and
>>> is there a source with explanations of different results? My Google-Fu is
>>> failing :)
>>> Any help would be much obliged, thanks!
>>> Josh
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160701/a749af63/attachment-0001.html 

More information about the Bro mailing list