[Bro] rdp.log result column

Josh Liburdi liburdi.joshua at gmail.com
Fri Jul 1 07:02:12 PDT 2016

Happy to help! If you all think of an alternate way to infer the
establishment, I'd be curious to hear it.


On Fri, Jul 1, 2016 at 9:58 AM, Josh Guild <josh.guild at morphick.com> wrote:

> Sweet, we were thinking the same thing about bytes and connection length.
> Glad to know we weren't far off.
> Unfortunately, we don't have access to the endpoints right now but we can
> reach out to the customer and see.
> Full pcaps exist as well but no private key (that I know of).
> Thanks for the quick answers!
> On Fri, Jul 1, 2016 at 9:52 AM Josh Liburdi <liburdi.joshua at gmail.com>
> wrote:
>> Unfortunately there's no way to prove an RDP connection was established
>> using Bro. You could possibly infer it from the length of the connection
>> and the amount of bytes transferred, but I wouldn't stake your life on
>> that. :)
>> Your best bet at verifying establishment is to pull authentication
>> records from the endpoint in question. You could also decrypt the RDP
>> session if you have full packet capture and the private key using this
>> method: http://www.contextis.com/resources/blog/rdp-replay-code-release/
>> Josh
>> Sent from my iPhone
>> On Jul 1, 2016, at 9:38 AM, Josh Guild <josh.guild at morphick.com> wrote:
>> Yep, that's what it looks like. On the encrypted sessions it just has the
>> cookie, result, and security_protocol value.
>> Is there a way to see if the connection was actually established and
>> successful? (vice just accepting the setup params)
>> Just enabled the rdp.log and getting used to reading it. Ha.
>> Thanks a bunch for the help!
>> On Fri, Jul 1, 2016 at 9:33 AM Josh Liburdi <liburdi.joshua at gmail.com>
>> wrote:
>>> Success means that the RDP server successfully accepted the RDP client's
>>> setup parameters. (Note that it doesn't mean the RDP connection was
>>> successful.) Encrypted means that the RDP session setup was already
>>> encrypted and the analyzer can't determine the result. IIRC if the result
>>> is encrypted, you will have little to no metadata in the log entry, maybe
>>> just a cookie value.
>>> Josh
>>> On Fri, Jul 1, 2016 at 9:27 AM, Josh Guild <josh.guild at morphick.com>
>>> wrote:
>>>> Hi all,
>>>> I have a quick question on the different entries for the "result"
>>>> column in the rdp.log.
>>>> What's the difference between an "encrypted" v. "Success RDP" result
>>>> and is there a source with explanations of different results? My Google-Fu
>>>> is failing :)
>>>> Any help would be much obliged, thanks!
>>>> Josh
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
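The heuristic discussed above (inferring establishment from connection length and bytes transferred), as an added example that is not from the list or from the Bro project: it joins rdp.log to conn.log on uid; the sample logs are constructed with a reduced field set, and the thresholds are assumptions to tune per environment.

```python
"""Correlate Bro rdp.log with conn.log to flag RDP sessions that were
*probably* established. rdp.log's result only says the server accepted
the client's setup parameters, so this stays a heuristic, not proof."""

# Constructed sample logs in Bro TSV form (subset of the real fields).
RDP_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.resp_h\tcookie\tresult\tsecurity_protocol
1467378000.1\tCa1\t10.0.0.5\t10.0.0.9\tuser1\tSuccess\tRDP
1467378001.2\tCb2\t10.0.0.6\t10.0.0.9\tuser2\tencrypted\tHYBRID
1467378002.3\tCc3\t10.0.0.7\t10.0.0.9\tuser3\tSuccess\tRDP
"""
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tduration\torig_bytes\tresp_bytes\tconn_state
1467378000.1\tCa1\t842.5\t190000\t4200000\tSF
1467378001.2\tCb2\t0.8\t1200\t900\tRSTO
1467378002.3\tCc3\t-\t300\t200\tS0
"""

MIN_DURATION = 30.0        # seconds; assumed threshold
MIN_RESP_BYTES = 100_000   # server->client bytes; screen updates dominate a live session


def parse_bro_log(text):
    """Parse a Bro TSV log into dicts; '-' is Bro's unset-field marker."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, ...) are skipped
        else:
            vals = [None if v == "-" else v for v in line.split("\t")]
            rows.append(dict(zip(fields, vals)))
    return rows


def infer_establishment(rdp_text, conn_text):
    """Return {uid: (rdp result, verdict)} using duration/bytes from conn.log."""
    conn = {r["uid"]: r for r in parse_bro_log(conn_text)}
    verdicts = {}
    for r in parse_bro_log(rdp_text):
        c = conn.get(r["uid"])
        if c is None or c["duration"] is None:
            verdicts[r["uid"]] = (r["result"], "undetermined")  # never completed
            continue
        long_enough = float(c["duration"]) >= MIN_DURATION
        busy_enough = int(c["resp_bytes"] or 0) >= MIN_RESP_BYTES
        verdict = "likely_established" if long_enough and busy_enough else "likely_not_established"
        verdicts[r["uid"]] = (r["result"], verdict)
    return verdicts
```

Encrypted sessions get the same treatment, since the heuristic needs only conn.log; a "likely_established" verdict is still a lead to confirm against endpoint authentication records, not a finding.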