[Bro] rdp.log result column

Josh Liburdi liburdi.joshua at gmail.com
Fri Jul 1 07:02:12 PDT 2016


Happy to help! If you all think of an alternate way to infer the
establishment, I'd be curious to hear it.

Josh

On Fri, Jul 1, 2016 at 9:58 AM, Josh Guild <josh.guild at morphick.com> wrote:

> Sweet, we were thinking the same thing about bytes and connection length.
> Glad to know we weren't far off.
> Unfortunately, we don't have access to the endpoints right now but we can
> reach out to the customer and see.
> Full pcaps exist as well but no private key (that I know of).
>
> Thanks for the quick answers!
>
> On Fri, Jul 1, 2016 at 9:52 AM Josh Liburdi <liburdi.joshua at gmail.com>
> wrote:
>
>> Unfortunately there's no way to prove an RDP connection was established
>> using Bro. You could possibly infer it from the length of the connection
>> and the number of bytes transferred, but I wouldn't stake your life on
>> that. :)
>>
>> Your best bet at verifying establishment is to pull authentication
>> records from the endpoint in question. You could also decrypt the RDP
>> session if you have full packet capture and the private key using this
>> method: http://www.contextis.com/resources/blog/rdp-replay-code-release/
>>
>> Josh
>>
>> Sent from my iPhone
>>
>> On Jul 1, 2016, at 9:38 AM, Josh Guild <josh.guild at morphick.com> wrote:
>>
>> Yep, that's what it looks like. On the encrypted sessions it just has the
>> cookie, result, and security_protocol value.
>> Is there a way to see if the connection was actually established and
>> successful? (vice just accepting the setup params)
>>
>> Just enabled the rdp.log and getting used to reading it. Ha.
>>
>> Thanks a bunch for the help!
>>
>> On Fri, Jul 1, 2016 at 9:33 AM Josh Liburdi <liburdi.joshua at gmail.com>
>> wrote:
>>
>>> Success means that the RDP server successfully accepted the RDP client's
>>> setup parameters. (Note that it doesn't mean the RDP connection was
>>> successful.) Encrypted means that the RDP session setup was already
>>> encrypted and the analyzer can't determine the result. IIRC if the result
>>> is encrypted, you will have little to no metadata in the log entry-- maybe
>>> just a cookie value.
>>>
>>> Josh
>>>
>>> On Fri, Jul 1, 2016 at 9:27 AM, Josh Guild <josh.guild at morphick.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have a quick question on the different entries for the "result"
>>>> column in the rdp.log.
>>>>
>>>> What's the difference between an "encrypted" v. "Success RDP" result
>>>> and is there a source with explanations of different results? My Google-Fu
>>>> is failing :)
>>>>
>>>> Any help would be much obliged, thanks!
>>>>
>>>> Josh
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>>>
>>>
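The heuristic discussed in this thread (rdp.log only records whether the server accepted the setup parameters or whether the setup was already encrypted; establishment has to be inferred from connection duration and bytes), worked through as an added example. This is not code from the thread or from the Bro project: it joins rdp.log with conn.log on the shared uid and labels each session. The sample log lines are constructed and abbreviated, the duration and response-byte thresholds are assumptions to tune per environment, and the "Rejected" result value is a hypothetical placeholder for any non-Success result.

```python
"""Added example: infer likely RDP session establishment from Bro logs.

rdp.log's result column says "Success" when the server accepted the client's
setup parameters and "encrypted" when the setup was already encrypted and the
analyzer could not see the outcome. Neither proves a session was used, so the
thread's suggestion is to look at conn.log duration and bytes for the same uid.
"""
from typing import Callable, Dict, List, Optional

# Constructed, abbreviated sample logs (not real captures). Bro logs are
# tab-separated with a "#fields" header naming the columns.
RDP_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tcookie\tresult\tsecurity_protocol\n"
    "1467381600.100000\tCa1\t10.0.0.5\t51000\t10.0.0.20\t3389\tuser1\tSuccess\tRDP\n"
    "1467381605.200000\tCb2\t10.0.0.6\t51001\t10.0.0.20\t3389\tuser2\tencrypted\t-\n"
    "1467381610.300000\tCc3\t10.0.0.7\t51002\t10.0.0.20\t3389\tuser3\tSuccess\tRDP\n"
    # "Rejected" is a hypothetical non-Success value, not a Bro constant.
    "1467381615.400000\tCd4\t10.0.0.8\t51003\t10.0.0.20\t3389\tuser4\tRejected\t-\n"
)
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "1467381600.100000\tCa1\t10.0.0.5\t51000\t10.0.0.20\t3389\ttcp\trdp\t912.5\t48211\t2310440\tSF\n"
    "1467381605.200000\tCb2\t10.0.0.6\t51001\t10.0.0.20\t3389\ttcp\trdp\t1.8\t1204\t1533\tSF\n"
    "1467381615.400000\tCd4\t10.0.0.8\t51003\t10.0.0.20\t3389\ttcp\trdp\t0.4\t312\t121\tRSTO\n"
)

# Assumed thresholds: an interactive desktop session stays up for a while and
# the server sends back a lot of screen data. Tune these to your environment.
MIN_DURATION_S = 30.0
MIN_RESP_BYTES = 100_000


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro TSV log into dicts keyed by the names in the #fields line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _num(value: str, cast: Callable) -> Optional[float]:
    """Bro writes '-' for unset fields; treat that as missing."""
    return cast(value) if value != "-" else None


def classify_rdp(rdp_rows: List[Dict[str, str]], conn_rows: List[Dict[str, str]],
                 min_duration: float = MIN_DURATION_S,
                 min_resp_bytes: int = MIN_RESP_BYTES) -> Dict[str, str]:
    """Label each rdp.log entry using its conn.log record (joined on uid)."""
    conns = {row["uid"]: row for row in conn_rows}
    verdicts: Dict[str, str] = {}
    for row in rdp_rows:
        result = row["result"]
        conn = conns.get(row["uid"])
        if result not in ("Success", "encrypted"):
            verdict = "setup_rejected"       # server refused the setup parameters
        elif conn is None:
            verdict = "unknown"              # nothing in conn.log to infer from
        else:
            duration = _num(conn["duration"], float) or 0.0
            resp_bytes = _num(conn["resp_bytes"], int) or 0
            if duration >= min_duration and resp_bytes >= min_resp_bytes:
                verdict = "likely_established"   # long and chatty: probably a real session
            else:
                verdict = "likely_not_established"
        verdicts[row["uid"]] = verdict
    return verdicts


if __name__ == "__main__":
    for uid, verdict in classify_rdp(parse_bro_log(RDP_LOG), parse_bro_log(CONN_LOG)).items():
        print(uid, verdict)
```

The verdicts are deliberately hedged ("likely"): as the thread says, only authentication records from the endpoint, or decrypting the capture with the server's private key, actually prove the session was established. The conn_state column is parsed but not used; a connection that ends in RSTO or REJ right after setup is another signal worth folding into the same rule.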