[Bro] rdp.log result column

Josh Guild josh.guild at morphick.com
Fri Jul 1 07:15:52 PDT 2016


Will do!

On Fri, Jul 1, 2016 at 10:02 AM Josh Liburdi <liburdi.joshua at gmail.com>
wrote:

> Happy to help! If you all think of an alternate way to infer the
> establishment, I'd be curious to hear it.
>
> Josh
>
> On Fri, Jul 1, 2016 at 9:58 AM, Josh Guild <josh.guild at morphick.com>
> wrote:
>
>> Sweet, we were thinking the same thing about bytes and connection length.
>> Glad to know we weren't far off.
>> Unfortunately, we don't have access to the endpoints right now but we can
>> reach out to the customer and see.
>> Full pcaps exist as well but no private key (that I know of).
>>
>> Thanks for the quick answers!
>>
>> On Fri, Jul 1, 2016 at 9:52 AM Josh Liburdi <liburdi.joshua at gmail.com>
>> wrote:
>>
>>> Unfortunately there's no way to prove an RDP connection was established
>>> using Bro. You could possibly infer it from the length of the connection
>>> and the number of bytes transferred, but I wouldn't stake your life on
>>> that. :)
>>>
>>> Your best bet at verifying establishment is to pull authentication
>>> records from the endpoint in question. You could also decrypt the RDP
>>> session if you have full packet capture and the private key using this
>>> method: http://www.contextis.com/resources/blog/rdp-replay-code-release/
>>>
>>> Josh
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 1, 2016, at 9:38 AM, Josh Guild <josh.guild at morphick.com> wrote:
>>>
>>> Yep, that's what it looks like. On the encrypted sessions it just has
>>> the cookie, result, and security_protocol value.
>>> Is there a way to see if the connection was actually established and
>>> successful? (vice just accepting the setup params)
>>>
>>> Just enabled the rdp.log and getting used to reading it. Ha.
>>>
>>> Thanks a bunch for the help!
>>>
>>> On Fri, Jul 1, 2016 at 9:33 AM Josh Liburdi <liburdi.joshua at gmail.com>
>>> wrote:
>>>
>>>> Success means that the RDP server successfully accepted the RDP
>>>> client's setup parameters. (Note that it doesn't mean the RDP connection
>>>> was successful.) Encrypted means that the RDP session setup was already
>>>> encrypted and the analyzer can't determine the result. IIRC if the result
>>>> is encrypted, you will have little to no metadata in the log entry -- maybe
>>>> just a cookie value.
>>>>
>>>> Josh
>>>>
>>>> On Fri, Jul 1, 2016 at 9:27 AM, Josh Guild <josh.guild at morphick.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I have a quick question on the different entries for the "result"
>>>>> column in the rdp.log.
>>>>>
>>>>> What's the difference between an "encrypted" v. "Success RDP" result
>>>>> and is there a source with explanations of different results? My Google-Fu
>>>>> is failing :)
>>>>>
>>>>> Any help would be much obliged, thanks!
>>>>>
>>>>> Josh
>>>>>
>>>>> _______________________________________________
>>>>> Bro mailing list
>>>>> bro at bro-ids.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>
>>>>
>>>>
>
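Turning the thread's answers into a triage script, as an added example that is not part of the list discussion or of Bro itself: it parses Bro's TSV rdp.log and conn.log by their #fields headers, joins the two on uid, and labels each session from the result column, applying the duration/bytes heuristic mentioned above only where the setup result is Success. The sample log lines and the two thresholds are constructed assumptions, not captured data.

```python
import io
BRO_NULL = {"-": None, "(empty)": ""}  # placeholders the Bro ASCII writer emits

def parse_bro_log(text):
    """Parse a Bro TSV log using its #fields header; returns one dict per record."""
    fields, rows = None, []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append({f: BRO_NULL.get(v, v) for f, v in zip(fields, line.split("\t"))})
    return rows

# Assumed thresholds for the "long connection, many bytes" heuristic; tune on your own data.
MIN_DURATION_S, MIN_RESP_BYTES = 5.0, 10000

def classify_rdp(rdp_rows, conn_rows):
    """Map each rdp.log uid to a verdict, joining conn.log (by uid) for duration and bytes."""
    conns = {c["uid"]: c for c in conn_rows}
    verdicts = {}
    for r in rdp_rows:
        c, result = conns.get(r["uid"]), (r["result"] or "").lower()
        if c is None:
            v = "no matching conn.log entry"
        elif result == "success":  # server accepted the client's setup parameters, nothing more
            established = (float(c["duration"] or 0) >= MIN_DURATION_S
                           and int(c["resp_bytes"] or 0) >= MIN_RESP_BYTES)
            v = "setup accepted; %s established (heuristic)" % ("likely" if established else "probably not")
        elif result == "encrypted":  # setup was already encrypted; the analyzer cannot see the result
            v = "setup encrypted; result unknown, verify with endpoint authentication logs"
        else:
            v = "setup not accepted: " + (r["result"] or "unknown")
        verdicts[r["uid"]] = v
    return verdicts
# Constructed sample logs with a subset of the real columns; not captured data.
RDP_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie\tresult\tsecurity_protocol",
    "1467382000.1\tCabc1\t10.0.0.5\t51000\t10.0.0.9\t3389\tadmin\tSuccess\tRDP",
    "1467382001.2\tCabc2\t10.0.0.6\t51001\t10.0.0.9\t3389\tguest\tSuccess\tRDP",
    "1467382002.3\tCabc3\t10.0.0.7\t51002\t10.0.0.9\t3389\t-\tencrypted\tHYBRID",
])
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "1467382000.1\tCabc1\t10.0.0.5\t51000\t10.0.0.9\t3389\ttcp\trdp\t312.5\t20000\t1500000\tSF",
    "1467382001.2\tCabc2\t10.0.0.6\t51001\t10.0.0.9\t3389\ttcp\trdp\t0.8\t400\t600\tRSTO",
    "1467382002.3\tCabc3\t10.0.0.7\t51002\t10.0.0.9\t3389\ttcp\tssl,rdp\t45.0\t9000\t200000\tSF",
])
VERDICTS = classify_rdp(parse_bro_log(RDP_LOG), parse_bro_log(CONN_LOG))
```

A "likely established" verdict is still only an inference from conn.log volume; authentication records from the endpoint remain the authoritative check.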