[Zeek] RDP protocol details

Neslog neslog at gmail.com
Wed Jun 5 12:07:21 PDT 2019


Solved: Answer at the bottom.

Yes, that's the data I'm looking for.  Unfortunately when I try to load the
event with those details I receive an error.

error in ././trybro.bro, line 11: identifier not defined:
RDP::ClientChannelList
http://try.bro.org/#/trybro/saved/329529

I pulled this event from bro/src/analyzer/protocol/rdp/events.bif.
event rdp_client_network_data%(c: connection, channels:
RDP::ClientChannelList%);

Am I missing something?  Maybe I need to define that in my init-bare?

Digging into it deeper... looks like it was using GitHub.com/bro vs
GitHub.com/zeek.  Guess I'll have to officially migrate off Bro to Zeek.

On Wed, Jun 5, 2019 at 2:32 PM Justin Azoff <justin at corelight.com> wrote:

> Does this help?
>
>
> https://github.com/zeek/zeek/blob/1e488d7ebe2c889b20333a4196512e069e34f630/scripts/base/init-bare.zeek#L4279-L4306
>
> channels is a vector of RDP::ClientChannelDef
>
> On Wed, Jun 5, 2019 at 2:15 PM Neslog <neslog at gmail.com> wrote:
>
>> Hi, I'm looking at the RDP protocol and looking for some details.  I'm looking
>> for the encryption algorithms
>> and methods supported by the client.  I believe it would be in the
>> following event, but I'm not sure where I pulled it from.
>>
>> event rdp_client_network_data(c: connection, channels: ClientChannelList)
>>
>> Appreciate any insights.
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
> Justin
>
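A minimal handler for the event discussed in this thread, written as an added example (not code from the thread or from the Zeek project); it uses the namespaced type RDP::ClientChannelList from the linked init-bare.zeek, and assumes the field names name and options on RDP::ClientChannelDef plus the rdp_client_security_data event from the same events.bif, so check both against your Zeek version:

```zeek
# Added example, not from the thread. Run with: zeek -r rdp.pcap this_script.zeek
@load base/protocols/rdp

# Assumed field names on RDP::ClientChannelDef (verify in init-bare.zeek): name, options.
event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
	{
	# channels is a vector; iterating yields indices, not elements
	for ( i in channels )
		{
		local ch = channels[i];
		print fmt("%s RDP client channel %s options=0x%x",
		          c$id$orig_h, ch$name, ch$options);
		}
	}

# The client's advertised encryption methods are carried in a different event.
# This handler and the RDP::ClientSecurityData field names are an assumption
# based on the rdp events.bif, not something the thread cites.
event rdp_client_security_data(c: connection, data: RDP::ClientSecurityData)
	{
	print fmt("%s RDP client encryption_methods=0x%x ext_encryption_methods=0x%x",
	          c$id$orig_h, data$encryption_methods, data$ext_encryption_methods);
	}
```

The identifier-not-defined error in the thread comes from using the bare name ClientChannelList; the type must be referenced as RDP::ClientChannelList as shown above.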

