[Zeek] RDP protocol details

Justin Azoff justin at corelight.com
Wed Jun 5 12:13:57 PDT 2019


not so much bro -> zeek but that it was just added 8 days ago:

https://github.com/zeek/zeek/pull/384

try.{bro,zeek}.org will work once I build a new master container... I'll
try to get to that soon if not today.

On Wed, Jun 5, 2019 at 3:07 PM Neslog <neslog at gmail.com> wrote:

> Solved: Answer at the bottom.
>
> Yes, that's the data I'm looking for.  Unfortunately when I try to load
> the event with those details I receive an error.
>
> error in ././trybro.bro, line 11: identifier not defined:
> RDP::ClientChannelList
> http://try.bro.org/#/trybro/saved/329529
>
> I pulled this event from bro/src/analyzer/protocol/rdp/events.bif.
> event rdp_client_network_data%(c: connection, channels:
> RDP::ClientChannelList%);
>
> Am I missing something?  maybe need to define that in my init-bare?
>
> Digging into it deeper... looks like it was using GitHub.com/bro vs
> GitHub.com/zeek.  Guess I'll have to officially migrate off Bro to Zeek.
>
> On Wed, Jun 5, 2019 at 2:32 PM Justin Azoff <justin at corelight.com> wrote:
>
>> Does this help?
>>
>>
>> https://github.com/zeek/zeek/blob/1e488d7ebe2c889b20333a4196512e069e34f630/scripts/base/init-bare.zeek#L4279-L4306
>>
>> channels is a vector of RDP::ClientChannelDef
>>
>> On Wed, Jun 5, 2019 at 2:15 PM Neslog <neslog at gmail.com> wrote:
>>
>>> Hi I'm looking at RDP protocol and looking for some details.  I'm
>>> looking for encryption algorithms
>>> and methods supported by the client.  I believe it would be in the
>>> following event but not sure where I pulled it from.
>>>
>>> event rdp_client_network_data(c: connection, channels: ClientChannelList)
>>>
>>> Appreciate any insights.
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
>>
>> --
>> Justin
>>
>

-- 
Justin
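For anyone landing on this thread from a search: the practical next step once the event is defined is a script that handles it. The following is an added example (not code from the thread or from the Zeek project) showing how a handler for `rdp_client_network_data` can record the static virtual channels a client requests and flag the ones a defender usually cares about, such as clipboard and drive redirection. It assumes, based on the init-bare.zeek link above, that each `RDP::ClientChannelDef` carries at least a `name: string` and an `options: count` field; the `RDPChannels` module, the `rdp_channels` log path and the `watch_channels` set are all constructed for this illustration.

```zeek
# Added example: log the virtual channels an RDP client asks for in its
# Client Network Data block and flag the ones worth a second look.
# Assumes RDP::ClientChannelDef has `name` and `options` (per init-bare.zeek);
# module name, log path and watch list are choices made for this example.
@load base/protocols/rdp

module RDPChannels;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:       time             &log;
		uid:      string           &log;
		id:       conn_id          &log;
		## Every channel name the client requested, in order.
		channels: vector of string &log;
		## Raw option bits for each channel, same order as `channels`.
		options:  vector of count  &log;
		## Subset of `channels` that appears in `watch_channels`.
		flagged:  vector of string &log;
	};

	## Channel names that typically mean redirection of local resources
	## into the session (clipboard, drives/printers/smartcards, audio,
	## dynamic channel multiplexing). Constructed list; extend via redef.
	const watch_channels: set[string] = {
		"cliprdr", "rdpdr", "rdpsnd", "drdynvc",
	} &redef;
}

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="rdp_channels"]);
	}

event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
	{
	local names: vector of string = vector();
	local opts: vector of count = vector();
	local flagged: vector of string = vector();

	# Iterating a vector yields its indices.
	for ( i in channels )
		{
		local ch = channels[i];
		names[|names|] = ch$name;
		opts[|opts|] = ch$options;

		# Channel names are case-insensitive in practice; normalise
		# before comparing against the watch list.
		if ( to_lower(ch$name) in watch_channels )
			flagged[|flagged|] = ch$name;
		}

	Log::write(LOG, [$ts=network_time(),
	                 $uid=c$uid,
	                 $id=c$id,
	                 $channels=names,
	                 $options=opts,
	                 $flagged=flagged]);
	}
```

Run it against a capture containing an unencrypted (or TLS-stripped) RDP connection request, e.g. `zeek -r rdp.pcap rdp_channels.zeek`, and a `rdp_channels.log` appears alongside `rdp.log`, keyed by the same `uid` so the two can be joined. Note that this event only fires when Zeek can see the X.224/MCS Connect-Initial PDU in the clear; once the client negotiates CredSSP/TLS up front, the channel list is inside the encrypted stream and the handler never runs.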