[Zeek] RDP protocol details

Neslog neslog at gmail.com
Wed Jun 5 12:34:41 PDT 2019


lol, too funny.  I look forward to it and thanks.

That said, I'm looking for where the client sends its supported encryption
algos and methods.  I'm still learning the protocol; it doesn't look like Bro
is parsing out the encryption methods or encoding methods.  Actually, I see
the Client Security Data commented out in rdp-protocol.pac.

                #0xc002  -> client_security:   Client_Security_Data;

Looks like there's still more work to be done with parsing out the data?




On Wed, Jun 5, 2019 at 3:14 PM Justin Azoff <justin at corelight.com> wrote:

> not so much bro -> zeek but that it was just added 8 days ago:
>
> https://github.com/zeek/zeek/pull/384
>
> try.{bro,zeek}.org will work once I build a new master container... I'll
> try to get to that soon if not today.
>
> On Wed, Jun 5, 2019 at 3:07 PM Neslog <neslog at gmail.com> wrote:
>
>> Solved: Answer at the bottom.
>>
>> Yes, that's the data I'm looking for.  Unfortunately when I try to load
>> the event with those details I receive an error.
>>
>> error in ././trybro.bro, line 11: identifier not defined:
>> RDP::ClientChannelList
>> http://try.bro.org/#/trybro/saved/329529
>>
>> I pulled this event from bro/src/analyzer/protocol/rdp/events.bif.
>> event rdp_client_network_data%(c: connection, channels:
>> RDP::ClientChannelList%);
>>
>> Am I missing something?  Maybe I need to define that in my init-bare?
>>
>> Digging into it deeper... looks like it was using GitHub.com/bro vs
>> GitHub.com/zeek.  Guess I'll have to officially migrate off Bro to Zeek.
>>
>> On Wed, Jun 5, 2019 at 2:32 PM Justin Azoff <justin at corelight.com> wrote:
>>
>>> Does this help?
>>>
>>>
>>> https://github.com/zeek/zeek/blob/1e488d7ebe2c889b20333a4196512e069e34f630/scripts/base/init-bare.zeek#L4279-L4306
>>>
>>> channels is a vector of RDP::ClientChannelDef
>>>
>>> On Wed, Jun 5, 2019 at 2:15 PM Neslog <neslog at gmail.com> wrote:
>>>
>>>> Hi, I'm looking at the RDP protocol and looking for some details.  I'm
>>>> looking for the encryption algorithms
>>>> and methods supported by the client.  I believe it would be in the
>>>> following event, but I'm not sure where I pulled it from.
>>>>
>>>> event rdp_client_network_data(c: connection, channels:
>>>> ClientChannelList)
>>>>
>>>> Appreciate any insights.
>>>> _______________________________________________
>>>> Zeek mailing list
>>>> zeek at zeek.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>
>>>
>>>
>>> --
>>> Justin
>>>
>>
>
> --
> Justin
>
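The Client Security Data block (header type 0xC002) that the post above says rdp-protocol.pac leaves commented out can be decoded straight from the MCS Connect Initial user data. The following is an added example, not Zeek's analyzer code and not from the thread: it walks the TS_UD_HEADER-prefixed blocks and decodes the encryptionMethods flags per MS-RDPBCGR 2.2.1.3.3, run over a constructed sample byte string (block layout and flag names come from the spec; the sample bytes are made up).

```python
"""Decode the RDP Client Security Data block (TS_UD_CS_SEC, type 0xC002)
from an MCS Connect Initial user-data area, per MS-RDPBCGR 2.2.1.3.3."""
import struct

CS_CORE, CS_SECURITY, CS_NET, CS_CLUSTER = 0xC001, 0xC002, 0xC003, 0xC004

# Bit flags used in both encryptionMethods and extEncryptionMethods.
ENCRYPTION_FLAGS = {
    0x01: "40BIT_ENCRYPTION_FLAG",
    0x02: "128BIT_ENCRYPTION_FLAG",
    0x08: "56BIT_ENCRYPTION_FLAG",
    0x10: "FIPS_ENCRYPTION_FLAG",
}


def iter_user_data_blocks(data: bytes):
    """Yield (header_type, body) for each block. TS_UD_HEADER is
    type uint16 LE + length uint16 LE; length includes the 4-byte header."""
    off = 0
    while off + 4 <= len(data):
        htype, length = struct.unpack_from("<HH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError(f"bad block length {length} at offset {off}")
        yield htype, data[off + 4:off + length]
        off += length


def parse_client_security(data: bytes) -> dict:
    """Return the decoded 0xC002 block; raise if the client did not send one."""
    for htype, body in iter_user_data_blocks(data):
        if htype != CS_SECURITY or len(body) < 8:
            continue
        methods, ext_methods = struct.unpack_from("<II", body, 0)
        names = lambda v: [n for bit, n in ENCRYPTION_FLAGS.items() if v & bit]
        return {"encryptionMethods": methods, "methods": names(methods),
                "extEncryptionMethods": ext_methods, "ext_methods": names(ext_methods)}
    raise ValueError("no Client Security Data block (0xC002) found")


# Constructed sample: a stub core block, a security block advertising
# 40/56/128-bit and FIPS, and a network block with one channel ("rdpdr").
SAMPLE = (
    struct.pack("<HH", CS_CORE, 4 + 8) + struct.pack("<II", 0x00080004, 1024)
    + struct.pack("<HH", CS_SECURITY, 4 + 8) + struct.pack("<II", 0x1B, 0x00)
    + struct.pack("<HH", CS_NET, 4 + 4 + 12) + struct.pack("<I", 1)
    + b"rdpdr\0\0\0" + struct.pack("<I", 0x80800000)
)

if __name__ == "__main__":
    print(parse_client_security(SAMPLE))
```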