Length of Username (Cookie)

When Zeek detects an RDP connection, it only shows the first 9 characters of the username (cookie value).
Is it possible that my Zeek v4.2 by default detects the length of this variable as 9 characters? How can I change it? Thanks.

Hello Cote - I haven’t looked in earnest, but could you by any chance share a pcap where you would expect Zeek to show more characters? A Wireshark vs. Zeek screenshot might also help.

This would make it much easier to tackle the issue.

Thanks,
Arne

Hi waelzel, thanks for the response.

I will try to explain with screenshots.

The first screenshot is a sample of an RDP log, where you can see the users (platos\ex and PAESSLERG).

The rule that detects the RDP connection is in the file “logFlow_rdp.zeek”.

And the file that detects the username is “rdp-protocol.pac”. I think this file may have some error with the regex and the character " \ ", but all users are cut off at 9 characters.

Anyone? It is important.

Hello @cote, without a pcap this is difficult to track down. Maybe the RE/[^\x0d]*/ part should be different, but in that case the cookie would contain \x0d and that would be good to verify via a real capture.

Do you have output from a different tool (wireshark?) that is giving you more information?

When we looked into this, it appeared that the basic problem is that the cookie is truncated when transmitted, so there is no way for Zeek to recover the additional characters because they simply don’t appear on the wire 🙁.
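To make the point of the last reply concrete, here is an added example (not code from the thread or from Zeek itself) that builds a TPKT-framed X.224 Connection Request carrying the RDP mstshash cookie and then extracts the cookie with the same "read up to the first \x0d" rule as the RE/[^\x0d]*/ pattern mentioned above. The packets are constructed inline, not taken from a capture; the 9-character heuristic in looks_truncated is an assumption for illustration, not something the thread states. Running it shows that the regex returns a full-length cookie when the wire carries one, so a 9-character result means the client only put 9 characters on the wire.

```python
import re
import struct
from typing import Optional

# Constructed sample framing (not a real capture): a TPKT header (RFC 1006) followed by an
# X.224 Connection Request TPDU whose user data starts with the RDP "mstshash" cookie
# (MS-RDPBCGR 2.2.1.1, "Cookie: mstshash=<value>\r\n").
TPKT_VERSION = 3
X224_CR_CODE = 0xE0

# Same rule as the RE/[^\x0d]*/ discussed in the thread: the cookie value runs up to the first CR.
COOKIE_RE = re.compile(rb"Cookie: mstshash=([^\x0d]*)\x0d\x0a")


def build_connection_request(cookie: Optional[bytes], with_neg_req: bool = True) -> bytes:
    """Build TPKT + X.224 Connection Request. cookie=None omits the cookie entirely."""
    user_data = b""
    if cookie is not None:
        user_data += b"Cookie: mstshash=" + cookie + b"\r\n"
    if with_neg_req:
        # RDP_NEG_REQ: type=0x01, flags=0, length=8, requestedProtocols=PROTOCOL_RDP (little-endian)
        user_data += struct.pack("<BBHI", 0x01, 0x00, 8, 0)
    # Fixed part after the length indicator: CR code, DST-REF, SRC-REF, class option
    after_li = struct.pack(">BHHB", X224_CR_CODE, 0, 0, 0) + user_data
    if len(after_li) > 254:
        raise ValueError("X.224 length indicator is a single byte")
    x224 = bytes([len(after_li)]) + after_li
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_cookie(packet: bytes) -> Optional[str]:
    """Return the mstshash cookie exactly as it appears on the wire, or None if absent."""
    if len(packet) < 11 or packet[0] != TPKT_VERSION:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", packet[2:4])
    if tpkt_len != len(packet):
        raise ValueError("TPKT length mismatch")
    li = packet[4]                      # bytes following the length indicator
    if packet[5] != X224_CR_CODE:
        raise ValueError("not an X.224 Connection Request")
    if 5 + li > len(packet):
        raise ValueError("X.224 TPDU truncated")
    user_data = packet[11:5 + li]       # after CR code, DST-REF, SRC-REF, class option
    m = COOKIE_RE.match(user_data)
    if m is None:
        return None
    return m.group(1).decode("ascii", errors="replace")


def looks_truncated(cookie: str) -> bool:
    """Heuristic (an assumption for this example, not from the thread): a cookie of exactly
    9 characters is consistent with a client that sends only a 9-character username prefix."""
    return len(cookie) == 9


if __name__ == "__main__":
    # Constructed inputs: the 9-character value from the thread's log and a longer one.
    for name in (b"platos\\ex", b"platos\\example"):
        value = parse_cookie(build_connection_request(name))
        print(f"{name!r} -> cookie={value!r} len={len(value)} truncated?={looks_truncated(value)}")
```

The parser never shortens anything: a 14-character cookie comes back with all 14 characters, and only the 9-character input yields a 9-character result. To verify the same thing on a real capture, compare the raw bytes of the Connection Request in Wireshark with the Zeek rdp.log entry; if the bytes after "mstshash=" already stop at 9 characters, the limit is on the client side, not in the .pac regex.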