Hi all,
I have a quick question on the different entries for the “result” column in the rdp.log.
What’s the difference between an “encrypted” v. “Success RDP” result and is there a source with explanations of different results? My Google-Fu is failing 
Any help would be much obliged, thanks!
Josh
Success means that the RDP server successfully accepted the RDP client’s setup parameters. (Note that it doesn’t mean the RDP connection was successful.) Encrypted means that the RDP session setup was already encrypted and the analyzer can’t determine the result. IIRC if the result is encrypted, you will have little to no metadata in the log entry-- maybe just a cookie value.
Josh
Yep, that’s what it looks like. On the encrypted sessions it just has the cookie, result, and security_protocol value.
Is there a way to see if the connection was actually established and successful? (vice just accepting the setup params)
Just enabled the rdp.log and getting used to reading it. Ha.
Thanks a bunch for the help!
Unfortunately there’s no way to prove an RDP connection was established using Bro. You could possibly infer it from the length of the connection and the amount of bytes transferred, but I wouldn’t stake your life on that.
Sweet, we were thinking the same thing about bytes and connection length. Glad to know we weren’t far off.
Unfortunately, we don’t have access to the endpoints right now but we can reach out to the customer and see.
Full pcaps exist as well but no private key (that I know of).
Thanks for the quick answers!
Happy to help! If you all think of an alternate way to infer the establishment, I’d be curious to hear it.
Josh
Will do!