RDP protocol details

Hi, I’m looking at the RDP protocol and looking for some details. I’m looking for the encryption algorithms
and methods supported by the client. I believe it would be in the following event, but I’m not sure where I pulled it from.

event rdp_client_network_data(c: connection, channels: ClientChannelList)

Appreciate any insights.

Does this help?

https://github.com/zeek/zeek/blob/1e488d7ebe2c889b20333a4196512e069e34f630/scripts/base/init-bare.zeek#L4279-L4306

channels is a vector of RDP::ClientChannelDef


Yes, that’s the data I’m looking for. Unfortunately, when I try to load the event with those details I receive an error.

error in ././trybro.bro, line 11: identifier not defined: RDP::ClientChannelList

http://try.bro.org/#/trybro/saved/329529

I pulled this event from bro/src/analyzer/protocol/rdp/events.bif.
event rdp_client_network_data%(c: connection, channels: RDP::ClientChannelList%);

Am I missing something? Maybe I need to define that in my init-bare?

Digging into it deeper… looks like it was using GitHub.com/bro vs GitHub.com/zeek. Guess I’ll have to officially migrate off Bro to Zeek.

Not so much bro → zeek, but that it was just added 8 days ago:

https://github.com/zeek/zeek/pull/384

try.{bro,zeek}.org will work once I build a new master container… I’ll try to get to that soon if not today.

lol, too funny. I look forward to it and thanks.

That said, I’m looking for where the client sends its supported encryption algos and methods. I’m still learning the protocol; it doesn’t look like Bro is parsing out the encryption methods or encoding methods. Actually, I see the Client security data commented out in rdp-protocol.pac.

#0xc002 → client_security: Client_Security_Data;

Looks like there’s still more work to be done with parsing out the data?

For anyone interested, I got the Client_Security_Data added to the rdp analyzer. The pull request is open. Please let me know your thoughts.

https://github.com/zeek/zeek/pull/400
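As an added example (not Zeek’s code and not taken from the pull request above), here is a small Python parser for the two client-to-server GCC user data blocks this thread is about: TS_UD_CS_NET (type 0xC003), whose CHANNEL_DEF entries are what `rdp_client_network_data` hands you as `RDP::ClientChannelList`, and TS_UD_CS_SEC (type 0xC002), which carries the client’s advertised `encryptionMethods`. The block header, field layout and flag values follow MS-RDPBCGR; the sample bytes are constructed here, the class and field names (`ClientChannelDef`, `ClientSecurityData`, `ext_encryption_methods`) are my own, and the per-channel flag names are chosen to mirror the bool fields of Zeek’s `RDP::ClientChannelDef` record rather than copied from it.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# TS_UD_HEADER block types for client-to-server user data (MS-RDPBCGR).
CS_SECURITY = 0xC002  # TS_UD_CS_SEC: the block the thread found commented out in rdp-protocol.pac
CS_NET = 0xC003       # TS_UD_CS_NET: the block behind Zeek's rdp_client_network_data event

# encryptionMethods bit flags from TS_UD_CS_SEC.
ENCRYPTION_METHODS = {0x01: "40BIT", 0x02: "128BIT", 0x08: "56BIT", 0x10: "FIPS"}

# CHANNEL_DEF.options bit flags; names chosen to mirror RDP::ClientChannelDef (assumption).
CHANNEL_OPTIONS = {
    "initialized": 0x80000000,
    "encrypt_rdp": 0x40000000,
    "encrypt_sc": 0x20000000,
    "encrypt_cs": 0x10000000,
    "priority_high": 0x08000000,
    "priority_med": 0x04000000,
    "priority_low": 0x02000000,
    "compress_rdp": 0x00800000,
    "compress": 0x00400000,
    "show_protocol": 0x00200000,
    "persistent": 0x00100000,
}

@dataclass
class ClientChannelDef:           # hypothetical name, not Zeek's type
    name: str
    options: int
    flags: Dict[str, bool]

@dataclass
class ClientSecurityData:         # hypothetical name, not Zeek's type
    encryption_methods: int
    ext_encryption_methods: int

    def method_names(self) -> List[str]:
        """Decode encryptionMethods into the levels the client advertised."""
        return [n for bit, n in ENCRYPTION_METHODS.items() if self.encryption_methods & bit]

def iter_user_data_blocks(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk TS_UD_HEADER-prefixed blocks: type (uint16 LE), length (uint16 LE, includes header)."""
    off = 0
    while off + 4 <= len(data):
        btype, blen = struct.unpack_from("<HH", data, off)
        if blen < 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        yield btype, data[off + 4:off + blen]
        off += blen

def parse_cs_net(body: bytes) -> List[ClientChannelDef]:
    """TS_UD_CS_NET: channelCount (uint32 LE) then channelCount * CHANNEL_DEF (8-byte name, uint32 options)."""
    (count,) = struct.unpack_from("<I", body, 0)
    if count > 31:  # MS-RDPBCGR caps static virtual channels at 31
        raise ValueError(f"channelCount {count} exceeds 31")
    if 4 + count * 12 > len(body):
        raise ValueError("channelCount exceeds block body")
    channels = []
    for i in range(count):
        raw_name, options = struct.unpack_from("<8sI", body, 4 + i * 12)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
        flags = {k: bool(options & v) for k, v in CHANNEL_OPTIONS.items()}
        channels.append(ClientChannelDef(name, options, flags))
    return channels

def parse_cs_security(body: bytes) -> ClientSecurityData:
    """TS_UD_CS_SEC: encryptionMethods (uint32 LE), extEncryptionMethods (uint32 LE)."""
    enc, ext = struct.unpack_from("<II", body, 0)
    return ClientSecurityData(enc, ext)

def parse_client_user_data(data: bytes) -> Dict[str, object]:
    """Return the channel list and (if present) the security block, ignoring other block types."""
    result: Dict[str, object] = {"channels": [], "security": None}
    for btype, body in iter_user_data_blocks(data):
        if btype == CS_NET:
            result["channels"] = parse_cs_net(body)
        elif btype == CS_SECURITY:
            result["security"] = parse_cs_security(body)
    return result

# Constructed sample: a CS_SEC block advertising 40/128/56-bit and FIPS, then a CS_NET block
# with two channels (cliprdr: initialized|encrypt_rdp|compress_rdp|show_protocol; rdpdr: initialized|compress_rdp).
SAMPLE = (
    struct.pack("<HHII", CS_SECURITY, 12, 0x1B, 0x00)
    + struct.pack("<HHI", CS_NET, 4 + 4 + 2 * 12, 2)
    + b"cliprdr\x00" + struct.pack("<I", 0xC0A00000)
    + b"rdpdr\x00\x00\x00" + struct.pack("<I", 0x80800000)
)

if __name__ == "__main__":
    parsed = parse_client_user_data(SAMPLE)
    sec: Optional[ClientSecurityData] = parsed["security"]  # type: ignore[assignment]
    print("client encryption methods:", sec.method_names() if sec else "none")
    for ch in parsed["channels"]:  # type: ignore[union-attr]
        enabled = [k for k, v in ch.flags.items() if v]
        print(f"channel {ch.name!r} options=0x{ch.options:08x} {enabled}")
```

The per-channel dictionary is the same information Zeek exposes on each `RDP::ClientChannelDef`, so a handler for `rdp_client_network_data` can log it directly; the security block is what the pull request above adds. From a monitoring standpoint the interesting value is `encryption_methods`: a client that advertises only 40-bit or 56-bit Standard RDP Security is worth flagging, and the length checks in `iter_user_data_blocks` and `parse_cs_net` are there because a malformed `channelCount` or block length is exactly the kind of input an analyzer must reject rather than trust.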