From 2ca0fb6539105447f07c1548a2329c5c351098f9 Mon Sep 17 00:00:00 2001
From: Christian Kreibich
Date: Tue, 8 Jul 2025 16:31:57 -0700
Subject: [PATCH] Clarify the cookie field's origin in the RDP log.
---
 scripts/base/protocols/rdp/main.zeek | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/base/protocols/rdp/main.zeek b/scripts/base/protocols/rdp/main.zeek
index f36e052e91..6246ba3f7a 100644
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@@ -18,7 +18,8 @@ export {
 ## The connection's 4-tuple of endpoint addresses/ports.
 id: conn_id &log;
 ## Cookie value used by the client machine.
- ## This is typically a username.
+ ## This is typically a username, but note that it will often
+ ## be truncated on the wire, to a maximum of 9 characters.
 cookie: string &log &optional;
 ## Status result for the connection. It's a mix between
 ## RDP negotiation failure messages and GCC server create
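Review bot: The reworded comment on `cookie` still presents the value as "typically a username" without saying that it is chosen by the client and not verified, so a log consumer may read it as an identity. As far as I know the cookie is sent in the initial connection request, before any authentication, so I would add a line after the truncation sentence such as `## The value is client-supplied and unverified; treat it as a hint, not an authenticated identity.` The truncation also means exact-match joins against account names can miss, so the comment could mention that only a prefix comparison against the first 9 characters is reliable. The enclosing record inside `export {` starts and ends outside the hunk.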