From dd2cdb064b2b00f81499261b676531ddbe59e07c Mon Sep 17 00:00:00 2001 From: jeff-bb <38505668+jeff-bb@users.noreply.github.com> Date: Thu, 19 Jan 2023 16:55:23 -0600 Subject: [PATCH 1/3] "Best Guess" unknown keyboard / language variants If the lookup table does not have an entry, it will just log as the raw decimal language/keyboard code. With this change, if we do not have an entry in the lookup table, we'll look at the low order / 4 least significant bits to see if we have a match. The high order / 4 most significant bits are flags/modifiers to the base language/keyboard code. We'll append that it is a "Best Guess" (This is my first attempt at Zeek scripting, apologies upfront if I'm missing obvious language features. I feel like the const language lookup should return a success/fail return code that we would key off of, but unsure how to accomplish that so instead went for string matching on value in == value out). --- scripts/base/protocols/rdp/main.zeek | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/base/protocols/rdp/main.zeek b/scripts/base/protocols/rdp/main.zeek index 7254b1cea6..ea0222e167 100644 --- a/scripts/base/protocols/rdp/main.zeek +++ b/scripts/base/protocols/rdp/main.zeek @@ -188,6 +188,13 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5 set_session(c); c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout]; + + if (c$rdp$keyboard_layout == fmt("keyboard-%d", data$keyboard_layout)) + { + c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout & 0xffff]; + c$rdp$keyboard_layout = c$rdp$keyboard_layout + " (Best Guess)"; + } + c$rdp$client_build = RDP::builds[data$client_build]; c$rdp$client_name = data$client_name; c$rdp$client_dig_product_id = data$dig_product_id; From 04113b13d5de5b72037b404b91be480ebd93f5bc Mon Sep 17 00:00:00 2001 
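Review bot: The mask `0xffff` in the added `RDP::languages[data$keyboard_layout & 0xffff]` keeps the low 16 bits, while the commit message calls it the "4 least significant bits" (presumably hex digits), so a reader comparing the two will suspect one of them is wrong; a comment at the mask line would settle it, e.g. `# Low 16 bits = base language id; high 16 bits = layout/variant flags, so fall back to the base on an unknown value.` The high/low split itself is taken from the description rather than shown by the hunk, so that comment should cite where the layout-id format comes from if the project has a reference. The two assignments are inside `rdp_client_core_data`, whose body starts before and continues past this hunk.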
From: jeff-bb <38505668+jeff-bb@users.noreply.github.com> Date: Fri, 20 Jan 2023 08:29:55 -0600 Subject: [PATCH 2/3] Avoid excessive fmt calls, return default behavior on unknown Using "in" to query the language const. This also handles the case of not having a best guess and continue using the existing behavior. Given keyboard_layout = 1033 (0x0409), "keyboard-English - United States" keyboard_layout = 66569 (0x00010409), "keyboard-English - United States (Best Guess)" keyboard_layout = 12345 (0x3039), "keyboard-12345" --- scripts/base/protocols/rdp/main.zeek | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/scripts/base/protocols/rdp/main.zeek b/scripts/base/protocols/rdp/main.zeek index ea0222e167..310784073a 100644 --- a/scripts/base/protocols/rdp/main.zeek +++ b/scripts/base/protocols/rdp/main.zeek @@ -187,13 +187,21 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5 { set_session(c); - c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout]; - - if (c$rdp$keyboard_layout == fmt("keyboard-%d", data$keyboard_layout)) + if (data$keyboard_layout in RDP::languages) { - c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout & 0xffff]; - c$rdp$keyboard_layout = c$rdp$keyboard_layout + " (Best Guess)"; + c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout]; } + else + { + if (data$keyboard_layout & 0xffff in RDP::languages) + { + c$rdp$keyboard_layout = fmt("%s (Best Guess)", RDP::languages[data$keyboard_layout & 0xffff]); + } + else + { + c$rdp$keyboard_layout = fmt("keyboard-%d", data$keyboard_layout); + } + } c$rdp$client_build = RDP::builds[data$client_build]; c$rdp$client_name = data$client_name; From 7085104c3394e4f606fed90ace37c714b9588df6 Mon Sep 17 00:00:00 2001 
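Review bot: `data$keyboard_layout & 0xffff in RDP::languages` depends on `&` binding tighter than `in`, which the commit message's 66569 example suggests it does, but the expression is evaluated twice and a reader has to know the precedence table to see that the mask is applied first; computing the masked value once into a local and parenthesizing removes both problems. The innermost `else` also hard-codes `fmt("keyboard-%d", ...)`, which from the comparison in the previous patch looks like a copy of the table's `&default`; if that is so, the unknown case can simply fall through to the table lookup so the default text lives in one place. As a style aside, the base scripts write `if ( cond )` with inner spaces. The enclosing `rdp_client_core_data` handler continues past this hunk.
```zeek
	local base_layout = data$keyboard_layout & 0xffff;

	# Exact match wins; otherwise fall back to the base language id in the
	# low 16 bits. Anything else goes through the table's default.
	if ( data$keyboard_layout !in RDP::languages && base_layout in RDP::languages )
		c$rdp$keyboard_layout = fmt("%s (Best Guess)", RDP::languages[base_layout]);
	else
		c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout];

	# … unchanged: client_build / client_name assignments …
```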
From: jeff-bb <38505668+jeff-bb@users.noreply.github.com> Date: Mon, 23 Jan 2023 09:12:48 -0600 Subject: [PATCH 3/3] Log raw keyboard value on best guess --- scripts/base/protocols/rdp/main.zeek | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/protocols/rdp/main.zeek b/scripts/base/protocols/rdp/main.zeek index 310784073a..488204e0c8 100644 --- a/scripts/base/protocols/rdp/main.zeek +++ b/scripts/base/protocols/rdp/main.zeek @@ -195,7 +195,7 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5 { if (data$keyboard_layout & 0xffff in RDP::languages) { - c$rdp$keyboard_layout = fmt("%s (Best Guess)", RDP::languages[data$keyboard_layout & 0xffff]); + c$rdp$keyboard_layout = fmt("%s (Best Guess of %d)", RDP::languages[data$keyboard_layout & 0xffff], data$keyboard_layout); } else {
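Review bot: The changed `fmt("%s (Best Guess of %d)", ...)` records the raw value in a different shape than the unknown branch's `keyboard-%d`, so a detection or dashboard that searches `keyboard_layout` for the raw id needs two patterns; using the same token in both, `fmt("%s (Best Guess of keyboard-%d)", RDP::languages[data$keyboard_layout & 0xffff], data$keyboard_layout)`, keeps one grep working. Since this value is supplied by the RDP client and the field is commonly used to fingerprint clients, it is also worth noting in a comment next to the format string that the suffix is appended to the logged value, because any exact-match logic on `keyboard_layout` elsewhere will no longer match the decorated form. The surrounding `if`/`else` and the `rdp_client_core_data` handler continue outside this hunk.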