From dd2cdb064b2b00f81499261b676531ddbe59e07c Mon Sep 17 00:00:00 2001
From: jeff-bb <38505668+jeff-bb@users.noreply.github.com>
Date: Thu, 19 Jan 2023 16:55:23 -0600
Subject: [PATCH] "Best Guess" unknown keyboard / language variants

If the lookup table does not have an entry, it will just log as the raw decimal language/keyboard code. With this change, if we do not have an entry in the lookup table, we'll look at the low order / 4 least significant bits to see if we have a match. The high order / 4 most significant bits are flags/modifiers to the base language/keyboard code. We'll append that it is a "Best Guess"

(This is my first attempt at Zeek scripting, apologies upfront if I'm missing obvious language features. I feel like the const language lookup should return a success/fail return code that we would key off of, but unsure how to accomplish that so instead went for string matching on value in == value out).
---
 scripts/base/protocols/rdp/main.zeek | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/scripts/base/protocols/rdp/main.zeek b/scripts/base/protocols/rdp/main.zeek
index 7254b1cea6..ea0222e167 100644
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@@ -188,6 +188,13 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5
 	set_session(c);
 
 	c$rdp$keyboard_layout       = RDP::languages[data$keyboard_layout];
+	
+	if (c$rdp$keyboard_layout == fmt("keyboard-%d", data$keyboard_layout))
+		{
+		c$rdp$keyboard_layout = RDP::languages[data$keyboard_layout & 0xffff];
+		c$rdp$keyboard_layout = c$rdp$keyboard_layout + " (Best Guess)";
+		}
+	
 	c$rdp$client_build          = RDP::builds[data$client_build];
 	c$rdp$client_name           = data$client_name;
 	c$rdp$client_dig_product_id = data$dig_product_id;