I would like to add successfully connected RDP connections to a whitelist. And I have no clue how to detect if the connection is successfully established or if it is just another brute force attempt.
I was trying something like:
chain=forward action=add-src-to-address-list connection-state=established protocol=tcp
address-list=rdp_whitelist address-list-timeout=5h in-interface-list=WAN dst-port=3389 log=no log-prefix=""
but brute force attackers are also being added to this list, because the TCP connection is established before login. Maybe I should detect connections that are established for more than 5 minutes or so (we can presume that the login was successful), but I do not know how.