If an RDP session is “upgraded” to SSL, this will be indicated with this script in a new field added to the RDP log.
policy/protocols/smtp/blocklists.bro
policy/protocols/mysql/software.bro