Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ldap: Add Sicily Authentication constants

Browse source 
The aduser1-ntlm.pcap contains bindRequest messages using Microsoft AD
specific Sicily Authentication [1]. Add the entries to the enum so we
don't log undefined for these and also check the NTLMSSP signature.

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
This commit is contained in:
Arne Welzel 2025-04-11 17:38:58 +02:00
parent ff58be2f36
commit 07bf7f8b18
3 changed files with 26 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/protocols/ldap/main.zeek
View file

@ -380,6 +380,10 @@ event LDAP::bind_request(c: connection,
m$opcode = BIND_SIMPLE;
} else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
m$opcode = BIND_SASL;
} else if (authType == LDAP::BindAuthType_SICILY_NEGOTIATE ) {
m$opcode = "sicily_negotiate";
} else if (authType == LDAP::BindAuthType_SICILY_RESPONSE ) {
m$opcode = "sicily_response";
} else {
Reporter::conn_weird("LDAP_unknown_auth_type", c, cat(authType), "LDAP");
m$opcode = cat(authType);