Add success indicator to the ntlm.log.

This changes the single gssapi event slightly too.
Seth Hall 2016-04-13 12:09:05 -04:00
parent b4b9fbb8d2
commit 5d33ac773b
4 changed files with 55 additions and 39 deletions


@ -14,6 +14,13 @@ export {
username: string &log &optional; username: string &log &optional;
hostname: string &log &optional; hostname: string &log &optional;
domainname: string &log &optional; domainname: string &log &optional;
## Indicate whether or not the authentication was successful.
success: bool &log &default=F;
## Internally used field to indicate if the login attempt
## has already been logged.
done: bool &default=F;
}; };
} }
@ -28,13 +35,10 @@ event bro_init() &priority=5
event ntlm_negotiate(c: connection, request: NTLM::Negotiate) &priority=5 event ntlm_negotiate(c: connection, request: NTLM::Negotiate) &priority=5
{ {
#print request;
} }
event ntlm_challenge(c: connection, challenge: NTLM::Challenge) &priority=5 event ntlm_challenge(c: connection, challenge: NTLM::Challenge) &priority=5
{ {
#print "challenge!!!!!";
#print challenge;
} }
event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5 event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5
@ -48,7 +52,28 @@ event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5
c$ntlm$username = request$user_name; c$ntlm$username = request$user_name;
} }
event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=-5 event gssapi_neg_result(c: connection, state: count) &priority=5
{
if ( c?$ntlm )
c$ntlm$success = (state == 0);
}
event gssapi_neg_result(c: connection, state: count) &priority=-5
{
if ( c?$ntlm )
{
if ( c$ntlm?$username || c$ntlm?$hostname )
{
Log::write(NTLM::LOG, c$ntlm);
c$ntlm$done = T;
}
}
}
event connection_state_remove(c: connection) &priority=-5
{
if ( c?$ntlm && ! c$ntlm$done )
{ {
Log::write(NTLM::LOG, c$ntlm); Log::write(NTLM::LOG, c$ntlm);
} }
}
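Review bot: The `gssapi_neg_result` handler at priority -5 writes the log whenever a username or hostname is known but never tests `c$ntlm$done`, so should a connection carry more than one negotiation result once the username is set, the same record is written to ntlm.log twice; guard it with `if ( ! c$ntlm$done && (c$ntlm?$username || c$ntlm?$hostname) )`. Related, `success: bool &log &default=F` makes a connection where no negotiation result was ever observed (written only from `connection_state_remove`) indistinguishable in the log from an observed rejection, which inflates any failed-authentication count built on this field; `success: bool &log &optional;` would leave the unknown case empty instead. The `export` block is cut by the first hunk, so the record's remaining fields are not visible here.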


@ -1,5 +1,7 @@
## Generated for GSSAPI messages of type *accept-completed*. ## Generated for GSSAPI negotiation results.
## ##
## c: The connection. ## c: The connection.
## ##
event gssapi_accepted%(c: connection%); ## state: The resulting state of the negotiation.
##
event gssapi_neg_result%(c: connection, state: count%);
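Review bot: The new `state` parameter is documented only as "the resulting state of the negotiation", which leaves script authors guessing what the integer means even though the script side of this commit compares it to 0; name the encoding, e.g. `## state: The negState value from the SPNEGO NegTokenResp (RFC 4178): 0 accept-completed, 1 accept-incomplete, 2 reject, 3 request-mic.` Replacing `gssapi_accepted` with `gssapi_neg_result` also removes an event that existing scripts may handle, so a short deprecation note on the old name would help (inferred; no such handlers are visible here).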


@ -1,3 +1,4 @@
refine connection GSSAPI_Conn += { refine connection GSSAPI_Conn += {
%member{ %member{
analyzer::Analyzer *ntlm; analyzer::Analyzer *ntlm;
@ -19,31 +20,25 @@ refine connection GSSAPI_Conn += {
return true; return true;
%} %}
function proc_gssapi_neg_token(val: GSSAPI_NEG_TOKEN): bool function proc_gssapi_neg_result(val: GSSAPI_NEG_TOKEN_RESP_Arg): bool
%{ %{
if ( ${val.is_init} ) if ( gssapi_neg_result )
return true; {
BifEvent::generate_gssapi_neg_result(bro_analyzer(),
bro_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content}));
}
for ( uint i = 0; i < ${val.resp.args}->size(); ++i )
{
switch ( ${val.resp.args[i].seq_meta.index} )
{
case 0:
if ( ${val.resp.args[i].args.neg_state} == 0 )
{
BifEvent::generate_gssapi_accepted(bro_analyzer(),
bro_analyzer()->Conn());
}
break;
default:
break;
}
}
return true; return true;
%} %}
} }
refine typeattr GSSAPI_NEG_TOKEN += &let { refine typeattr GSSAPI_NEG_TOKEN_INIT_Arg_Data += &let {
proc : bool = $context.connection.proc_gssapi_neg_token(this); fwd: bool = $context.connection.forward_ntlm(mech_token, true) &if(index==2);
}; };
refine typeattr GSSAPI_NEG_TOKEN_RESP_Arg += &let {
proc: bool = $context.connection.proc_gssapi_neg_result(this) &if(seq_meta.index==0);
fwd: bool = $context.connection.forward_ntlm(response_token, false) &if(seq_meta.index==2);
};
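Review bot: `proc_gssapi_neg_result` passes `binary_to_int64(${val.neg_state.encoding.content})` straight into an event parameter declared as `count`, so a negative or oversized ASN.1 INTEGER in a NegTokenResp (wire data under the peer's control) is reinterpreted as a large unsigned value and reaches scripts as a plausible-looking `state` instead of being rejected. Only the four RFC 4178 negState values are meaningful, so range-check the decoded value before generating the event and treat anything else as a protocol violation, as below. The removed `switch` walked every response argument while the new `&if(seq_meta.index==0)` fires once per `GSSAPI_NEG_TOKEN_RESP_Arg`; that should be equivalent but is worth confirming against a capture with reordered arguments. `forward_ntlm` and the start of the `%member` block lie outside the hunks.
```binpac
	function proc_gssapi_neg_result(val: GSSAPI_NEG_TOKEN_RESP_Arg): bool
		%{
		// negState is an attacker-controlled ASN.1 INTEGER and the event
		// parameter is a count: reject anything outside the RFC 4178 range
		// before the int64 -> count conversion can turn it into a huge value.
		int64 st = binary_to_int64(${val.neg_state.encoding.content});
		if ( st < 0 || st > 3 )
			{
			bro_analyzer()->ProtocolViolation("invalid negState in GSSAPI NegTokenResp");
			return false;
			}

		if ( gssapi_neg_result )
			{
			BifEvent::generate_gssapi_neg_result(bro_analyzer(),
			                                     bro_analyzer()->Conn(),
			                                     st);
			}

		return true;
		%}
	# … unchanged: refine typeattr blocks …
```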


@ -32,8 +32,6 @@ type GSSAPI_NEG_TOKEN_INIT_Arg_Data(index: uint8) = case index of {
1 -> req_flags : ASN1Encoding; 1 -> req_flags : ASN1Encoding;
2 -> mech_token : bytestring &restofdata; 2 -> mech_token : bytestring &restofdata;
3 -> mech_list_mic : ASN1OctetString; 3 -> mech_list_mic : ASN1OctetString;
} &let {
fwd: bool = $context.connection.forward_ntlm(mech_token, true) &if(index==2);
}; };
type GSSAPI_NEG_TOKEN_RESP = record { type GSSAPI_NEG_TOKEN_RESP = record {
@ -43,14 +41,10 @@ type GSSAPI_NEG_TOKEN_RESP = record {
type GSSAPI_NEG_TOKEN_RESP_Arg = record { type GSSAPI_NEG_TOKEN_RESP_Arg = record {
seq_meta : ASN1EncodingMeta; seq_meta : ASN1EncodingMeta;
args : GSSAPI_NEG_TOKEN_RESP_Arg_Data(seq_meta.index) &length=seq_meta.length; args : case seq_meta.index of {
};
type GSSAPI_NEG_TOKEN_RESP_Arg_Data(index: uint8) = case index of {
0 -> neg_state : ASN1Integer; 0 -> neg_state : ASN1Integer;
1 -> supported_mech : ASN1Encoding; 1 -> supported_mech : ASN1Encoding;
2 -> response_token : bytestring &restofdata; 2 -> response_token : bytestring &restofdata;
3 -> mech_list_mic : ASN1OctetString; 3 -> mech_list_mic : ASN1OctetString;
} &let { } &length=seq_meta.length;
fwd: bool = $context.connection.forward_ntlm(response_token, false) &if(index==2);
}; };