Add success indicator to the ntlm.log.
This changes the single gssapi event slightly too.
This commit is contained in:
parent
b4b9fbb8d2
commit
5d33ac773b
4 changed files with 55 additions and 39 deletions
|
@ -14,6 +14,13 @@ export {
|
|||
username: string &log &optional;
|
||||
hostname: string &log &optional;
|
||||
domainname: string &log &optional;
|
||||
|
||||
## Indicate whether or not the authentication was successful.
|
||||
success: bool &log &default=F;
|
||||
|
||||
## Internally used field to indicate if the login attempt
|
||||
## has already been logged.
|
||||
done: bool &default=F;
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -28,13 +35,10 @@ event bro_init() &priority=5
|
|||
|
||||
event ntlm_negotiate(c: connection, request: NTLM::Negotiate) &priority=5
|
||||
{
|
||||
#print request;
|
||||
}
|
||||
|
||||
event ntlm_challenge(c: connection, challenge: NTLM::Challenge) &priority=5
|
||||
{
|
||||
#print "challenge!!!!!";
|
||||
#print challenge;
|
||||
}
|
||||
|
||||
event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5
|
||||
|
@ -48,7 +52,28 @@ event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5
|
|||
c$ntlm$username = request$user_name;
|
||||
}
|
||||
|
||||
event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=-5
|
||||
event gssapi_neg_result(c: connection, state: count) &priority=5
|
||||
{
|
||||
Log::write(NTLM::LOG, c$ntlm);
|
||||
if ( c?$ntlm )
|
||||
c$ntlm$success = (state == 0);
|
||||
}
|
||||
|
||||
event gssapi_neg_result(c: connection, state: count) &priority=-5
|
||||
{
|
||||
if ( c?$ntlm )
|
||||
{
|
||||
if ( c$ntlm?$username || c$ntlm?$hostname )
|
||||
{
|
||||
Log::write(NTLM::LOG, c$ntlm);
|
||||
c$ntlm$done = T;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
event connection_state_remove(c: connection) &priority=-5
|
||||
{
|
||||
if ( c?$ntlm && ! c$ntlm$done )
|
||||
{
|
||||
Log::write(NTLM::LOG, c$ntlm);
|
||||
}
|
||||
}
|
|
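Review bot: `success` is assigned only inside the `gssapi_neg_result` handler, yet the field is declared `&default=F`, so an NTLM exchange that never yields a SPNEGO negotiation result and is flushed by the `connection_state_remove` fallback at the end of this hunk is logged as a failed logon rather than an unknown one, which will skew any hunt for failed-authentication bursts. Declaring it `success: bool &log &optional;` in the first hunk, with the assignment left as is, keeps "succeeded", "failed" and "no result seen" distinct in the log. The `&priority=-5` handler also never consults `done` before writing, so a second negotiation result on the same connection re-logs the same `c$ntlm` record with whatever fields the earlier attempt left behind; if re-logging repeated logons is intended, a one-line comment saying so would help, otherwise `if ( c$ntlm$done ) return;` at the top of that handler. Since `state == 0` is the only value treated as success, a comment next to that comparison naming the SPNEGO negState values (0 accept-completed, 1 accept-incomplete, 2 reject, 3 request-mic per RFC 4178) would spare readers a trip to the analyzer.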
@ -1,5 +1,7 @@
|
|||
## Generated for GSSAPI messages of type *accept-completed*.
|
||||
## Generated for GSSAPI negotiation results.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
event gssapi_accepted%(c: connection%);
|
||||
## state: The resulting state of the negotiation.
|
||||
##
|
||||
event gssapi_neg_result%(c: connection, state: count%);
|
||||
|
|
|
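Review bot: The new `## state:` line documents only "the resulting state of the negotiation" without the value encoding, so a script author has to read the analyzer source to learn that `0` means accept-completed. I would extend it to `## state: The negState of the NegTokenResp as an integer: 0 accept-completed, 1 accept-incomplete, 2 reject, 3 request-mic (RFC 4178).`. Dropping `gssapi_accepted` is also a user-visible change — any script handling the old event silently stops firing — which deserves a note in the new event's doc, e.g. `## .. note:: This event replaces the former gssapi_accepted event.`, or a changelog entry.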
@ -1,3 +1,4 @@
|
|||
|
||||
refine connection GSSAPI_Conn += {
|
||||
%member{
|
||||
analyzer::Analyzer *ntlm;
|
||||
|
@ -19,31 +20,25 @@ refine connection GSSAPI_Conn += {
|
|||
return true;
|
||||
%}
|
||||
|
||||
function proc_gssapi_neg_token(val: GSSAPI_NEG_TOKEN): bool
|
||||
function proc_gssapi_neg_result(val: GSSAPI_NEG_TOKEN_RESP_Arg): bool
|
||||
%{
|
||||
if ( ${val.is_init} )
|
||||
return true;
|
||||
|
||||
for ( uint i = 0; i < ${val.resp.args}->size(); ++i )
|
||||
if ( gssapi_neg_result )
|
||||
{
|
||||
switch ( ${val.resp.args[i].seq_meta.index} )
|
||||
{
|
||||
case 0:
|
||||
if ( ${val.resp.args[i].args.neg_state} == 0 )
|
||||
{
|
||||
BifEvent::generate_gssapi_accepted(bro_analyzer(),
|
||||
bro_analyzer()->Conn());
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
BifEvent::generate_gssapi_neg_result(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
binary_to_int64(${val.neg_state.encoding.content}));
|
||||
}
|
||||
|
||||
return true;
|
||||
%}
|
||||
}
|
||||
|
||||
refine typeattr GSSAPI_NEG_TOKEN += &let {
|
||||
proc : bool = $context.connection.proc_gssapi_neg_token(this);
|
||||
refine typeattr GSSAPI_NEG_TOKEN_INIT_Arg_Data += &let {
|
||||
fwd: bool = $context.connection.forward_ntlm(mech_token, true) &if(index==2);
|
||||
};
|
||||
|
||||
refine typeattr GSSAPI_NEG_TOKEN_RESP_Arg += &let {
|
||||
proc: bool = $context.connection.proc_gssapi_neg_result(this) &if(seq_meta.index==0);
|
||||
fwd: bool = $context.connection.forward_ntlm(response_token, false) &if(seq_meta.index==2);
|
||||
};
|
||||
|
||||
|
|
|
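Review bot: `proc_gssapi_neg_result` feeds `binary_to_int64(${val.neg_state.encoding.content})` straight into an event whose parameter is declared `count`, so a negState whose ASN.1 INTEGER content is longer than one byte, or has its sign bit set and therefore converts to a negative int64, reaches script-land as a huge unsigned value that no handler will recognise; negState is an ENUMERATED restricted to 0..3 and should normally occupy a single byte. I would bound the conversion before raising the event, e.g. wrap the `generate_gssapi_neg_result` call in `if ( ${val.neg_state.encoding.content}.length() == 1 )`, or flag a protocol violation on the analyzer otherwise if that is the convention elsewhere in this file (the rest of the `GSSAPI_Conn` refinement is outside the hunk). Whether `binary_to_int64` itself tolerates over-long input I cannot tell from here; if it shifts by eight bits per byte it would need the same length check, so a comment on the call stating the one-byte assumption is worthwhile either way.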
@ -32,8 +32,6 @@ type GSSAPI_NEG_TOKEN_INIT_Arg_Data(index: uint8) = case index of {
|
|||
1 -> req_flags : ASN1Encoding;
|
||||
2 -> mech_token : bytestring &restofdata;
|
||||
3 -> mech_list_mic : ASN1OctetString;
|
||||
} &let {
|
||||
fwd: bool = $context.connection.forward_ntlm(mech_token, true) &if(index==2);
|
||||
};
|
||||
|
||||
type GSSAPI_NEG_TOKEN_RESP = record {
|
||||
|
@ -43,14 +41,10 @@ type GSSAPI_NEG_TOKEN_RESP = record {
|
|||
|
||||
type GSSAPI_NEG_TOKEN_RESP_Arg = record {
|
||||
seq_meta : ASN1EncodingMeta;
|
||||
args : GSSAPI_NEG_TOKEN_RESP_Arg_Data(seq_meta.index) &length=seq_meta.length;
|
||||
};
|
||||
|
||||
type GSSAPI_NEG_TOKEN_RESP_Arg_Data(index: uint8) = case index of {
|
||||
0 -> neg_state : ASN1Integer;
|
||||
1 -> supported_mech : ASN1Encoding;
|
||||
2 -> response_token : bytestring &restofdata;
|
||||
3 -> mech_list_mic : ASN1OctetString;
|
||||
} &let {
|
||||
fwd: bool = $context.connection.forward_ntlm(response_token, false) &if(index==2);
|
||||
args : case seq_meta.index of {
|
||||
0 -> neg_state : ASN1Integer;
|
||||
1 -> supported_mech : ASN1Encoding;
|
||||
2 -> response_token : bytestring &restofdata;
|
||||
3 -> mech_list_mic : ASN1OctetString;
|
||||
} &length=seq_meta.length;
|
||||
};
|
||||
|
|
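Review bot: The inlined `args : case seq_meta.index of { 0 -> … 3 -> … }` in `GSSAPI_NEG_TOKEN_RESP_Arg` (like the context `GSSAPI_NEG_TOKEN_INIT_Arg_Data` case above it) has no `default` arm, and `seq_meta.index` comes straight off the wire; as far as I recall binpac throws on an unmatched case value, which aborts parsing of the whole connection on a single unexpected context tag rather than skipping the element. A trailing `default -> unknown : bytestring &restofdata;` arm keeps the parser resilient against malformed or newer SPNEGO tokens, and because `&length=seq_meta.length` already bounds the element that is all the arm needs. The `args` field would also benefit from a comment noting that index 2 is forwarded to the NTLM analyzer from the analyzer-side refinement rather than from this type, since the `&let` that used to do that here was removed.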