More SMB/DCERPC/NTLM cleanup.

- NTLM Authentication failures over SMB2 are now marked as such in
   the ntlm.log.
 - Slightly updated filtering mechanism for DCE/RPC operations.
 - Uncommented the atsvc file so it compiles now.
Seth Hall 2016-04-15 10:39:08 -04:00
parent 1fe9e522fb
commit 72f2c2ded2
4 changed files with 78 additions and 61 deletions


@ -52,13 +52,13 @@ event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5
c$ntlm$username = request$user_name;
}
event gssapi_neg_result(c: connection, state: count) &priority=5
event gssapi_neg_result(c: connection, state: count) &priority=3
{
if ( c?$ntlm )
c$ntlm$success = (state == 0);
}
event gssapi_neg_result(c: connection, state: count) &priority=-5
event gssapi_neg_result(c: connection, state: count) &priority=-3
{
if ( c?$ntlm )
{
@ -70,6 +70,18 @@ event gssapi_neg_result(c: connection, state: count) &priority=-5
}
}
event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=3
{
if ( c?$ntlm &&
( c$ntlm?$username || c$ntlm?$hostname ) &&
hdr$status == 0xC000006D )
{
c$ntlm$success = F;
Log::write(NTLM::LOG, c$ntlm);
c$ntlm$done = T;
}
}
event connection_state_remove(c: connection) &priority=-5
{
if ( c?$ntlm && ! c$ntlm$done )