From a176e053ca30a22e0ab33703c050794e2eb8e7d6 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 13 Apr 2016 12:26:07 -0400 Subject: [PATCH] Improve NTLM authentication logging. If only one side of a connection was seen, the ntlm.log would indicate that the authentication failed. This has been modified so that the success is listed as null since it's not known whether or not the authentication was successful. It can be inferred from continued SMB analysis though because activity will continue taking place. I changed it though because the log shouldn't assume more than what it sees. --- scripts/base/protocols/ntlm/main.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/protocols/ntlm/main.bro b/scripts/base/protocols/ntlm/main.bro index 484ccf334f..5252157d7c 100644 --- a/scripts/base/protocols/ntlm/main.bro +++ b/scripts/base/protocols/ntlm/main.bro @@ -16,7 +16,7 @@ export { domainname: string &log &optional; ## Indicate whether or not the authentication was successful. - success: bool &log &default=F; + success: bool &log &optional; ## Internally used field to indicate if the login attempt ## has already been logged.
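Review bot: The doc comment above `success` in the `export` record still reads only "Indicate whether or not the authentication was successful." and does not say that the field is now left unset when the outcome was not observed, for example when only one side of the connection was seen. Suggest extending that comment to state that an unset value means unknown rather than failed, so consumers of ntlm.log who previously treated `F` as a failed login do not misread logs written before and after this change. With `&default=F` replaced by `&optional`, any code that reads `success` (none is visible in this hunk) needs a `?$success` presence check before access, and since the diffstat shows only main.bro changed, a test covering a one-sided trace would be worth adding alongside it.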