Improve NTLM authentication logging.

If only one side of a connection was seen, the ntlm.log
would indicate that the authentication failed.  This has been
modified so that the success is listed as null since it's not
known whether or not the authentication was successful.

It can be inferred from continued SMB analysis though because
activity will continue taking place.  I changed it though
because the log shouldn't assume more than what it sees.
This commit is contained in:
Seth Hall 2016-04-13 12:26:07 -04:00
parent dcb8dee3eb
commit a176e053ca

@ -16,7 +16,7 @@ export {
domainname: string &log &optional; domainname: string &log &optional;
## Indicate whether or not the authentication was successful. ## Indicate whether or not the authentication was successful.
success: bool &log &default=F; success: bool &log &optional;
## Internally used field to indicate if the login attempt ## Internally used field to indicate if the login attempt
## has already been logged. ## has already been logged.
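
Review bot: the doc comment on `success` still describes a two-state field, but with `&optional` replacing `&default=F` the field now has three states: T, F, and unset when the outcome was not observed. Suggest extending the comment to say so, for example "## Unset if it is not known whether the authentication succeeded." Any script code that reads `$success` also needs a `?$success` guard from now on, because reading an unset `&optional` field is a runtime error. Consumers of ntlm.log that previously keyed on F should be checked so they do not treat a missing value as either a failure or a success.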