From a836ece4e634181f28d966b0695e8072b8b79dea Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 26 Oct 2016 10:41:08 -0400
Subject: [PATCH] Including a test for raw NTLM in SMB

---
 .../scripts.base.protocols.smb.raw-ntlm/.stdout |   1 +
 testing/btest/Traces/smb/raw_ntlm_in_smb.pcap   | Bin 0 -> 27214 bytes
 .../scripts/base/protocols/smb/raw-ntlm.test    |  14 ++++++++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout
 create mode 100644 testing/btest/Traces/smb/raw_ntlm_in_smb.pcap
 create mode 100644 testing/btest/scripts/base/protocols/smb/raw-ntlm.test

diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout
new file mode 100644
index 0000000000..054c38f738
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout
@@ -0,0 +1 @@
+\xebr\x96\x86\xfc\xaa\xcf\xad\xb14\x18\xfaIG`\xde
diff --git a/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap b/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..8a40175db43205065dfbccfc3d006cf7146778de
GIT binary patch
literal 27214
zcmeHPd3;pm)qd|xHbY>NU?2g6fedRPBq6M_Bq0e&O&~}FBoPRksO({J#V9CP_YD=0
zB6R`9h>8eqU_qr)tAJY(tZkuMV+E>~oqW&p-X(LFxfAX8>-W!h^Lyt`?!EK8=bY!9
z^R6==?|kVAkBATrM}$!D&kfrn#zcSU5ySDGB}Q~E?9wDwbe8W6gvfb6GDqY@Ek3hj
zeLn?d>VdP$n|t5i+Yb+jO`iJtwjT@OiHO{+c)gK|5)&JnvU(NoMR-*7rLO2_ju5@H
zwSj(4+__{$lX@M!SG7C(8y_{uu1ie~VgzMZAbU+z^jXTy8k9E=oPF?g^hJ=r|E9##
z$I=_n1!ZTgJQO9uL(6>Ujvgh^X&H$w?mTdA(bw(1Ua}%i5WTR%klhj8yVoP~P#cTQ
z?%C0;Xqns}49lo??+^Lg*2Kpry*!n2HrSi;`dtwVt|y}RK?70RI!-|5Z-}_3)Q;G}
z74dJ9y{VlI#9$c{AmbD};y_o#)dwl##tZ{7SVkc3DX}9i+}Gd(Haq6jClayvdjs*j
z@@8FayDP{u{dddn4VE1J_a&g~EZICPTZyI*#6$r-*u&bw!v@qOoIdvY=c>Fy#J#}C
zAWQGNBgRO?NF7o0s&C*`3K943up_qL-yoyS0@<_cX@NgAH7uaAGytB|j=VqpvSHKJ
zl#?=!aYY;m&(Dc!8f_q|EGh7$e-QC4WB|=K4a9CAH?U;0V~%oxjHQ#h)`-;efz$!H
zU}`*L$=k+Y$uX9u0$pdxZh;H`PI<E%{8aUU@u(q>@-A;0EU%ik76I{2_y~&)@uqD)
zBHp{%us|?ka(vPgubL47QcyptG;bc>h!|xzPx?_`uZVhPybi)Myxd<>>d#2e%n}|v
z?$1ik$S~dx88SpB?1w+`2<BK8n<?*BVx=jcwU{ywrhKL*`Sdf<k*a8#OM)PAnIYP8
zXVDUb@W!ISh`<|snlIwq-$c!Q8-Mud^LzIyPbwl_?BBKPop#MHDp}I^yYb_GTtAV1
z^g2Wh%}Wn2t=J~kV#Q~`%PR1ac>VTZE5^NWGY~T$h!tO<dKMcm`)-&<#1CQ|5tHK+
zzdo)b*7l+S0J4(GqakqQh04Z}n}~#15zU807x`MbL)1(V!^=xbM~y0z7K!vMpCoSu
zy+kRSF7omJQc)!)3%?j4M&WfVN~XvV>GD<JS}CklDDU;cRo=<Kr>O7U55|h86d{Y1
zY~>N93CWK7jfL!0b+!HikbObBdsTg*>%rI*>a0wV`nC{ahXdL0O%YKqCZNJ^MYf{r
z=YcS7@yAv_((~&{f7tQbM?WrZc?|!`<00{o7>#$4N*6YwzH&6bqeQvr0j2tie7xp~
zp`sVg1){(30LlFcCF~Oscw)YoDys3?Lrg<0Q}8+oM(&04RMg@P`$UvbJ3&%~G2$vQ
z3m~(_B7piuZ^@1j*6UedhJSuhB687Z@=I=Kf!`}pE#jM`Z3k(g-M-{Bo%C#?*-8Bc
zfz*r7!|kK5)FM<REbbr?b03Knb3g-&)$Ki#@^2%eXPhHqa(r~X(QMXc(-n|RySci3
zjK}KsTj3Hy(Cv>JZsEn1Wc=NOvq$kLPvcBC8H;la{ubgKkH5v*c|9-~CVE(0+5d`z
zBg+ylz2(rLu3I9P^>%j(o$fr?Jx^SYG6H{>0NeTS#CCsZ&&f}#rtjUBF@4e40!3;d
zM9qc)`<b+cw14!abDQsfkDm_jaN(Ucyu*ceTDl~ydV%N!SH23aTrGMcOY|36(jWUE
z1k>T0edK=`xDyNehC1rzt+@T{vmZYHVs`TB;$aiN{14Jl>&Ifn>!^ptnuf&lN?Z;*
z+RM#p=;HHrwH>N!l23dw`%+UHf)9!XhW|OHAq-aP#R8dFe`OEC|0p<1pi1cAyzMYU
zX=fL6D0Qd~qz+t!;Eb3uQB?)ODMRTN1m}+}eBw#y#9|FjvEuy=L|n|#lRAQueFY6M
zIX>d_Ejr?>7pcK1#?v?pfacU!5HVgFhgB)acA^r0ZXQx8ibWaHZvY=b7XqCK%G@g1
zC*zW_X(M!w(o_<<%S`CNMIiJO5PIEkEulc(A7WD|x9DfcY$23w3T2M2hx4MVga25f
zMRD0sd`?O;9MXj5WM>yz@V3Ji3w{DlUIr(gal1?w{DJzt3&dxE&SK+a^=}^_;!~Cs
z+(AW5j`uwAlo=5qQ>foMys>hk>K7rB$%)K&Jj-K;b`~{w!?=dt@<0|B0-dQ!#P>Yp
z$!e6zxJ1eKr})GNc+X;EX1mf%GBe-8%*%DPse`~w!k!3K@*rlG8In6P6Ct|Qi)E-R
zN0$!oLmoA}V@Ww4QI94o#IZ_A6fCN8$Dmwjq7$P?OW%fpg$$L{L4njkgKOe_=Pv)$
zObgAmua!^y73eHBqCXzJnuy0gGP{n3m>e%|nqVNdrO5!Yn&#?=H_k*yQu`v_Hd&z@
z*UE(ld0XUMPGZYs*cIR%k4VwP%jfw)I)d&es>v0xdqmbHb6V_I60aRMZ2PRgEax*3
zS1kW^U7O!0{N|e&krrPxkxoO6f7{w8euwugHV4_PU}%C|yx8m@g9gJv4%H<8d+x+?
zlY>BOaigKJqk}}E7IflxumhMcUooH&MUf&-YQ>wnRx_Fl(Nt8H6_*uMR?k~ly%2t_
zJ60%-{s4{gfWczpF#F(><Z#Ax3x|i`6>q^S&W_z;=8!fT)y9V|3A-f@h(DgVfrw>$
z9TDLbdmlC<Laa9o8^xH%NNV^;(Ho}YIjdJpH@xCHC$A9Fe*B;ZrHlZ=C+#K24e~$X
zn%?;d+E*|9pGQ3oUgJTF48usIEh=HLdW|PuiKo{@wYPZ9TXnU8$7_;*dT|9JL!Ba%
z2_Iggd~R68(QBgUHEX2=^qRE_Uxj!=nI0)TQfuC%*2^_9d1Co^j1Tc5L``XuJWrgN
zMDMD(8s{Pu9^-LN*WMT69HqXmxe({WGvqTh-{P$2C7v6aK_Qw*6!m;5I_@*k@n;9q
zuRX=v!Ox5Wxm8HjQ!zxy$Fq}>vUzBt8|OHA6`2I*QgI#d%FvCQ4D1E+)BKeAGqbdD
zC0j&+u5CU(SB!y0Kq57juZ$=m%yQ;Jl9_VQ!bfEEX=k;m7or(&;NUqQl23yM3&ae_
z;)nFQKFm!*9EQ#HgWfU?-jat4EcS@}@k_=}dAd1%0*?n$hpa?I9v|HiTFS}ES7lZu
zqSDp}y9rrrh*dFZM9g``5fKr&HP?&?psw`42)uF5)6uX=4ue2-{}ZVGDm=?#b$?Nz
zB+&h%KQX)ikd<)%_u>9aliH}&Ypp7iW~x!Wqx+Lg8Fwk|+$>o&k9vQ-(xUhKu;kmY
z<oU~X8hW>5<+S7oAnK~vELl-}B@yeH|AV@l0TmIJyz8VHQCDRy1$NABF}%ZyKMbna
z!G?*_h96sO_%>{K95%e-=^veKC@Xffp;7U7t~T5#yX>niUG~6n*bo!jupxTVnm0-t
z-U?OjJlsUQ1hrUfHhl6o5wzikM=dr~5n;nE2n!YQwREl5FoW)ZiflHNSvcl`hAuli
zIeeGB6a!r5j$(A&%f)4gea@)p9e8Rm{_jo1Qe0uNk+D!|F3H$xA>*66+KyG27&?}M
z!Hbs9&%~xs3o+Qxz(R&1JMb5<13wtaYlC2Cjwva30P<8hW_2hTWx4}0h0YphFQ8RR
zy=JR+tO}&&bOTT4Mm}${>Y3YsI6q&AAArunV6LxM*^&!9N0bYNs7WXsqG?$#evQAq
z<7OpzYSMTO|6#!DFDxi1EX*$~7&^RQSbkAKLBX(sp#}N*`8XHm|7vKi@D~g(%r7V|
zC@UCVP&hQ#`j<CC&^AbFArJKB+Z#8((X%nGjYb+$aL0oYd}V2FamlEX5#^P6myQ@S
zssJs0%?7V1FBnzcqp)v&VcyVQg$4aFi{_1w6h7s$X9Z1g{r{U_dxqjN!1n!#e${WE
zqhBFfzcO;@PR9Qkun}f}9orDCy&4m(4Lu8WfKA$tW-4w2>?9eVZ)l#&rAaJ!<a9%P
z?nHdv(^Jb?2(!f46v`cXfbEg-iTUXe18hpuHA``c%wZ>JL8XPof;%D6G-lAEC_OSM
zNz+6k-Ur0c1MKCqiMXS;BO*9?=7<>)`h^@|tNJzhg#+vv=<BfOHb)MyDfymWirWCY
zg=A)ig_&t}wVl$yOsD61=$X@CCgcEHms}lSD>+OA;f@+UfWbuY(Z~TdmHQ6Lg-*fm
z?IbO?6q{-3lm?=YgXlBET9|1e;)ZO+Wq=)kBj-c~#yTQ`=$!QiqMxn<wL%WCRddBr
z`y#4uvO>cETM0M7j#NJ^Kdzcw5!a5%PRvgH;JKqhNiDeYj_3G@({Pj;U(s7}8(_DT
z4zkeVAjjb#duozT-5&VL<RE@j6mo#AYuuOtwyxDPuwk4wz@AZERb7n=bjJ#%(XG%Z
zv{y`6Mh^dRn}x$Yfz;f&@QSkqTF(uM2->LOe;$b6qh=Oc2kNW%sYL9{ofko!&`v5M
zyyERXHm_K3G_jUWsA{98^oDX&X7!44T;;Tjk~1~*0Gl6-Kp98?EEv&V`hbULxA{|k
zf`@KndPsdAMV!Vp7F*}*J0)3q$RM+a<j$?D?YyWa`Q(A8zO;GBW<z^R=S$Zf9&#h4
zkdrSrYEv*biE@1~&70J43ZKD|v#lv4!=ll;rlvvgFbo0JWwRKu<LnBNf#<kp^U;Dh
zlSSOuVirgyXo=Q+-8}2k`SgQ-TRPI67X?!Dy27(g=RaWf10sF^#3&e>#pYQj^RkH;
zm1OoT4H2F-?NT!$OtHhTt)pi(qeso4%`Ew5hT&N^h4w6d5Ur!?nxgy9_N-)9Y&qy@
zoIvmp4TB(B<v>40)Z!Y8&EwW8DbnLC3ov<I>uS4P43BHEex}XirW;mq^tfiI1<RZ~
zIB}Dqd0eKLp?e%}QuAO9W}e%!@`ka4N8FP#_2xf(*0v0{rSzvEedzpiWDYr<yxPoZ
zmy6*g4>SJ^onUa<Ue7;w_Q#qX%)?^!5+&ZZkBI#yI3mJJ-rZ<MgqRJ}S&m-fqjxN&
zJ~%fV<+!HjpNB(x2|vgg0qJJi#EjKeP(*r9H_=U=leAiRc8|tN(Gb<zhcqnyNAH<C
zput*J?@{8FR?>S~n)6lO!*#V?TVhRNz>?pZyayZvS<BITeDt2RtX=xeTFrZ&5KDFM
z;Z0g(ISP;I|BRDb&-pG^`0+oj(H8HRm;AkDp8!|XtnF@%LYW5@CPU0^(RvHEEhyhp
z)qngKb#Z0H9XnU83-2R;;sqSqNm}cESSz%*zBh`#b;~xhZ*^@MNFB=7@>K4#s<qHs
zw%5J2)y0Z<7qzfhy;W=-cnuNb+Bzb_TgPrTBLbwxh+ao;<*GZ95e|#Db~n6rP-t)E
z2a$Hfg#^$JtGCjt-h);yIjObus@u(8H59F2*Hu`E*fJ6AwK@eMJJPU~2$PfIL*=CI
zx>scYgpvp6BuxR+iPHZa(uZdGcV2R`>;elXtHAOh=A;~BhgSp3s|PABQ=GSdMZ~x3
z9TCCuibFP*Lr!t3y@CYcRkSHiDpWW~G3EuWL5?ZTHj<9_Ep!|L9lJrt9shdSMn}jg
zPQ7~Alod}w#i1=Zq8If(^(Twoy925D5wPU>oQa0s9rSov8>EUYUMl+CN5uHij)<`2
zHOR#3^xRH~2r;E9bLj()@sh|pR3&Dxs|_!bHvGNWhWQb&;ZfLd($c$}Z73^tOq52&
zS*SR)4S)EE8ecZhqVZAKFiqMJIKdiIl_fxgJhIqqxVY>CBA)ok5fL_gq|}TEphD)H
zELzH9Lv@0%x$t>#4-4UZL_0iKdB7);UcG8J)T>aoCPNgl0ykJ}uDV=lE6u#hV&=5E
z+HU<}=Hzrt$^>N&a4gCU*(_$(WkY+U%GD1~Cu{9diV$D?*clhlZ|>Y$o|!!a^q`bo
zA!TSzu1%u_Kl+Q=g5COqlbgZGxgiV879`?GAcp4Taygbh`n)3|IJy6IGa@7n!^wp@
zCvl`kJ8YapN>09lY!BcO78@r^m3ESoH5N{81}94}yZ^`8&1{^MxN~wLv$@*Dkdq5F
zPS9Z2qi0Z$OXNbIV5aqcaOGp!XXN8;%al{MCE(*j@-g@ev-ODBB}c*5MInnVMs8mz
z5ug8?g%1@Gd~`TvMx?lg&W<sXBz#aB{-y4u#akS)GDe0YMk3`ppNN*7kxJa6j3*%@
zreI{T@}hK7{NyFd_!fdXk(mD>c)?DcpKfe-gN>K(4H+F{B}v43<hqDQGV+o(XhwU7
zLz$R1{80P*_9{C**}8+f=+^c;_-FpFpA+O`_7|y=d=cVm+^&SuTt;1hMa-$#c{v}`
zbbd_KaSx^+3kp+lWj>m-S=d)uji>e9f0f#@s{PaY9qWQCZP+~5Et16+dQQ<83(wdM
zRKP{JlY>^9c_!k;KwJYoSZtniU*cvW_CDu`NY4Se!TA~>W68=oym8L1Ewt%RkI|#k
zjLA=k8Wi@X^=mTPBWY#Tht5LU5AdGF>O*3?(q6`Pl{vNxuyU7{$;G0I7gTB4I-^(H
z0U#l#Jk@;LLfcd1f$s|O%X}u<&;}6ZLtlbYl}pNVBlj~TuAHd3|1?vPmKjJbECIP^
z2EJ%ek*aq;GJrT6RkGN~t?K?~BDUegR?y^@h6r-+{=|$3kdPfY)m$xw*Avu{`wG?T
z3%oYADwGbAEz91#!V<7G9&GJAGS9>olnT98tyhm{=+x(3ExBhT^}gwKi{AJeMPW58
zd4AwHv))8(HB=FFY8IO%ANuosM7*kvBO)yM`ln_@fK)O}WFzgEVA00+7ZH`%9y=NA
z&BVD1Gyiii@SckI)wnWAp6AQm7*+Vc8voD6-iT?M4c>voF2+xl#@`8v^)LKj-KMY_
z#(xXOpX_hxZ2XvP`-Xef__9|*Q`Mp3JP5&JGgbEZ2{hHWmcBvSTd15{F3w-P-)t%(
zHp_Qw-S!p{anU@B@l`|^KXBBH2(iMnZYhmw-OhV~WMrnTknvXh&tmiS`AR^VdxOQ?
z*q6~g9_CJXcD~Kr1KnG<6t-?W)YeU(5=O4XA^SlGArU!XvGdR;fmTbj%xrg$2M-4%
z54mQmk%zbfw_e{}j}Y+<E?5Vp6AckO+<BuJ5n_eu^|jJ_ebTq^JP%v1Pwk0shiooA
z@s85|4_WMg0QMh;wT}1NzHGC9n4Wkm_WD%0`a!Bj_QVfB%Fvt?+)WF5Yb+KV7f2nJ
z4o=Puc+zY^a<YGkA~r$*78}cJCOu8WBUYAGL~!y43>LKZJBy75K&Baf=a`sU3ttC3
zg_Y%?9#RL{^P7f-P7xh(SG2&JXb~ZsaVD{R^n@m$%twmi<})=-_jydg&ITciEoN?1
zI!Vqf-w7I)4$gLgvnwXS`az>7$S?Ax?7mPb3d%xq@WzwYP0xqg@`CX~tKJUDLi2R%
z7qsfTnHHXQfv1J!slT=^f<8uHy(#|J%We(GfpbKh`GO-Nc>1!T=Qc>=Nj4x<+PR<A
zM)>HRW}cEIPnD7<X$&(@`PigWjDD%g&Ymr<>~xmwSjJJq7S`4F2w<lE+{AZG>_F;p
z?6konjbkU_RX2A2B)8|xv24%j5db^fW_zxGPs8U2>+F06#I2~F#TG@+?m+g=iCS)H
zVKhXrbLtv1B0%Q3N6|&XmriX>QN%F8CnY<XcxQ{EQRo10d*=)^>{nvrBfl~>8f$+1
z9+%2l#_O(}b&;GsZq9<kusOEJN^rJpf|j9a75FZ!6OOZsC}yJ~ssfUQj;NtB^F>-R
zUyqf6)S@VI)^Cns;UPL_t=?3`E>zEA<7~_4<H*^ZhHqfYE%+KDID4SVj0lj$?wqw1
zz5&$M#MuDJ*<#5VecZ+wM}_mzd7Fa5^8}0pr{Y@@{EpoOIWC-n_t)Z+%sWNDbLFqA
z<Zrc^zoMwR+VnQyFLHb@RVR%<SSlQUZ7Fi2_`4sHh2}5!Q(8N^uQ`9Ew*h~{$zR{6
z3~T4;{Cx_<uTVXUjlX@zza`@6rH+W;Z{;^;M1aU|z=qC<?SyYMo-*?{TJpD2@^?Az
z{$l<nU<P28?4DPnD?S12&X%#tZ@#JAZhY63+isFu%Uog6aB%w?)~>Fs{MN*64nV`S
zcJ1&;<G77}&yCwdS!Cjx0~RJ;1Gg*4ZJ)OcCeUY8cU7!u=5g8Rb^v~y6E*7=M?`SD
z^%VngBoU!Un2m1!|Amci2`xNs8{IHVik;O@L*}3XQ_+gL+MbBL6Opl)wg~EtK<>~R
z-Mn(6o8NV#TN$JY9dGrUXu;x2vjuxH-u8i$^L@~#(fW0xbWV-{@mYw)VvD!c|12e9
zg=OwYLj)()-<c5s5^|%Ps$ctGxY2DUawTI({U#Z+;*n&J+fcT<Wac#sGyA~IQp~bH
ze(fDLX5=c$I)|aGE;+Pg#qlX_Bn+>h$xgp$Az>*<I7JeAFE*Quh<5=|AC=oksA!i#
z#I9Q$5kbNTZJ2__S<(tILoNuZs&v33QkCDdYN*)O*RD`{NE>o3IM};S!G_Plh6|@Z
zY_cIL531NQ`)a9pH!2S8$nn3X#{HI9G=46STI`oLZ0M|&>yDgwzt?5RvniH{k6O0s
z^i&aH!@O#Pl?_^Qkwcz!w3OqJC)MW2itzAhdDP$)v5yvnhhM$ZoD&1-=%QT(XJ!LG
z3-`$X%m=&%{|+>yOByV@-HZKowHZmEA#TxM4H}xm2Oz&ngOe+(vof4DlNCRKibK;d
zu#85Fd(%uqMiOWkMjEn<Oh#)?Rdzn;6&RMtVsqttmZ3e%iF%tmd4gsGG(^zwSe6+P
zK%?FJUjgAu#8c+>J5jdZqh<S@gu7_Jdtf(@KJx5_E0p!ShrHraaK>UayC+}iNwY`(
z(d_-j!(jH=SbKP>_-m`#J#mJt7VlTh9$>?}8!n*^Gj}WO*$eRrmPTUKA8W|L&5812
z_<3dRG2_IMHxvnT(EZdS+`P3Fi1-oKi?;vM;o$1Q-YXBio{#!uZVg^j(brhEsE^4}
z7T<P4X`x*Ued1TXs>L<vJ<rDYCmrE4ONLOxCwBB7sjlT%&)V9~YTa1z>Sz2ov2Gs8
zn3c%In70hSgHeF?KNB^SV72ZNT<5f^I^}Br`dd2sdb1!E4|-Uehuz{UV-=$z*)oF6
zm>o#HWDMf#Xl6s}isregjIR+u+yrzMTYRm1?hPWY{;MUvR7Awrx=W1sl86Ag+VEM&
zG}lr1XcTjNb&~OQwT!Q>xNGSjhvJ47ISKjC;}a~_m=nhoG<E1twKvDyC1VhC_<HY8
z`ER~&jXAN^kl!)pIx^-kkE+God?`7;@P*xd>~C3)|E90f8ZB42`A6-GWOHSOg-v`l
zxTHD!<8%gAEw%of;UASi+zhQ)Z2s}|qftcM#2L@v{Hr3uKb~pGzq)_SqJ7uVPLBT3
zNoxj^8^3agIVP@;I>#@q;(f&Hww{+MePpEBM@pL4)n<<1dfwfbs?z%0Y!0D^2(zBo
zNn6kJGW{C)>ewsZx1I78!+|qGJoMb9HumZ@+pBp!&kyDD@C=KMpzL-pkf5&P%>-qR
z0Oe~y`I(;E?351%;%uO?*bu9}>_o(?EgSkYL{L8GpcxS$Vb=3H3$Hh5J?}GAuXkQ;
z5nZ8RoQR0tY+-8+*t(JHdAqN-u@!P-mfDJThJ-S?{>#;p{~SfVE3A6o2ur@h&P&fp
zX1!&)e$?wS7;17G5eNA#+^C4K<c^=rh!9f_h7eOBf~Sk{`Ek#@VZtv{)D$GwNFh6F
z`jV1c$Q*{`>jA}LBVnb|OOi0(Lc%*B;V?+3nDAE{36tE@Y8NgvF%r~;rcT;6iZomS
z6knR5=;5J<%K$L|-~7%;(^`%~i$_1^77bnMXmNiBi^UHIQcJlp>}<L=06~~Pr#Fz}
zfVcy7v)H2HrC(h^#PgO(`b-rO9Ijboa3~Q0a=l>*#{}3_`1;@}a|78&a(KOLAp7I4
zrGad0CxRAgztSt3!J;fyX0fu8Et%!d9|jH4O0k(NYZ8`24&9q!Vir1y-G)An4Q5w1
zm`kNb{qVX}Y9hq_NO2Ag=Kp0Ui`L13bwX#;{2^pJf?fEa<}Paz{O1Jx=Twj3X10lV
zGZ1${aTc5ZY?*Nj5f556&T5G8p9d`-2@pAfybf=i8_;fA1KOqW4Je|lve6w;>Xfz0
zwL$GIeW=vpLnq)v$PT9}>et$QC`^NjP5$yncOqni8qP=jv`su;Fl_Xw=bzD_mO;7D
zE)d&-gbhAnaRCJU@LSoScE^0U)`v1u$ZQ~nZcvNfBBHP)r7RT@E^t+q84(JFX;9OI
zHzKG(tw;4P4Qe0B)+RGs!*8vt?Ueww(toFUAoHP`7sG9kfjg-UYU|Z*mfT-Ny%%t2
zPEauQN`NIdut81x#;i9TFCU1n0iDGbOdGdtBjP<@I3mK5Zzh`&0W#l6UXIDQyYM05
z33G#*Aye3V*`W5qU7<IqKPL?zfhH~uY+p&r91AHMK*}9hgV~a%jpTwz3DdxKZ&U+o
zgo_qF_69cMaW_t{kR#B#xfTZQ2&9hiv4Kr%Vlc2#Z(yHU>vh>1IC%{@J(B2%2u}Nb
zXhsAbVfF_0&=O?u-at)Ve3<WS6K#=9kg89={e)}k>nC~pm6^8@KJaz~yp3zsL6uhH
z4K@fjmgu3SzDSw+^zr1{%Z_~-JeF|ZPul3cfnP(p(5Y{`96sJ*89w$p0&=;j>P)wQ
zLB;brxoy^Y#Us#?#TKx43|dceo5WklRS`k%(Z|e)02#@EU5hvN){ocHMN8h(j?F&(
zo%tLQA%-=@*O_v7nR(^1QIUq?)=m+&68D#^er#bC`>L`B)Wn~R%-w0QnuHX&k%<0f
zQ6d#xEEcQcN>VZ68{Nhq&5CCakfwy<eJXUtcOi2(O@f$*sQ5Yx?3k%~isW>D4SNQk
zkOwL@jvBmc@M>*d4^2{IoBaWf8w5)*cg6L{$(RG=9%TMDAAi1yBk^?n+UOj-n<ak}
zcD|e?l)nwE$t1sXh4)(I(PaDXigIhG21pV%+DYi$8cSn=@ymlrpxMIBTKA+VtT^fJ
zD1&_~S0ek-F63&{VKY~~TZ1e4qeESg9n=<o*VW{Th=(4Ea_RIH%0Yw2@`F$sBG{ic
z!axL_lKn89z6^&>pNHznqXw@H?E8hh^RqjBz7<h!vnUr!dWKo(!LI1u_(`;XuluRF
zi5|LXm`-1YmieOo8=byPD3=GBSnMwF+!u6#$1S70-uMNtGPx_d(<w7ybb;wWM1+Ny
zMY(q!5x4P6??Ig(4G}IdKE;d(pfH`jOyP|R>hyh&>Rmd010`FQpFJ<buIS$Q1+RZE
zcrC`pR+w3oOh_n$DfSUJOFmLey<g;x;9$M+ds}64S9GU!X1!_2VjzYdK^;ma;x(2@
z@7^jREIH|WGa|$c6HHnEg<wi~)HRp}NqP#*!BmEQ(|t-XZT-V>ZAif65Sy~A5y6zD
z1yl5YBbaiaT<BohI+TRn$FBtjxj>&1xWIXKBRW26CX6mH4~U_IY4uG++&IY*5iT(9
zRWoAvVCp5j(LurVEvk13roob}^%l0ygRSep*1NBcR;v$UD@-uSQ3drr?`p~CU!mTs
zEW0WCTo*_k*^witjyZ<jGxe6~smK_YVEW)CB3}Qw#gZx_EIIa51M&C4EmP<z$?RXW
zpKUJsF%z()eHD5VRrnGDzmUK_1i$|@34Mwx+~H3ZsVOHWI>v2>FD7j;V|=@ro{=3v
z&l#=(^__0e(*nT+y~6Ez%Elv&+w+tK$wEiM+&#4RXSo(@p8<a}!QZ(+E0eWb&?Bw{
zB1gY0wuWlsMTdykjZ6E%v85t{zm>&iM1X`D0ryr%z~<@5h7qv*O>OIRWV&$TZ!%b8
zPjM<Lr6#E{uB_!q)^4+~HnXm_FMcHb^s%02e=cjiQE%f|8w|-pvv$D=+IWcN=fC>m
PH_u1DLe^5pnQi<(yueRy

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/smb/raw-ntlm.test b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test
new file mode 100644
index 0000000000..6e09ef7ded
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test
@@ -0,0 +1,14 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/raw_ntlm_in_smb.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ntlm
+@load policy/protocols/smb
+
+# Just verify that the session key is grabbed correctly from NTLM 
+# carried raw over SMB.
+
+event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
+	{
+	if ( request?$session_key )
+		print request$session_key;
+	}
\ No newline at end of file