From bcdba4cc5d992fb064e377d01208175621c84a8b Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 21 Apr 2016 11:37:16 -0400
Subject: [PATCH] In SMB, don't attach the gssapi analyzer until a message is seen.
---
 src/analyzer/protocol/smb/smb-gssapi.pac | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/analyzer/protocol/smb/smb-gssapi.pac b/src/analyzer/protocol/smb/smb-gssapi.pac
index 741f5c5523..004bff776d 100644
--- a/src/analyzer/protocol/smb/smb-gssapi.pac
+++ b/src/analyzer/protocol/smb/smb-gssapi.pac
@@ -5,7 +5,7 @@ refine connection SMB_Conn += {
 %}
 %init{
- gssapi = analyzer_mgr->InstantiateAnalyzer("GSSAPI", bro_analyzer->Conn());
+ gssapi = 0;
 %}
 %cleanup{
@@ -15,6 +15,9 @@ refine connection SMB_Conn += {
 function forward_gssapi(data: bytestring, is_orig: bool): bool
 %{
+ if ( ! gssapi )
+ gssapi = analyzer_mgr->InstantiateAnalyzer("GSSAPI", bro_analyzer()->Conn());
+
 if ( gssapi )
 gssapi->DeliverStream(${data}.length(), ${data}.begin(), is_orig);
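Review bot: In `forward_gssapi`, the only record that instantiation was attempted is the `gssapi` pointer itself, so if `InstantiateAnalyzer` returns null (the `if ( gssapi )` guard that follows suggests it can), the lookup is repeated for every later GSSAPI blob on the connection. Since this path is driven by remote SMB traffic, a one-shot flag would bound that work, e.g. `if ( ! gssapi && ! gssapi_tried ) { gssapi_tried = true; gssapi = analyzer_mgr->InstantiateAnalyzer("GSSAPI", bro_analyzer()->Conn()); }`, where `gssapi_tried` is a hypothetical new member initialised in `%init`. The lazy creation also deserves a comment such as `// Created on the first GSSAPI blob so connections that never authenticate carry no unused analyzer.` The hunk does not show whether the new child analyzer needs any initialisation before its first `DeliverStream`, so that is worth confirming; the function body continues past the end of the hunk.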