Pushing out the new NTLM and GSSAPI analyzers.

I accidentally left these out of the previous commit.
2025-10-12 03:28:19 +00:00 · 2016-04-03 04:18:45 -04:00 · 2016-04-03 04:18:45 -04:00 · d6e01b7769
commit d6e01b7769
parent 5b5589e167
18 changed files with 894 additions and 0 deletions
--- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac
+++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac
@ -0,0 +1,49 @@
+refine connection GSSAPI_Conn += {
+	%member{
+		analyzer::Analyzer *ntlm;
+	%}
+
+	%init{
+		ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer->Conn());
+	%}
+
+	%cleanup{
+		if ( ntlm )
+			delete ntlm;
+	%}
+
+	function forward_ntlm(data: bytestring, is_orig: bool): bool
+		%{
+		if ( ntlm )
+			ntlm->DeliverStream(${data}.length(), ${data}.begin(), is_orig);
+		return true;
+		%}
+
+	function proc_gssapi_neg_token(val: GSSAPI_NEG_TOKEN): bool
+		%{
+		if ( ${val.is_init} )
+			return true;
+		
+		for ( uint i = 0; i < ${val.resp.args}->size(); ++i )
+			{
+			switch ( ${val.resp.args[i].seq_meta.index} )
+				{
+				case 0:
+					if ( ${val.resp.args[i].args.neg_state} == 0 )
+						{
+						BifEvent::generate_gssapi_accepted(bro_analyzer(), 
+						                                   bro_analyzer()->Conn());
+						}
+					break;
+				
+				default:
+					break;
+				}
+			}
+		return true;
+		%}
+}
+
+refine typeattr GSSAPI_NEG_TOKEN += &let {
+	proc : bool = $context.connection.proc_gssapi_neg_token(this);
+};