Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'topic/foxds/dcerpc_auth' of ssh://github.com/fox-ds/zeek

Browse source 
* 'topic/foxds/dcerpc_auth' of ssh://github.com/fox-ds/zeek:
  Fix protocol forwarding in dce_rpc-auth
  Fix protocol forwarding in dce_rpc-auth
This commit is contained in:
Robin Sommer 2021-09-23 17:48:13 +02:00
commit dd5d6e1756
11 changed files with 79 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

11
testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dce_rpc
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
#types time string addr port addr port interval string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.121 58774 10.10.10.100 49676 0.000758 49676 netlogon NetrLogonSamLogonWithFlags
#close XXXX-XX-XX-XX-XX-XX

11
testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
#types time string addr port addr port string string bool string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.121 58774 10.10.10.100 49676 netlogon_dce_rpc_auth_type 68 F zeek DCE_RPC
#close XXXX-XX-XX-XX-XX-XX

11
testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ntlm
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username hostname domainname server_nb_computer_name server_dns_computer_name server_tree_name success
#types time string addr port addr port string string string string string string bool
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.10.10.121 58772 10.10.10.120 54784 - - - CBTH-WS-2 CBTH-WS-2.blackclover.local blackclover.local -
#close XXXX-XX-XX-XX-XX-XX

BIN
testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap Normal file
View file

Binary file not shown.

7
testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek Normal file
View file

@ -0,0 +1,7 @@
# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_netlogon.pcap %INPUT
# @TEST-EXEC: btest-diff weird.log
# @TEST-EXEC: btest-diff dce_rpc.log
@load base/protocols/dce-rpc
@load base/protocols/ntlm
@load base/frameworks/notice/weird

5
testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek Normal file
View file

@ -0,0 +1,5 @@
# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_ntlm.pcap %INPUT
# @TEST-EXEC: btest-diff ntlm.log
@load base/protocols/dce-rpc
@load base/protocols/ntlm

2
testing/external/commit-hash.zeek-testing-private vendored
View file

@ -1 +1 @@
44cc696ed070bf7569848437ab1368d557ace4e5
67f592e6a84d236aaf5cc08c91c71625a095e49a