
- Looser coupling between these analyzers. - New ntlm.log (still pretty early) - Improved string handling for NTLM (convert UTF16 to UTF8) - SMB2 analyzer now supports GSSAPI. - Improved abstraction of DCE_RPC operations (still not finished) - Lots of whitespace cleanup.
refine connection DCE_RPC_Conn += {
	%member{
		// Sub-analyzers that receive the per-PDU authentication blobs.
		// They are owned by this connection object: created in %init and
		// freed in %cleanup. Nothing here attaches them to the analyzer tree.
		analyzer::Analyzer *gssapi;
		analyzer::Analyzer *ntlm;
	%}

	%init{
		// NOTE(review): this block uses `bro_analyzer->Conn()` while
		// forward_auth below calls `bro_analyzer()->Weird(...)`; confirm
		// which accessor this connection actually exposes, since both
		// spellings cannot be right at once.
		gssapi = analyzer_mgr->InstantiateAnalyzer("GSSAPI", bro_analyzer->Conn());
		ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer->Conn());
	%}

	%cleanup{
		// InstantiateAnalyzer may have handed back a null pointer (the
		// forwarding code below guards on that); deleting a null pointer
		// is a no-op in C++, so no extra guard is needed here.
		// NOTE(review): the children are deleted without an explicit Done()
		// call; confirm the Analyzer destructor tolerates that.
		delete gssapi;
		delete ntlm;
	%}

	# Forward the auth trailer of one DCE/RPC PDU to the sub-analyzer that
	# understands its auth type. The blob is untrusted wire data; it is
	# handed over verbatim and the sub-analyzer is responsible for parsing
	# it. Unknown auth types are reported as a weird and otherwise ignored.
	# Always returns true so it can be used as a &let side effect.
	function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool
	%{
		int auth_type = ${auth.type};

		if ( auth_type == 0x0a )
			{
			// NTLM: deliver the raw blob to the NTLM analyzer, if it exists.
			if ( ntlm )
				ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
			}
		// TODO: route the GSSAPI/SPNEGO auth type to `gssapi` the same way,
		// using ${auth.blob} (the earlier stub referenced a non-existent
		// ${data}). The MS-RPCE auth-type table lists 0x09 for
		// GSS_NEGOTIATE; confirm against the spec before enabling.
		else
			bro_analyzer()->Weird(fmt("unknown_dce_rpc_auth_type_%d", auth_type));

		return true;
	%}
};
refine typeattr DCE_RPC_Auth += &let {
	# Invoke forward_auth as a side effect of parsing every DCE_RPC_Auth
	# record, so its blob reaches the matching sub-analyzer.
	# NOTE(review): is_orig is hard-coded to true, so auth blobs parsed from
	# the responder side would be delivered as originator data. The real
	# direction should come from the enclosing flow -- confirm which
	# accessor is available in this context and pass that instead.
	proc = $context.connection.forward_auth(this, true);
}