mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
115 lines
2.8 KiB
Text
115 lines
2.8 KiB
Text
@load base/frameworks/dpd
|
|
|
|
module NTLM;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
type Info: record {
|
|
## Timestamp for when the event happened.
|
|
ts : time &log;
|
|
## Unique ID for the connection.
|
|
uid : string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id : conn_id &log;
|
|
|
|
## Username given by the client.
|
|
username : string &log &optional;
|
|
## Hostname given by the client.
|
|
hostname : string &log &optional;
|
|
## Domainname given by the client.
|
|
domainname : string &log &optional;
|
|
|
|
## NetBIOS name given by the server in a CHALLENGE.
|
|
server_nb_computer_name: string &log &optional;
|
|
## DNS name given by the server in a CHALLENGE.
|
|
server_dns_computer_name: string &log &optional;
|
|
## Tree name given by the server in a CHALLENGE.
|
|
server_tree_name: string &log &optional;
|
|
|
|
## Indicate whether or not the authentication was successful.
|
|
success : bool &log &optional;
|
|
|
|
## Internally used field to indicate if the login attempt
|
|
## has already been logged.
|
|
done: bool &default=F;
|
|
};
|
|
}
|
|
|
|
redef DPD::ignore_violations += { Analyzer::ANALYZER_NTLM };
|
|
|
|
redef record connection += {
|
|
ntlm: Info &optional;
|
|
};
|
|
|
|
event zeek_init() &priority=5
|
|
{
|
|
Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm"]);
|
|
}
|
|
|
|
function set_session(c: connection)
|
|
{
|
|
if ( ! c?$ntlm )
|
|
c$ntlm = NTLM::Info($ts=network_time(), $uid=c$uid, $id=c$id);
|
|
}
|
|
|
|
event ntlm_negotiate(c: connection, request: NTLM::Negotiate) &priority=5
|
|
{
|
|
set_session(c);
|
|
}
|
|
|
|
event ntlm_challenge(c: connection, challenge: NTLM::Challenge) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
if ( challenge?$target_info )
|
|
{
|
|
local ti = challenge$target_info;
|
|
if ( ti?$nb_computer_name )
|
|
c$ntlm$server_nb_computer_name = ti$nb_computer_name;
|
|
if ( ti?$dns_computer_name )
|
|
c$ntlm$server_dns_computer_name = ti$dns_computer_name;
|
|
if ( ti?$dns_tree_name )
|
|
c$ntlm$server_tree_name = ti$dns_tree_name;
|
|
}
|
|
}
|
|
|
|
event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5
|
|
{
|
|
set_session(c);
|
|
|
|
if ( request?$domain_name )
|
|
c$ntlm$domainname = request$domain_name;
|
|
if ( request?$workstation )
|
|
c$ntlm$hostname = request$workstation;
|
|
if ( request?$user_name )
|
|
c$ntlm$username = request$user_name;
|
|
}
|
|
|
|
event gssapi_neg_result(c: connection, state: count) &priority=3
|
|
{
|
|
# Ignore "incomplete" replies (state==1)
|
|
if ( c?$ntlm && state != 1 )
|
|
c$ntlm$success = (state == 0);
|
|
}
|
|
|
|
event gssapi_neg_result(c: connection, state: count) &priority=-3
|
|
{
|
|
if ( c?$ntlm && ! c$ntlm$done )
|
|
{
|
|
# Only write if success is actually set to something...
|
|
if ( c$ntlm?$success )
|
|
{
|
|
Log::write(NTLM::LOG, c$ntlm);
|
|
c$ntlm$done = T;
|
|
}
|
|
}
|
|
}
|
|
|
|
event connection_state_remove(c: connection) &priority=-5
|
|
{
|
|
if ( c?$ntlm && ! c$ntlm$done )
|
|
{
|
|
Log::write(NTLM::LOG, c$ntlm);
|
|
}
|
|
}
|