
If only one side of a connection was seen, ntlm.log would indicate that the authentication failed. This has been changed so that the success field is left unset (logged as null), since it is not known whether the authentication was successful. Success can often still be inferred from continued SMB analysis, because activity will keep taking place on the connection. The log itself, however, shouldn't assume more than what it actually sees.
##! Logging of NTLM authentication attempts to ntlm.log. State is created
##! when an NTLM AUTHENTICATE message is seen and written out once a GSSAPI
##! negotiation result arrives, or when the connection is removed.

module NTLM;
export {
	## The logging stream for ntlm.log.
	redef enum Log::ID += { LOG };

	## Record describing one NTLM authentication attempt. It is created
	## from the AUTHENTICATE message and holds the identity fields the
	## client supplied.
	type Info: record {
		## Timestamp for when the event happened.
		ts : time &log;
		## Unique ID for the connection.
		uid : string &log;
		## The connection's 4-tuple of endpoint addresses/ports.
		id : conn_id &log;

		## User name from the AUTHENTICATE message, if the client sent one.
		username: string &log &optional;
		## Workstation name from the AUTHENTICATE message, if the client sent one.
		hostname: string &log &optional;
		## Domain name from the AUTHENTICATE message, if the client sent one.
		domainname: string &log &optional;

		## Indicate whether or not the authentication was successful.
		## Only set from a GSSAPI negotiation result seen on the same
		## connection. It stays unset (logged as null) when no such
		## result was observed, e.g. when only one side of the
		## connection was seen; do not read an unset value as failure.
		success: bool &log &optional;

		## Internally used field to indicate if the login attempt
		## has already been logged.
		done: bool &default=F;
	};
}
## Per-connection NTLM state. Absent until an AUTHENTICATE message has been
## seen on the connection.
redef record connection += {
	ntlm: Info &optional;
};
## Creates the ntlm.log stream at startup, using :zeek:type:`NTLM::Info`
## as its column layout.
event bro_init() &priority=5
	{
	# Inside ``module NTLM`` the bare ``LOG`` resolves to ``NTLM::LOG``.
	Log::create_stream(LOG, [$columns=Info, $path="ntlm"]);
	}
## Handler for the NTLM NEGOTIATE message. Currently a no-op: per-connection
## state is only created by ``ntlm_authenticate``, so nothing from the
## NEGOTIATE message is recorded in ntlm.log.
##
## c: The connection carrying the NTLM exchange.
##
## request: The parsed NEGOTIATE message (unused).
event ntlm_negotiate(c: connection, request: NTLM::Negotiate) &priority=5
	{
	}
## Handler for the NTLM CHALLENGE message. Currently a no-op: per-connection
## state is only created by ``ntlm_authenticate``, so nothing from the
## CHALLENGE message is recorded in ntlm.log.
##
## c: The connection carrying the NTLM exchange.
##
## challenge: The parsed CHALLENGE message (unused).
event ntlm_challenge(c: connection, challenge: NTLM::Challenge) &priority=5
	{
	}
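## Handler for the NTLM AUTHENTICATE message: starts a fresh ntlm.log entry
## for this connection and fills in the identity fields the client supplied.
##
## c: The connection carrying the NTLM exchange.
##
## request: The parsed AUTHENTICATE message; ``domain_name``, ``workstation``
##          and ``user_name`` are copied into the log record when present.
event ntlm_authenticate(c: connection, request: NTLM::Authenticate) &priority=5
	{
	# A connection may carry more than one AUTHENTICATE message. An earlier
	# attempt is only written out by gssapi_neg_result or by
	# connection_state_remove; if neither has happened yet, flush it now
	# instead of silently dropping it when the record is replaced below.
	if ( c?$ntlm && ! c$ntlm$done )
		{
		Log::write(NTLM::LOG, c$ntlm);
		c$ntlm$done = T;
		}

	c$ntlm = NTLM::Info($ts=network_time(), $uid=c$uid, $id=c$id);

	if ( request?$domain_name )
		c$ntlm$domainname = request$domain_name;

	if ( request?$workstation )
		c$ntlm$hostname = request$workstation;

	if ( request?$user_name )
		c$ntlm$username = request$user_name;
	}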
## Records the outcome of the GSSAPI negotiation on a pending NTLM entry.
##
## c: The connection the negotiation result was seen on.
##
## state: The negotiation state from the GSSAPI result. A value of 0 is
##        recorded as success, any other value as failure. Ignored when no
##        AUTHENTICATE message has been seen on this connection yet.
event gssapi_neg_result(c: connection, state: count) &priority=5
	{
	if ( ! c?$ntlm )
		return;

	local accepted = (state == 0);
	c$ntlm$success = accepted;
	}
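## Writes the pending NTLM entry once the negotiation result is known.
##
## The entry is only written when the client supplied a username or a
## workstation name; an entry lacking both is left for
## connection_state_remove to flush.
##
## c: The connection the negotiation result was seen on.
##
## state: The negotiation state. Not used here; it is consumed by the
##        higher-priority handler that sets ``success``.
event gssapi_neg_result(c: connection, state: count) &priority=-5
	{
	if ( ! c?$ntlm )
		return;

	# If more than one negotiation result is seen after the AUTHENTICATE
	# message, only the first may write this record; otherwise the same
	# entry is repeated in ntlm.log. connection_state_remove applies the
	# same check before writing.
	if ( c$ntlm$done )
		return;

	if ( c$ntlm?$username || c$ntlm?$hostname )
		{
		Log::write(NTLM::LOG, c$ntlm);
		c$ntlm$done = T;
		}
	}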
## Flushes an NTLM entry that was never written by gssapi_neg_result, e.g.
## because no negotiation result was seen on the connection (``success``
## then stays unset) or because the entry had neither a username nor a
## workstation name.
##
## c: The connection being removed from state.
event connection_state_remove(c: connection) &priority=-5
	{
	if ( ! c?$ntlm )
		return;

	if ( c$ntlm$done )
		return;

	Log::write(NTLM::LOG, c$ntlm);
	}