[Bro] NTLM parsing in DCE RPC
florent.monjalet at gmail.com
Thu Jul 7 10:12:21 PDT 2016
On Thu, Jul 7, 2016 at 19:06, Seth Hall <seth at icir.org> wrote:
> > On Jul 7, 2016, at 9:45 AM, Florent Monjalet <florent.monjalet at gmail.com>
> > It turns out that for DCE RPC, the NTLM decoding seems broken: the
> > NTLM analyzer is called, but the decoding fails to recognize the
> > message type, and no `ntlm.log` log is produced. It works very well
> > for SMB, though.
> I just merged your patch into the topic/seth/smb branch. I also verified
> that the change doesn't impact the public tests or a private test I'm
> I also did another fix to actually load the DPD signature for DCE-RPC. It
> makes the port 4997/tcp stuff from that mapi.cap file show up automatically.
Great, thanks again for your great work and reactivity!
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network