[Bro] Capturing active directory authentication

Seth Hall seth at broala.com
Tue May 17 18:30:29 PDT 2016

> On May 17, 2016, at 7:12 AM, Monah Baki <monahbaki at gmail.com> wrote:
> Our bro sensor is connected to a tap, I would like to capture users Active directory and their IP address for tracking purposes. Is this possible?

It should be in Bro 2.5.  There is an SMB analyzer in development that includes an NTLM analyzer.


Seth Hall * Broala * seth at broala.com * www.broala.com

More information about the Bro mailing list