[Bro-Dev] SMB2 - NTLM GSSAPI messages continued

Seth Hall seth at icir.org
Tue Feb 2 08:44:56 PST 2016


> On Feb 2, 2016, at 5:38 AM, Martin van Hensbergen <martin.vanhensbergen at fox-it.com> wrote:
> 
> 1) do we all agree that the SMB_NTLM* functions should be renamed to NTLM* or am I missing something?

Agreed.

> 2) What is the best way to generate a BifEvent with SMB header and all the parsed user/domain/workstation values that were parsed deeper inside the protocol layer?

Just generate them with the connection record as an argument and we can tie together the various protocols at the script layer.  That gives you the possibility to keep the clean abstraction in the core and all of the messy cross-structure stuff can happen in scripts.

> Any help on this is much appreciated; especially if you think I am overlooking a hidden can of worms somewhere ;-)

From what you've described here and in our off-list emails, I think you're on the right track.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
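As an added illustration of the script-layer approach described above (not code from this thread or from the Bro project), the following script assumes the NTLM event is declared as `ntlm_authenticate(c: connection, request: NTLM::Authenticate)` with optional `user_name`, `domain_name` and `workstation` fields, and that the SMB analyzer keeps its per-connection state in an optional `c$smb_state` field; both layouts are assumptions here. The core only passes the connection record; deciding whether the NTLM exchange was carried inside SMB happens in the script.

```zeek
# Added example; the event signature and the c$smb_state field are assumptions.
module NTLM_SMB_Correlate;

export {
    ## Raised when an NTLM AUTHENTICATE message arrives on a connection
    ## that the SMB analyzer is also tracking, carrying the parsed identity.
    global smb_ntlm_auth: event(c: connection, user: string,
                                domain: string, workstation: string);
}

event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
    {
    # Correlation happens here, not in the core: the same connection
    # record is what the SMB analyzer hangs its state on.
    if ( ! c?$smb_state )
        return;

    local user = request?$user_name ? request$user_name : "";
    local domain = request?$domain_name ? request$domain_name : "";
    local ws = request?$workstation ? request$workstation : "";

    # An AUTHENTICATE with no user name (e.g. anonymous/null session)
    # is still worth surfacing rather than silently dropping.
    if ( user == "" )
        Reporter::info(fmt("NTLM authenticate without user name on %s", c$uid));

    event NTLM_SMB_Correlate::smb_ntlm_auth(c, user, domain, ws);
    }

event NTLM_SMB_Correlate::smb_ntlm_auth(c: connection, user: string,
                                        domain: string, workstation: string)
    {
    # Consumer side: anything that needs SMB plus NTLM together lives
    # in scripts, keeping the per-protocol analyzers independent.
    Reporter::info(fmt("SMB session %s authenticated as %s\\%s from %s",
                       c$uid, domain, user, workstation));
    }
```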