[Bro-Dev] SMB2 - NTLM GSSAPI messages
Seth Hall
seth at icir.org
Mon Jan 25 08:33:56 PST 2016
> On Jan 25, 2016, at 11:17 AM, Martin van Hensbergen <martin.vanhensbergen at fox-it.com> wrote:
>
> 1) (pac level) Make a separate library of the parsing of the GSSAPI blob ( as I think this is independent of whether SMB1 or SMB2 is used ), which returns the parsed ASN1 structure when called. Then both the SMB1 and SMB2 parser can use these functions.
Yep, that's probably the right way. We never had enough time to get that integrated more cleanly.
> 2) (bro script level) Make an ASN1 parser at the bro script level that does the parsing there. I would not opt for this route as it probably would be to slow and then we would have two places where this parsing is done.
This is almost certainly not a great idea as you learned. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the bro-dev
mailing list