[Bro-Dev] SMB2 - NTLM GSSAPI messages

Vlad Grigorescu vlad at grigorescu.org
Mon Jan 25 10:39:52 PST 2016

My intention for this was to do the parsing at the PAC level, but it wasn't
possible at the time. In the meantime, BinPAC now supports including files
from other directories, so just how ASN1 is now a BinPAC library shared by
SNMP and Kerberos, I would envision GSSAPI to become a library. This would
also allow parsing of NTLM auth over HTTP.


On Mon, Jan 25, 2016 at 10:33 AM, Seth Hall <seth at icir.org> wrote:

> > On Jan 25, 2016, at 11:17 AM, Martin van Hensbergen <
> martin.vanhensbergen at fox-it.com> wrote:
> >
> > 1) (pac level) Make a separate library of the parsing of the GSSAPI blob
> ( as I think this is independent of whether SMB1 or SMB2 is used ), which
> returns the parsed ASN1 structure when called. Then both the SMB1 and SMB2
> parser can use these functions.
> Yep, that's probably the right way.  We never had enough time to get that
> integrated more cleanly.
> > 2) (bro script level) Make an ASN1 parser at the bro script level that
> does the parsing there. I would not opt for this route as it probably would
> be to slow and then we would have two places where this parsing is done.
> This is almost certainly not a great idea as you learned. :)
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20160125/0ff3330c/attachment.html 

More information about the bro-dev mailing list