[Bro] NTLM parsing in DCE RPC

Seth Hall seth at icir.org
Thu Jul 7 10:06:29 PDT 2016


> On Jul 7, 2016, at 9:45 AM, Florent Monjalet <florent.monjalet at gmail.com> wrote:
> 
> It turns out that for DCE RPC, the NTLM decoding seems broken: the
> NTLM analyzer is called, but the decoding fails to recognize the
> message type, and no `ntlm.log` log is produced. It works very well
> for SMB, though.

I just merged your patch into the topic/seth/smb branch.  I also verified that the change doesn't impact the public tests or a private test I'm maintaining.

I also did another fix to actually load the DPD signature for DCE-RPC.  It makes the port 4997/tcp stuff from that mapi.cap file show up automatically.

Thanks!
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
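To make the failure mode in the thread concrete (an NTLM message reaching the analyzer but its type not being recognized), here is an added Python check, not code from this thread or from Bro, that locates the NTLMSSP auth value behind the sec_trailer of a connection-oriented DCE RPC PDU and reads the NTLM message type. The bind PDU is constructed inline with a stand-in body; the function names are mine.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
RPC_C_AUTHN_WINNT = 10  # sec_trailer auth_type for NTLMSSP


def ntlm_message_type(blob: bytes):
    """Return the NTLM message type name, or None if blob is not an NTLMSSP message."""
    if len(blob) < 12 or not blob.startswith(NTLMSSP_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)  # MessageType is always little-endian
    return NTLM_MESSAGE_TYPES.get(msg_type)


def dcerpc_auth_value(pdu: bytes):
    """Return (auth_type, auth_value) from a CO DCE RPC PDU, or None without an auth verifier.

    Common header: ver, minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id.
    The 8-byte sec_trailer sits at frag_length - auth_length - 8; the auth value follows it.
    """
    if len(pdu) < 16:
        return None
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"  # drep byte 0 selects integer byte order
    frag_length, auth_length = struct.unpack_from(endian + "HH", pdu, 8)
    if auth_length == 0 or frag_length > len(pdu):
        return None
    trailer_off = frag_length - auth_length - 8
    if trailer_off < 16:
        return None  # trailer would overlap the header: malformed, do not trust it
    auth_type = pdu[trailer_off]
    return auth_type, pdu[trailer_off + 8:frag_length]


def build_sample_bind() -> bytes:
    """Constructed sample: a bind PDU (ptype 11) carrying an NTLM NEGOTIATE in its auth trailer."""
    ntlm = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + b"\x00" * 16
    body = b"\x00" * 12  # stand-in for the bind body; not a real context list
    trailer = struct.pack("<BBBBI", RPC_C_AUTHN_WINNT, 6, 0, 0, 0)  # auth_level 6 = packet privacy
    frag_length = 16 + len(body) + len(trailer) + len(ntlm)
    header = struct.pack("<BBBBIHHI", 5, 0, 11, 0x03, 0x10, frag_length, len(ntlm), 1)
    return header + body + trailer + ntlm


if __name__ == "__main__":
    auth_type, value = dcerpc_auth_value(build_sample_bind())
    print(auth_type == RPC_C_AUTHN_WINNT, ntlm_message_type(value))
```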
