[Bro] NTLM parsing in DCE RPC
Seth Hall
seth at icir.org
Thu Jul 7 10:06:29 PDT 2016
> On Jul 7, 2016, at 9:45 AM, Florent Monjalet <florent.monjalet at gmail.com> wrote:
>
> It turns out that for DCE RPC, the NTLM decoding seems broken: the
> NTLM analyzer is called, but the decoding fails to recognize the
> message type, and no `ntlm.log` log is produced. It works very well
> for SMB, though.
I just merged your patch into the topic/seth/smb branch. I also verified that the change doesn't impact the public tests or a private test I'm maintaining.
I also did another fix to actually load the DPD signature for DCE-RPC. It makes the port 4997/tcp stuff from that mapi.cap file show up automatically.
Thanks!
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
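To make concrete what "recognizing the message type" means in the quoted bug report, here is a small added illustration (not Bro's NTLM analyzer and not the patch discussed above). It locates the NTLMSSP header in a byte string and reads the 4-byte little-endian message-type field that follows the signature, which is the field an analyzer must decode before it can emit an ntlm.log entry. The sample bytes, including the 8-byte DCE RPC auth_verifier prefix (auth_type 10 = NTLMSSP) in front of the second sample, are constructed for this example; the function and constant names are this example's own.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# NTLM message types, carried as a uint32 (little-endian) right after the signature.
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def find_ntlm_message(blob: bytes):
    """Return (offset, type_name) for the first NTLMSSP message in blob.

    Returns None when the signature is absent or the header is truncated,
    so a caller never misreads trailing garbage as a message type.
    """
    off = blob.find(NTLMSSP_SIGNATURE)
    if off < 0 or len(blob) < off + 12:  # signature (8) + message type (4)
        return None
    (msg_type,) = struct.unpack_from("<I", blob, off + 8)
    return off, MESSAGE_TYPES.get(msg_type, "UNKNOWN")


# Constructed sample: a NEGOTIATE message (type 1) with a typical flags word
# and zeroed domain/workstation fields.
NEGOTIATE = (
    NTLMSSP_SIGNATURE
    + struct.pack("<I", 1)
    + struct.pack("<I", 0xE2088297)
    + b"\x00" * 16
)

# Constructed sample: the same message as it would sit behind a DCE RPC
# auth_verifier header (auth_type=10 NTLMSSP, auth_level=6, pad=0,
# reserved=0, auth_context_id=0). An analyzer that only looks at offset 0
# here would not find the signature.
DCE_RPC_AUTH_TRAILER = struct.pack("<BBBBI", 10, 6, 0, 0, 0) + NEGOTIATE

if __name__ == "__main__":
    for name, sample in (("bare", NEGOTIATE), ("dce_rpc", DCE_RPC_AUTH_TRAILER)):
        print(name, find_ntlm_message(sample))
```

Running the block prints the offset and type for both samples; the second one reports the message 8 bytes in, which is the kind of framing difference between SMB- and DCE RPC-carried NTLM that a decoder has to account for.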