[Bro] NTLM parsing in DCE RPC

Florent Monjalet florent.monjalet at gmail.com
Thu Jul 7 10:12:21 PDT 2016


On Thu, Jul 7, 2016 at 19:06, Seth Hall <seth at icir.org> wrote:

>
> > On Jul 7, 2016, at 9:45 AM, Florent Monjalet <florent.monjalet at gmail.com>
> wrote:
> >
> > It turns out that for DCE RPC, the NTLM decoding seems broken: the
> > NTLM analyzer is called, but the decoding fails to recognize the
> > message type, and no `ntlm.log` log is produced. It works very well
> > for SMB, though.
>
> I just merged your patch into the topic/seth/smb branch.  I also verified
> that the change doesn't impact the public tests or a private test I'm
> maintaining.
>
> I also did another fix to actually load the DPD signature for DCE-RPC.  It
> makes the port 4997/tcp stuff from that mapi.cap file show up automatically.
>

Great, thanks again for your great work and reactivity!

Florent


> Thanks!
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
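An added illustration, not code from Bro or from either poster, of the field the thread says the analyzer failed to read: a small Python parser that splits the DCE-RPC sec_trailer found at the end of a bind or auth3 PDU, checks that the auth type is NTLMSSP (10), and pulls the NTLM MessageType out of the credential bytes. The two trailers below are constructed samples, not taken from mapi.cap.

```python
import struct

# DCE-RPC sec_trailer auth_type values: 10 is RPC_C_AUTHN_WINNT (NTLMSSP), 9 is SPNEGO.
NTLMSSP_AUTH_TYPE = 10
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample (not a capture): 8-byte sec_trailer (auth_type 10, auth_level 6 =
# packet privacy, no padding, context id 1) followed by a minimal 32-byte NTLM NEGOTIATE.
SAMPLE_NTLM_TRAILER = (
    bytes([NTLMSSP_AUTH_TYPE, 6, 0, 0]) + struct.pack("<I", 1)
    + NTLM_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16
)
# Constructed sample with auth_type 9 (SPNEGO): not an NTLM message, must not be decoded as one.
SAMPLE_SPNEGO_TRAILER = bytes([9, 6, 0, 0]) + struct.pack("<I", 1) + b"\x60\x28\x06\x06"


def parse_sec_trailer(trailer: bytes) -> dict:
    """Split a sec_trailer into its 8-byte header fields and the trailing credential bytes."""
    if len(trailer) < 8:
        raise ValueError("sec_trailer shorter than its 8-byte header")
    auth_type, auth_level, pad_len, _reserved, ctx_id = struct.unpack_from("<BBBBI", trailer)
    return {
        "auth_type": auth_type,
        "auth_level": auth_level,
        "auth_pad_length": pad_len,
        "auth_context_id": ctx_id,
        "credentials": trailer[8:],
    }


def ntlm_message_type(credentials: bytes) -> str:
    """Return the NTLM message type name read from an NTLMSSP message header."""
    if not credentials.startswith(NTLM_SIGNATURE):
        raise ValueError("credential bytes do not start with the NTLMSSP signature")
    if len(credentials) < 12:
        raise ValueError("NTLM header truncated before the MessageType field")
    (msg_type,) = struct.unpack_from("<I", credentials, 8)  # little-endian uint32 at offset 8
    if msg_type not in NTLM_MESSAGE_TYPES:
        raise ValueError(f"unknown NTLM message type {msg_type}")
    return NTLM_MESSAGE_TYPES[msg_type]


def classify_auth_trailer(trailer: bytes):
    """Return the NTLM message type for an NTLMSSP trailer, or None for other auth types."""
    fields = parse_sec_trailer(trailer)
    if fields["auth_type"] != NTLMSSP_AUTH_TYPE:
        return None
    return ntlm_message_type(fields["credentials"])
```

Calling `classify_auth_trailer(SAMPLE_NTLM_TRAILER)` yields `"NEGOTIATE"`, while the SPNEGO sample yields `None`; a trailer whose auth_type is NTLMSSP but whose credentials lack the signature raises rather than silently producing no record.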