base/protocols/ntlm/main.zeek

NTLM
Namespace

NTLM

Imports

base/protocols/conn/removal-hooks.zeek

Summary

Types

NTLM::Info: record

Redefinitions

DPD::ignore_violations: set &redef

Log::ID: enum

connection: record
New Fields

connection

ntlm: NTLM::Info &optional

Hooks

NTLM::finalize_ntlm: Conn::RemovalHook

NTLM finalization hook.

NTLM::log_policy: Log::PolicyHook

Detailed Interface

Types

NTLM::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

username: string &log &optional

Username given by the client.

hostname: string &log &optional

Hostname given by the client.

domainname: string &log &optional

Domainname given by the client.

server_nb_computer_name: string &log &optional

NetBIOS name given by the server in a CHALLENGE.

server_dns_computer_name: string &log &optional

DNS name given by the server in a CHALLENGE.

server_tree_name: string &log &optional

Tree name given by the server in a CHALLENGE.

success: bool &log &optional

Indicate whether or not the authentication was successful.

done: bool &default = F &optional

Internally used field to indicate if the login attempt has already been logged.

Hooks

NTLM::finalize_ntlm
Type

Conn::RemovalHook

NTLM finalization hook. Remaining NTLM info may get logged when it’s called.

NTLM::log_policy
Type

Log::PolicyHook