main.zeek¶

Summary¶

`DPD::ignore_violations`: `set` `&redef`
`Log::ID`: `enum`	`NTLM::LOG`
`connection`: `record`	New Fields `connection` ntlm: `NTLM::Info` `&optional`

`NTLM::finalize_ntlm`: `Conn::RemovalHook`	NTLM finalization hook.
`NTLM::log_policy`: `Log::PolicyHook`

NTLM::Info¶

Type

record

ts: time &log: Timestamp for when the event happened.
uid: string &log: Unique ID for the connection.
id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.
username: string &log &optional: Username given by the client.
hostname: string &log &optional: Hostname given by the client.
domainname: string &log &optional: Domainname given by the client.
server_nb_computer_name: string &log &optional: NetBIOS name given by the server in a CHALLENGE.
server_dns_computer_name: string &log &optional: DNS name given by the server in a CHALLENGE.
server_tree_name: string &log &optional: Tree name given by the server in a CHALLENGE.
success: bool &log &optional: Indicate whether or not the authentication was successful.
done: bool &default = F &optional: Internally used field to indicate if the login attempt has already been logged.

NTLM::finalize_ntlm¶

NTLM finalization hook. Remaining NTLM info may get logged when it’s called.

NTLM::log_policy¶