> On Feb 2, 2016, at 5:38 AM, Martin van Hensbergen <[email protected]> wrote:
>
> 1) do we all agree that the SMB_NTLM* functions should be renamed to NTLM* or
> am I missing something?

Agreed.

> 2) What is the best way to generate a BifEvent with SMB header and all the
> parsed user/domain/workstation values that were parsed deeper inside the
> protocol layer?

Just generate them with the connection record as an argument and we can tie together the various protocols at the script layer. That gives you the possibility to keep the clean abstraction in the core and all of the messy cross-structure stuff can happen in scripts.

> Any help on this is much appreciated; especially if you think I am
> overlooking a hidden can of worms somewhere ;-)

From what you've described here and in our off-list emails, I think you're on the right track.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
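The script-layer correlation suggested in the reply above, sketched as an added example that is not part of the original message or the project's own code. It assumes the event and record names found in current Zeek releases (`ntlm_authenticate`, `NTLM::Authenticate`, `smb2_message`, `SMB2::Header`), which the thread itself does not name; the module, record and field names are hypothetical.

```zeek
# Added illustration: each analyzer raises its own event with only the
# connection record in common; the script layer joins NTLM identity to SMB2.
module NTLMSMBExample;

export {
	# Hypothetical record holding what the NTLM analyzer parsed.
	type Identity: record {
		user: string &optional;
		domain: string &optional;
		workstation: string &optional;
	};
}

# Hang the parsed identity off the connection so any later event handler
# for the same connection can read it. The field name is hypothetical.
redef record connection += {
	ntlm_smb_example: Identity &optional;
};

# Raised by the NTLM analyzer; it knows nothing about SMB.
event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
	{
	local who = Identity();
	if ( request?$user_name )
		who$user = request$user_name;
	if ( request?$domain_name )
		who$domain = request$domain_name;
	if ( request?$workstation )
		who$workstation = request$workstation;
	c$ntlm_smb_example = who;
	}

# Raised by the SMB analyzer; it knows nothing about NTLM.
event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool)
	{
	# Only annotate client requests seen after authentication was parsed.
	if ( ! is_orig || ! c?$ntlm_smb_example )
		return;

	local who = c$ntlm_smb_example;
	print fmt("%s smb2 command=%d session=%d user=%s domain=%s workstation=%s",
	          c$uid, hdr$command, hdr$session_id,
	          who?$user ? who$user : "-",
	          who?$domain ? who$domain : "-",
	          who?$workstation ? who$workstation : "-");
	}
```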
