Capture the data that are sent to the logging framework

Good afternoon, I am trying to capture the ntlm script data just before it is sent to the logging framework.

In the known hosts script or the known services script (in the rst file) I have found an event that facilitates this action, but for the ntlm rst I have not found information about it.

So my question is the following:

Is it possible to get the data just before the logging framework acts, or at the same time?

For example like this:

event NTLM::log(c: connection, info: NTLM::Info)
    {
    # Capture the information from the NTLM log
    print fmt("NTLM log captured: %s", info);
    }

If this is not possible, the only option I see to capture this data in my custom script is to define the events through which the ntlm script captures the information, but this option does not seem effective to me because if the ntlm script is updated someday, I will also have to modify that part of my code.

Thank you very much in advance.

You should be able to do this using the NTLM::log_policy hook.

Could you explain to me how to use it?

I understand that it is not like a container in which you have to define the parameters it receives.

I have tried to simply capture it in a variable and then display it, but it doesn't work:

@load policy/tuning
@load base/protocols/ntlm
global result = NTLM::log_policy;
print (result);

Thanks!

The use of log policy hooks is documented at Logging Framework — Book of Zeek (git/master).

Perfect, I have used this method:

hook NTLM::log_policy(rec: NTLM::Info, id: Log::ID, filter: Log::Filter)
    {
    # Let's only log complete information:
    print(rec);
    }

It's the right one, isn't it?

Looks right to me (but this is a feature I haven’t used much so I could be missing something).
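For readers arriving at this thread, the following is an added example (not code from any of the posters) of a complete NTLM::log_policy handler. It assumes a Zeek release that ships Log::PolicyHook (4.0 or later) and the stock base/protocols/ntlm script, which declares NTLM::log_policy. The module name NTLMInspect and the option drop_anonymous are invented for this example; the NTLM::Info field names (username, hostname, domainname, success, id) are the ones the stock script logs.

```zeek
# Added example, not from the thread: inspect (and optionally veto) every
# record just before the logging framework writes it to ntlm.log.
# Assumes Zeek >= 4.0 with base/protocols/ntlm loaded.
@load base/protocols/ntlm

module NTLMInspect;

export {
    ## Hypothetical option for this example: when T, records that carry
    ## no username are dropped from ntlm.log instead of being written.
    option drop_anonymous = F;
}

# A handler for the stream's policy hook. The hook fires once per record,
# after the ntlm script has filled in NTLM::Info and before Log::write
# hands the record to the filter, which is exactly the "just before the
# logging framework acts" moment asked about above.
hook NTLM::log_policy(rec: NTLM::Info, id: Log::ID, filter: Log::Filter)
    {
    # username, hostname, domainname and success are &optional in
    # NTLM::Info, so check presence with ?$ before reading them.
    local user = rec?$username ? rec$username : "<none>";
    local host = rec?$hostname ? rec$hostname : "<none>";
    local dom  = rec?$domainname ? rec$domainname : "<none>";
    local res  = rec?$success ? (rec$success ? "success" : "failure") : "unknown";

    # Failed NTLM authentications are worth surfacing separately for
    # detection purposes; the rest is ordinary inventory of who talked to whom.
    if ( rec?$success && ! rec$success )
        print fmt("NTLM failure %s -> %s as %s\\%s from host %s",
                  rec$id$orig_h, rec$id$resp_h, dom, user, host);
    else
        print fmt("NTLM %s -> %s user=%s\\%s host=%s result=%s",
                  rec$id$orig_h, rec$id$resp_h, dom, user, host, res);

    # Leaving the hook via `break` vetoes this one write: the record never
    # reaches ntlm.log, while all other records are unaffected.
    if ( drop_anonymous && ! rec?$username )
        break;
    }
```

Run it against a capture with `zeek -r some_trace.pcap inspect.zeek` (or place it under site/ and add it to local.zeek for a live sensor). Because the hook is attached to the stream rather than to the protocol events, it keeps working if the ntlm script is updated to gather its fields differently, which addresses the maintenance concern raised in the first post.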