SMB Parsing and dialect

Phuong_Nguyen · November 9, 2006, 2:25am

Hi All,

It appears that the current SMB parser does not maintain result of NEGOTIAGE, mainly the dialect, for parsing dialect dependent request/response. Is this something that will get added in the future? or deemed unnecessary? Thanks

Phuong

Chris_Grier · November 9, 2006, 3:09am

Phuong Nguyen wrote:

Hi All,

It appears that the current SMB parser does not maintain result of NEGOTIAGE, mainly the dialect, for parsing dialect dependent request/response. Is this something that will get added in the future? or deemed unnecessary? Thanks

Phuong

There's an extended version of the SMB parser that maintains the results of many of the SMB packet types, which will probably be integrated in the future. It parses SMB packets in more detail and passes the results out to the policy, including things such as dialects in the SMB_NEGOTIATE packets and the responses.

Vern · November 9, 2006, 8:07am

There's an extended version of the SMB parser that maintains the results
of many of the SMB packet types, which will probably be integrated in
the future.

Yep - it will definitely be integrated, and is targeted as one of the main
additions for the upcoming 1.3 release.

Vern

Topic		Replies	Views
Bro patch Zeek	3	76	May 6, 2022
SMB Zeek	3	67	May 6, 2022
SMB2 - NTLM GSSAPI messages continued Development development	2	99	May 6, 2022
SMB Analyzer code factorization Development development	1	110	May 6, 2022
History or explaination of default analyzer handling of isPartial and hasGap Development development	2	86	May 6, 2022

SMB Parsing and dialect

Related Topics