Mohan Dhawan
In the case of `ncacn_ip_tcp`, the `sec_addr` field in the DCE/RPC `bind_ack` PDU (https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_04) contains a TCP port number, not a named pipe. Mapping this value into a field named...
Yes, phasing out `named_pipe` would be better in my view. But it would be a breaking change in the schema.
> We could give Zeek a customizable table overriding the default mapping of analyzer tags to display names for logging purposes.

This solution would be super helpful.
It all works fine. Thanks!
The solution only works reliably if a single SMB session is mapped to the TCP connection. Even then, a similar condition should ideally be checked for Kerberos as well. However,...
The patch you provided is a reasonable solution under the assumption that a single SMB session maps to a TCP connection. Moreover, `c$ntlm$success` can be `F` depending on `negResult` from...