:tocdepth: 3

base/protocols/ntlm/main.bro
============================
.. bro:namespace:: NTLM


:Namespace: NTLM
:Imports: :doc:`base/frameworks/dpd </scripts/base/frameworks/dpd/index>`, :doc:`base/protocols/smb </scripts/base/protocols/smb/index>`
:Source File: :download:`/scripts/base/protocols/ntlm/main.bro`

Summary
~~~~~~~
Options
#######
========================================================================= =============================================================
:bro:id:`NTLM::auth_failure_statuses`: :bro:type:`set` :bro:attr:`&redef` DOS and NT status codes that indicate authentication failure.
========================================================================= =============================================================

Types
#####
========================================== =
:bro:type:`NTLM::Info`: :bro:type:`record` 
========================================== =

Redefinitions
#############
==================================================================== =
:bro:id:`DPD::ignore_violations`: :bro:type:`set` :bro:attr:`&redef` 
:bro:type:`Log::ID`: :bro:type:`enum`                                
:bro:type:`connection`: :bro:type:`record`                           
==================================================================== =


Detailed Interface
~~~~~~~~~~~~~~~~~~
Options
#######
.. bro:id:: NTLM::auth_failure_statuses

   :Type: :bro:type:`set` [:bro:type:`count`]
   :Attributes: :bro:attr:`&redef`
   :Default:

   ::

      {
         3221225581,
         86900737,
         3221225584,
         3221225585,
         3221225583,
         3221225569,
         146866178,
         3221225586,
         146800642,
         146931714,
         3221225506,
         3221225578
      }

   DOS and NT status codes that indicate authentication failure.

Types
#####
.. bro:type:: NTLM::Info

   :Type: :bro:type:`record`

      ts: :bro:type:`time` :bro:attr:`&log`
         Timestamp for when the event happened.

      uid: :bro:type:`string` :bro:attr:`&log`
         Unique ID for the connection.

      id: :bro:type:`conn_id` :bro:attr:`&log`
         The connection's 4-tuple of endpoint addresses/ports.

      username: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         Username given by the client.

      hostname: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         Hostname given by the client.

      domainname: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         Domain name given by the client.

      success: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
         Indicates whether the authentication was successful.

      status: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         A string representation of the status code that was 
         returned in response to the authentication attempt.

      done: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
         Internally used field to indicate if the login attempt 
         has already been logged.
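
The following is an added example, not part of the Bro distribution: a Python script that reads ``ntlm.log`` records carrying the ``NTLM::Info`` fields above and reports sources whose failed logins cover several usernames within a short window. The function names, thresholds, sample rows and status strings are constructed assumptions; the ``id.orig_h`` style column names assume Bro's usual flattening of the ``id`` record in TSV logs.

```python
from collections import defaultdict

# Constructed ntlm.log excerpt (all values invented). Spaces stand in for the
# tabs of Bro's TSV output and are converted below; "-" marks an unset field.
SAMPLE_LOG = """\
#path ntlm
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username hostname domainname success status
1500000000.0 C1 192.0.2.5 50001 192.0.2.10 445 alice WS1 CORP F LOGON_FAILURE
1500000020.0 C2 192.0.2.5 50002 192.0.2.10 445 bob WS1 CORP F LOGON_FAILURE
1500000040.0 C3 192.0.2.5 50003 192.0.2.10 445 Carol WS1 CORP F LOGON_FAILURE
1500000050.0 C4 192.0.2.7 50010 192.0.2.10 445 erin WS7 CORP F LOGON_FAILURE
1500000055.0 C5 192.0.2.7 50011 192.0.2.10 445 erin WS7 CORP F LOGON_FAILURE
1500000060.0 C6 192.0.2.7 50012 192.0.2.10 445 erin WS7 CORP T SUCCESS
1500000070.0 C7 192.0.2.8 50020 192.0.2.10 445 frank - - - -
1500001000.0 C8 192.0.2.9 50030 192.0.2.10 445 gina WS9 CORP F LOGON_FAILURE
1500002000.0 C9 192.0.2.9 50031 192.0.2.10 445 hank WS9 CORP F LOGON_FAILURE
1500003000.0 C10 192.0.2.9 50032 192.0.2.10 445 ivan WS9 CORP F LOGON_FAILURE
""".replace(" ", "\t")

def read_ntlm_log(text):
    """Yield one dict per record, mapping the unset marker '-' to None."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            values = [None if v == "-" else v for v in line.split("\t")]
            yield dict(zip(fields, values))

def spray_candidates(records, window=300.0, min_users=3):
    """Map each source to the usernames it failed for, if at least
    min_users distinct names fall inside one window (seconds)."""
    failures = defaultdict(list)
    for r in records:
        # success is &optional: an unset value means no verdict was observed,
        # so only an explicit F counts as a failed attempt.
        if r.get("success") == "F" and r.get("username"):
            failures[r["id.orig_h"]].append((float(r["ts"]), r["username"].lower()))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(set(flagged.get(src, [])) | users)
    return flagged
```

Repeated failures for a single username (192.0.2.7) and records without a logged verdict (192.0.2.8) are not reported; only the spread across usernames is.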



