Access mask constant 0x01000000 (SYSTEM_SECURITY_ACCESS) is in SACL ACE
list for auditing or alarming access to SACL itself.
---
epan/dissectors/packet-windows-common.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/epan/dissectors/packet-windows-common.c b/epan/dissectors/packet-windows-common.c
index 5709c6e7c31b..056579b027a4 100644
--- a/epan/dissectors/packet-windows-common.c
+++ b/epan/dissectors/packet-windows-common.c
@@ -2203,6 +2203,7 @@ static int hf_access_generic_read;
static int hf_access_generic_write;
static int hf_access_generic_execute;
static int hf_access_generic_all;
+static int hf_access_system_security;
static int hf_access_standard_delete;
static int hf_access_standard_read_control;
static int hf_access_standard_synchronise;
@@ -2285,6 +2286,7 @@ dissect_nt_access_mask(tvbuff_t *tvb, int offset, packet_info *pinfo,
&hf_access_generic_execute,
&hf_access_generic_all,
&hf_access_maximum_allowed,
+ &hf_access_system_security,
NULL
};
@@ -3361,6 +3363,11 @@ proto_do_register_windows_common(int proto_smb)
FT_BOOLEAN, 32, TFS(&tfs_set_notset),
MAXIMUM_ALLOWED_ACCESS, NULL, HFILL }},
+ { &hf_access_system_security,
+ { "System security", "nt.access_mask.system_security",
+ FT_BOOLEAN, 32, TFS(&tfs_set_notset),
+ SYSTEM_SECURITY_ACCESS, NULL, HFILL }},
+
{ &hf_access_standard_read_control,
{ "Read control", "nt.access_mask.read_control",
FT_BOOLEAN, 32, TFS(&tfs_set_notset),
--
2.20.1