diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro
index cd2127c605..a486a56290 100644
--- a/scripts/base/protocols/krb/files.bro
+++ b/scripts/base/protocols/krb/files.bro
@@ -78,30 +78,19 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
if ( f$source != "KRB_TCP" && f$source != "KRB" )
return;
- local info: Info;
-
- if ( ! c?$krb )
- {
- info$ts = network_time();
- info$uid = c$uid;
- info$id = c$id;
- }
- else
- info = c$krb;
+ set_session(c);
if ( is_orig )
{
- info$client_cert = f$info;
- info$client_cert_fuid = f$id;
+ c$krb$client_cert = f$info;
+ c$krb$client_cert_fuid = f$id;
}
else
{
- info$server_cert = f$info;
- info$server_cert_fuid = f$id;
+ c$krb$server_cert = f$info;
+ c$krb$server_cert_fuid = f$id;
}
- c$krb = info;
-
Files::add_analyzer(f, Files::ANALYZER_X509);
# Always calculate hashes. They are not necessary for base scripts
# but very useful for identification, and required for policy scripts
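Review bot: The return value of `set_session(c)` on the `set_session(c);` line is dropped, while every caller in main.bro treats a true return as "session already logged, do not touch it"; here a certificate that arrives after the record was written is attached to a record that is never logged again, without any indication that this is deliberate. If it is intended, say so at the call: `set_session(c); # return value ignored on purpose: certs are attached even to an already-logged record`; if not, use the same `if ( set_session(c) ) return;` idiom as main.bro. This also makes files.bro depend on `set_session` from main.bro being loaded first, which presumably the package load order guarantees but is not stated anywhere in this file. The event body continues past the end of the hunk.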
@@ -111,7 +100,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
function fill_in_subjects(c: connection)
{
- if ( !c?$krb )
+ if ( ! c?$krb )
return;
if ( c$krb?$client_cert && c$krb$client_cert?$x509 && c$krb$client_cert$x509?$certificate )
diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro
index fc6abc5bff..02abced683 100644
--- a/scripts/base/protocols/krb/main.bro
+++ b/scripts/base/protocols/krb/main.bro
@@ -10,41 +10,41 @@ export {
type Info: record {
## Timestamp for when the event happened.
- ts: time &log;
+ ts: time &log;
## Unique ID for the connection.
- uid: string &log;
+ uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
- id: conn_id &log;
+ id: conn_id &log;
## Request type - Authentication Service ("AS") or
## Ticket Granting Service ("TGS")
- request_type: string &log &optional;
+ request_type: string &log &optional;
## Client
- client: string &log &optional;
+ client: string &log &optional;
## Service
- service: string &log;
+ service: string &log &optional;
## Request result
- success: bool &log &optional;
+ success: bool &log &optional;
## Error code
- error_code: count &optional;
+ error_code: count &optional;
## Error message
- error_msg: string &log &optional;
+ error_msg: string &log &optional;
## Ticket valid from
- from: time &log &optional;
+ from: time &log &optional;
## Ticket valid till
- till: time &log &optional;
+ till: time &log &optional;
## Ticket encryption type
- cipher: string &log &optional;
+ cipher: string &log &optional;
## Forwardable ticket requested
- forwardable: bool &log &optional;
+ forwardable: bool &log &optional;
## Renewable ticket requested
- renewable: bool &log &optional;
+ renewable: bool &log &optional;
## We've already logged this
- logged: bool &default=F;
+ logged: bool &default=F;
};
## The server response error texts which are *not* logged.
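Review bot: The only substantive change in this hunk is `service: string &log &optional;` — every other line is re-indentation — and the `## Service` comment above it no longer says when the field can be absent. Since the new `krb_ap_request` handler only creates the session without filling in a service, a record written from `connection_state_remove` can lack it; a comment such as `## Service name requested; absent when only an AP request was seen on the connection` would record that. Consumers of krb.log that assumed a non-empty service column are affected by this schema change, which is worth a line in the commit message. The enclosing export block begins before the hunk.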
@@ -80,179 +80,140 @@ event bro_init() &priority=5
Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos"]);
}
-event krb_error(c: connection, msg: Error_Msg) &priority=5
+function set_session(c: connection): bool
{
- local info: Info;
-
- if ( msg?$error_text && msg$error_text in ignored_errors )
+ if ( ! c?$krb )
{
- if ( c?$krb ) delete c$krb;
- return;
+ c$krb = Info($ts = network_time(),
+ $uid = c$uid,
+ $id = c$id);
}
-
- if ( c?$krb && c$krb$logged )
- return;
-
- if ( c?$krb )
- info = c$krb;
-
- if ( ! info?$ts )
- {
- info$ts = network_time();
- info$uid = c$uid;
- info$id = c$id;
- }
-
- if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) )
- info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "",
- msg?$client_realm ? msg$client_realm : "");
-
- info$service = msg$service_name;
- info$success = F;
-
- info$error_code = msg$error_code;
-
- if ( msg?$error_text ) info$error_msg = msg$error_text;
- else if ( msg$error_code in error_msg ) info$error_msg = error_msg[msg$error_code];
-
- c$krb = info;
+
+ return c$krb$logged;
}
-event krb_error(c: connection, msg: Error_Msg) &priority=-5
+function do_log(c: connection)
{
- if ( c?$krb )
+ if ( c?$krb && ! c$krb$logged )
{
Log::write(KRB::LOG, c$krb);
c$krb$logged = T;
}
}
-event krb_as_request(c: connection, msg: KDC_Request) &priority=5
+event krb_error(c: connection, msg: Error_Msg) &priority=5
{
- if ( c?$krb && c$krb$logged )
+ if ( set_session(c) )
return;
- local info: Info;
-
- if ( !c?$krb )
+ if ( msg?$error_text && msg$error_text in ignored_errors )
{
- info$ts = network_time();
- info$uid = c$uid;
- info$id = c$id;
+ if ( c?$krb )
+ delete c$krb;
+
+ return;
}
- else
- info = c$krb;
- info$request_type = "AS";
- info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm);
- info$service = msg$service_name;
+ if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) )
+ c$krb$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "",
+ msg?$client_realm ? msg$client_realm : "");
- if ( msg?$from )
- info$from = msg$from;
+ c$krb$service = msg$service_name;
+ c$krb$success = F;
+ c$krb$error_code = msg$error_code;
- info$till = msg$till;
-
- info$forwardable = msg$kdc_options$forwardable;
- info$renewable = msg$kdc_options$renewable;
-
- c$krb = info;
+ if ( msg?$error_text )
+ c$krb$error_msg = msg$error_text;
+ else if ( msg$error_code in error_msg )
+ c$krb$error_msg = error_msg[msg$error_code];
}
-event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
+event krb_error(c: connection, msg: Error_Msg) &priority=-5
{
- if ( c?$krb && c$krb$logged )
+ do_log(c);
+ }
+
+event krb_as_request(c: connection, msg: KDC_Request) &priority=5
+ {
+ if ( set_session(c) )
return;
- local info: Info;
+ c$krb$request_type = "AS";
+ c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm);
+ c$krb$service = msg$service_name;
- if ( !c?$krb )
- {
- info$ts = network_time();
- info$uid = c$uid;
- info$id = c$id;
- }
- else
- info = c$krb;
+ if ( msg?$from )
+ c$krb$from = msg$from;
+ c$krb$till = msg$till;
- info$request_type = "TGS";
- info$service = msg$service_name;
- if ( msg?$from ) info$from = msg$from;
- info$till = msg$till;
-
- info$forwardable = msg$kdc_options$forwardable;
- info$renewable = msg$kdc_options$renewable;
-
- c$krb = info;
+ c$krb$forwardable = msg$kdc_options$forwardable;
+ c$krb$renewable = msg$kdc_options$renewable;
}
event krb_as_response(c: connection, msg: KDC_Response) &priority=5
{
- local info: Info;
-
- if ( c?$krb && c$krb$logged )
+ if ( set_session(c) )
return;
- if ( c?$krb )
- info = c$krb;
-
- if ( ! info?$ts )
+ if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) )
{
- info$ts = network_time();
- info$uid = c$uid;
- info$id = c$id;
+ c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "",
+ msg?$client_realm ? msg$client_realm : "");
}
- if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) )
- info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? msg$client_realm : "");
-
- info$service = msg$ticket$service_name;
- info$cipher = cipher_name[msg$ticket$cipher];
- info$success = T;
-
- c$krb = info;
+ c$krb$service = msg$ticket$service_name;
+ c$krb$cipher = cipher_name[msg$ticket$cipher];
+ c$krb$success = T;
}
event krb_as_response(c: connection, msg: KDC_Response) &priority=-5
{
- Log::write(KRB::LOG, c$krb);
- c$krb$logged = T;
+ do_log(c);
+ }
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options) &priority=5
+ {
+ if ( set_session(c) )
+ return;
+ }
+
+event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
+ {
+ if ( set_session(c) )
+ return;
+
+ c$krb$request_type = "TGS";
+ c$krb$service = msg$service_name;
+ if ( msg?$from )
+ c$krb$from = msg$from;
+ c$krb$till = msg$till;
+
+ c$krb$forwardable = msg$kdc_options$forwardable;
+ c$krb$renewable = msg$kdc_options$renewable;
}
event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5
{
- local info: Info;
-
- if ( c?$krb && c$krb$logged )
+ if ( set_session(c) )
return;
- if ( c?$krb )
- info = c$krb;
-
- if ( ! info?$ts )
+ if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) )
{
- info$ts = network_time();
- info$uid = c$uid;
- info$id = c$id;
+ c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "",
+ msg?$client_realm ? msg$client_realm : "");
}
- if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) )
- info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? msg$client_realm : "");
-
- info$service = msg$ticket$service_name;
- info$cipher = cipher_name[msg$ticket$cipher];
- info$success = T;
-
- c$krb = info;
+ c$krb$service = msg$ticket$service_name;
+ c$krb$cipher = cipher_name[msg$ticket$cipher];
+ c$krb$success = T;
}
event krb_tgs_response(c: connection, msg: KDC_Response) &priority=-5
{
- Log::write(KRB::LOG, c$krb);
- c$krb$logged = T;
+ do_log(c);
}
event connection_state_remove(c: connection) &priority=-5
{
- if ( c?$krb && ! c$krb$logged )
- Log::write(KRB::LOG, c$krb);
+ do_log(c);
}
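Review bot: `set_session` (the `function set_session(c: connection): bool` line) both creates `c$krb` and returns `c$krb$logged`, and nothing documents that a true return means "already logged, leave the record alone", which is the contract every `if ( set_session(c) ) return;` caller relies on; a header comment like `## Ensures c$krb exists, creating it from the connection if needed. Returns T if this session was already logged, in which case callers must not modify it.` would fix that. In `krb_ap_request` the same idiom is pure side effect because nothing follows the return, so `set_session(c);` states the intent better, and in `krb_error` the `if ( c?$krb )` before `delete c$krb` is always true immediately after `set_session`, so the check can go. Separately, the client string is built as `"%s%s"` with a conditional `/` in `krb_error` but as `"%s/%s"` in both response handlers, which yields a leading `/` when only the realm is known; the hunk rewrites all three places, so it is the moment to align them.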
diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.bro
index e254b6dc26..22fd3c810b 100644
--- a/scripts/policy/protocols/krb/ticket-logging.bro
+++ b/scripts/policy/protocols/krb/ticket-logging.bro
@@ -1,3 +1,7 @@
+##! Add Kerberos ticket hashes to the krb.log
+
+@load base/protocols/krb
+
module KRB;
redef record Info += {
@@ -9,25 +13,11 @@ redef record Info += {
event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
{
- if ( c?$krb && c$krb$logged )
- return;
-
- local info: Info;
+ # Will be overwritten when request is a TGS
+ c$krb$request_type = "AP";
- if ( !c?$krb )
- {
- info$ts = network_time();
- info$uid = c$uid;
- info$id = c$id;
- }
- else
- info = c$krb;
-
- info$request_type = "AP"; # Will be overwritten when request is a TGS
if ( ticket?$ciphertext )
- info$auth_ticket = md5_hash(ticket$ciphertext);
-
- c$krb = info;
+ c$krb$auth_ticket = md5_hash(ticket$ciphertext);
}
event krb_as_response(c: connection, msg: KDC_Response)
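Review bot: `c$krb$request_type = "AP";` now dereferences `c$krb` without a `c?$krb` check; it only works because the base handler for the same event in `base/protocols/krb/main.bro` runs at `&priority=5` and calls `set_session(c)` first, a dependency the moved `# Will be overwritten when request is a TGS` comment does not mention. Make it explicit: `# c$krb is guaranteed by the base krb_ap_request handler (&priority=5), which runs first.` Note also that the dropped `logged` guard means an AP request seen after the record was written still sets `auth_ticket` on a record that will not be logged again; the log output matches the old early return, but the behaviour is no longer visible at this call site.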
@@ -40,4 +30,4 @@ event krb_tgs_response(c: connection, msg: KDC_Response)
{
if ( msg$ticket?$ciphertext )
c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
- }
\ No newline at end of file
+ }
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 8d1a9ff054..a022060cd4 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -72,6 +72,7 @@
@load protocols/http/software.bro
@load protocols/http/var-extraction-cookies.bro
@load protocols/http/var-extraction-uri.bro
+@load protocols/krb/ticket-logging.bro
@load protocols/modbus/known-masters-slaves.bro
@load protocols/modbus/track-memmap.bro
@load protocols/mysql/software.bro
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 9b22c34b71..c291302748 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -247,7 +247,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) ->
@@ -377,7 +377,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -968,7 +968,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG))
@@ -1098,7 +1098,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
0.000000 MetaHookPre CallFunction(NetControl::init, , ())
0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
@@ -1688,7 +1688,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1818,7 +1818,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction NetControl::check_plugins()
0.000000 | HookCallFunction NetControl::init()
0.000000 | HookCallFunction Notice::want_pp()
@@ -2297,6 +2297,7 @@
1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) ->
1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) ->
1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) ->
+1362692527.080972 MetaHookPost CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) ->
1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) ->
1362692527.080972 MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) ->
1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) ->
@@ -2327,6 +2328,7 @@
1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]))
1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T))
1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T))
+1362692527.080972 MetaHookPre CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]))
1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]))
1362692527.080972 MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
@@ -2358,6 +2360,7 @@
1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])
1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=