Improve Kerberos DPD and fix a few parse errors.

scripts/base/protocols/krb/dpd.sig

@@ -1,7 +1,26 @@
-signature dpd_krb_udp {
+# This is the ASN.1 encoded version and message type headers
+
+signature dpd_krb_udp_requests {
 	ip-proto == udp
-	payload /\x6c...\x30...\xa1\x03\x02\x05/
+	payload /(\x6a|\x6c).{1,4}\x30.{1,4}\xa1\x03\x02\x01\x05\xa2\x03\x02\x01/
 	enable "krb"
 }
 
+signature dpd_krb_udp_replies {
+	ip-proto == udp
+	payload /(\x6b|\x6d|\x7e).{1,4}\x30.{1,4}\xa0\x03\x02\x01\x05\xa1\x03\x02\x01/
+	enable "krb"
+}
+
+signature dpd_krb_tcp_requests {
+	ip-proto == tcp
+	payload /.{4}(\x6a|\x6c).{1,4}\x30.{1,4}\xa1\x03\x02\x01\x05\xa2\x03\x02\x01/
+	enable "krb_tcp"
+}
+
+signature dpd_krb_tcp_replies {
+	ip-proto == tcp
+	payload /.{4}(\x6b|\x6d|\x7e).{1,4}\x30.{1,4}\xa0\x03\x02\x01\x05\xa1\x03\x02\x01/
+	enable "krb_tcp"
+}
 

scripts/base/protocols/krb/main.bro

@@ -77,8 +77,8 @@ const tcp_ports = { 88/tcp, 750/tcp };
 event bro_init() &priority=5
 	{
 	Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb]);
-	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
-	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
+#	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
+#	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
 	}
 
 event krb_error(c: connection, msg: Error_Msg) &priority=5
@@ -114,7 +114,7 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
 	info$result = "failed";
 
 	info$error_code = msg$error_code;
-	
+
 	if ( msg?$error_text )
 		info$error_msg = msg$error_text;
 	else
@@ -128,8 +128,11 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
 
 event krb_error(c: connection, msg: Error_Msg) &priority=-5
 	{
-	Log::write(KRB::LOG, c$krb);
-	c$krb$logged = T;
+	if ( c?$krb )
+		{
+		Log::write(KRB::LOG, c$krb);
+		c$krb$logged = T;
+		}
 	}
 
 event krb_as_req(c: connection, msg: KDC_Request) &priority=5