Improve Kerberos DPD and fix a few parse errors.

This commit is contained in:
Vlad Grigorescu 2015-01-23 17:22:10 -05:00
parent b8376ca733
commit 1f41c0470c
4 changed files with 88 additions and 61 deletions


@ -1,7 +1,26 @@
signature dpd_krb_udp { # This is the ASN.1 encoded version and message type headers
signature dpd_krb_udp_requests {
ip-proto == udp ip-proto == udp
payload /\x6c...\x30...\xa1\x03\x02\x05/ payload /(\x6a|\x6c).{1,4}\x30.{1,4}\xa1\x03\x02\x01\x05\xa2\x03\x02\x01/
enable "krb" enable "krb"
} }
signature dpd_krb_udp_replies {
ip-proto == udp
payload /(\x6b|\x6d|\x7e).{1,4}\x30.{1,4}\xa0\x03\x02\x01\x05\xa1\x03\x02\x01/
enable "krb"
}
signature dpd_krb_tcp_requests {
ip-proto == tcp
payload /.{4}(\x6a|\x6c).{1,4}\x30.{1,4}\xa1\x03\x02\x01\x05\xa2\x03\x02\x01/
enable "krb_tcp"
}
signature dpd_krb_tcp_replies {
ip-proto == tcp
payload /.{4}(\x6b|\x6d|\x7e).{1,4}\x30.{1,4}\xa0\x03\x02\x01\x05\xa1\x03\x02\x01/
enable "krb_tcp"
}
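Review bot: The byte sequences in the four new signatures are documented only by the one-line comment on the first one, so a reader cannot tell which tag selects which message without decoding DER by hand. I'd extend that comment to name the values, e.g. `# 0x6a/0x6c = AS-REQ/TGS-REQ, 0x6b/0x6d/0x7e = AS-REP/TGS-REP/KRB-ERROR (RFC 4120 application tags); \xa1\x03\x02\x01\x05 (requests) / \xa0\x03\x02\x01\x05 (replies) = pvno 5, followed by the msg-type INTEGER`. Since this commit also comments out the port registration in the main script, these signatures become the only way the analyzer is attached, so their precision now decides coverage. One caveat for the same comment: the `.{1,4}` and `.{4}` wildcards stand in for ASN.1 length bytes and the TCP record-length prefix, and if the signature engine's `.` excludes `\n` (as in flex-derived matchers, which I cannot confirm from here), a length byte of 0x0a would make the signature miss that connection.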


@ -77,8 +77,8 @@ const tcp_ports = { 88/tcp, 750/tcp };
event bro_init() &priority=5 event bro_init() &priority=5
{ {
Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb]); Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb]);
Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports); # Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports); # Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
} }
event krb_error(c: connection, msg: Error_Msg) &priority=5 event krb_error(c: connection, msg: Error_Msg) &priority=5
@ -128,8 +128,11 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
event krb_error(c: connection, msg: Error_Msg) &priority=-5 event krb_error(c: connection, msg: Error_Msg) &priority=-5
{ {
Log::write(KRB::LOG, c$krb); if ( c?$krb )
c$krb$logged = T; {
Log::write(KRB::LOG, c$krb);
c$krb$logged = T;
}
} }
event krb_as_req(c: connection, msg: KDC_Request) &priority=5 event krb_as_req(c: connection, msg: KDC_Request) &priority=5
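Review bot: The two `Analyzer::register_for_ports` calls in `bro_init` are commented out rather than removed, with no explanation, so `udp_ports`/`tcp_ports` (visible in the hunk header) now serve no purpose and the next maintainer cannot tell whether this is temporary. Either delete the lines or replace them with a one-line statement of intent, e.g. `# Port-based activation disabled: the analyzer is attached only by the DPD signatures.` That is worth stating explicitly because it changes coverage: traffic on 88/tcp or 88/udp whose first bytes do not match the signatures is no longer analyzed at all. The `c?$krb` guard in the second hunk is correct, but a reader should know why a `krb_error` event can arrive without a `c$krb` record; a short comment on the `if` naming that case would help.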


@ -432,40 +432,40 @@ refine connection KRB_Conn += {
rv->Assign(9, bytestring_to_val(${msg.args[i].args.e_text.encoding.content})); rv->Assign(9, bytestring_to_val(${msg.args[i].args.e_text.encoding.content}));
break; break;
case 12: case 12:
if ( ${msg.error_code.data.content}[0] == 25 ) // if ( ${msg.error_code.data.content}[0] == 25 )
{ // {
VectorVal* padata = new VectorVal(internal_type("KRB::Type_Value_Vector")->AsVectorType()); // VectorVal* padata = new VectorVal(internal_type("KRB::Type_Value_Vector")->AsVectorType());
for ( uint j = 0; j < ${msg.args[i].args.e_data.padata.padata_elems}->size(); ++j) // for ( uint j = 0; j < ${msg.args[i].args.e_data.padata.padata_elems}->size(); ++j)
{ // {
switch( ${msg.args[i].args.e_data.padata.padata_elems[j].data_type} ) // switch( ${msg.args[i].args.e_data.padata.padata_elems[j].data_type} )
{ // {
case 1: // case 1:
// will be generated as separate event // // will be generated as separate event
break; // break;
case 3: // case 3:
{ // {
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); // RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, new Val(${msg.args[i].args.e_data.padata.padata_elems[j].data_type}, TYPE_COUNT)); // type_val->Assign(0, new Val(${msg.args[i].args.e_data.padata.padata_elems[j].data_type}, TYPE_COUNT));
type_val->Assign(1, bytestring_to_val(${msg.args[i].args.e_data.padata.padata_elems[j].pa_data_element.pa_pw_salt.encoding.content})); // type_val->Assign(1, bytestring_to_val(${msg.args[i].args.e_data.padata.padata_elems[j].pa_data_element.pa_pw_salt.encoding.content}));
padata->Assign(padata->Size(), type_val); // padata->Assign(padata->Size(), type_val);
break; // break;
} // }
default: // default:
{ // {
if ( ${msg.args[i].args.e_data.padata.padata_elems[j].pa_data_element.unknown}.length() ) // if ( ${msg.args[i].args.e_data.padata.padata_elems[j].pa_data_element.unknown}.length() )
{ // {
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); // RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, new Val(${msg.args[i].args.e_data.padata.padata_elems[j].data_type}, TYPE_COUNT)); // type_val->Assign(0, new Val(${msg.args[i].args.e_data.padata.padata_elems[j].data_type}, TYPE_COUNT));
type_val->Assign(1, bytestring_to_val(${msg.args[i].args.e_data.padata.padata_elems[j].pa_data_element.unknown})); // type_val->Assign(1, bytestring_to_val(${msg.args[i].args.e_data.padata.padata_elems[j].pa_data_element.unknown}));
padata->Assign(padata->Size(), type_val); // padata->Assign(padata->Size(), type_val);
} // }
break; // break;
} // }
} // }
} // }
rv->Assign(10, padata); // rv->Assign(10, padata);
} // }
break; break;
default: default:
break; break;
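Review bot: Commenting out the whole error-code-25 branch also disables `rv->Assign(10, padata)`, so field 10 of the Error_Msg record is never set on this path; if that field is not declared `&optional` (its declaration is outside this diff), script consumers reading it would hit an unset field. Thirty commented lines with no explanation are hard to maintain; since the code is in version control, I'd delete the block, or at minimum put a `// TODO` at its top saying why it is parked (the e_data grammar changes in this same commit to KRB_ERROR_E_Data / KRB_ERROR_PA_Data, so the `${msg.args[i].args.e_data.padata.padata_elems}` path presumably no longer resolves) and what must hold to re-enable it. Error code 25 is KDC_ERR_PREAUTH_REQUIRED, the reply that carries the pre-authentication hints, so leaving it unparsed drops the most informative padata this analyzer could log. The enclosing `case 12:` switch and the function around it start and end outside the hunk.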


@ -36,30 +36,30 @@ type KRB_PDU = record {
} &byteorder=bigendian; } &byteorder=bigendian;
type KRB_AS_REQ = record { type KRB_AS_REQ = record {
data: KRB_KDC_REQ; data: KRB_KDC_REQ(AS_REQ);
}; };
type KRB_TGS_REQ = record { type KRB_TGS_REQ = record {
data: KRB_KDC_REQ; data: KRB_KDC_REQ(TGS_REQ);
}; };
type KRB_AS_REP = record { type KRB_AS_REP = record {
data: KRB_KDC_REP; data: KRB_KDC_REP(AS_REP);
}; };
type KRB_TGS_REP = record { type KRB_TGS_REP = record {
data: KRB_KDC_REP; data: KRB_KDC_REP(TGS_REP);
}; };
### KDC_REQ ### KDC_REQ
type KRB_KDC_REQ = record { type KRB_KDC_REQ(pkt_type: uint8) = record {
seq_meta : ASN1EncodingMeta; seq_meta : ASN1EncodingMeta;
pvno : SequenceElement(true); pvno : SequenceElement(true);
msg_type : SequenceElement(true); msg_type : SequenceElement(true);
padata_meta: ASN1EncodingMeta; padata_meta: ASN1EncodingMeta;
tmp1 : case has_padata of { tmp1 : case has_padata of {
true -> padata : KRB_PA_Data_Sequence &length=padata_meta.length; true -> padata : KRB_PA_Data_Sequence(pkt_type) &length=padata_meta.length;
false -> n1 : empty; false -> n1 : empty;
}; };
tmp2 : case has_padata of { tmp2 : case has_padata of {
@ -72,16 +72,19 @@ type KRB_KDC_REQ = record {
body_length: uint64 = has_padata ? meta2.length : padata_meta.length; body_length: uint64 = has_padata ? meta2.length : padata_meta.length;
}; };
type KRB_PA_Data_Sequence = record { type KRB_PA_Data_Sequence(pkt_type: uint8) = record {
seq_meta : ASN1EncodingMeta; seq_meta : ASN1EncodingMeta;
padata_elems: KRB_PA_Data[]; padata_elems: KRB_PA_Data(pkt_type)[];
}; };
type KRB_PA_Data = record { type KRB_PA_Data(pkttype: uint8) = record {
seq_meta : ASN1EncodingMeta; seq_meta : ASN1EncodingMeta;
pa_data_type : SequenceElement(true); pa_data_type : SequenceElement(true);
pa_data_elem_meta : ASN1EncodingMeta; pa_data_elem_meta : ASN1EncodingMeta;
pa_data_element : KRB_PA_Data_Element(data_type, pa_data_elem_meta.length); have_data : case ( pkttype == 30 ) of {
true -> pa_data_placeholder: bytestring &length=pa_data_elem_meta.length;
false -> pa_data_element : KRB_PA_Data_Element(binary_to_int64(pa_data_type.data.content), pa_data_elem_meta.length);
};
} &let { } &let {
data_type: int64 = binary_to_int64(pa_data_type.data.content); data_type: int64 = binary_to_int64(pa_data_type.data.content);
}; };
@ -275,13 +278,13 @@ type KRB_Encrypted_Data = record {
### KDC_REP ### KDC_REP
type KRB_KDC_REP = record { type KRB_KDC_REP(pkt_type: uint8) = record {
seq_meta : ASN1EncodingMeta; seq_meta : ASN1EncodingMeta;
pvno : SequenceElement(true); pvno : SequenceElement(true);
msg_type : SequenceElement(true); msg_type : SequenceElement(true);
padata_meta : ASN1EncodingMeta; padata_meta : ASN1EncodingMeta;
tmp1 : case has_padata of { tmp1 : case has_padata of {
true -> padata : KRB_PA_Data_Sequence &length=padata_meta.length; true -> padata : KRB_PA_Data_Sequence(pkt_type) &length=padata_meta.length;
false -> n1 : empty; false -> n1 : empty;
}; };
tmp2 : case has_padata of { tmp2 : case has_padata of {
@ -387,17 +390,19 @@ type KRB_ERROR_Arg_Data(index: uint8, error_code: uint64) = case index of {
9 -> realm : ASN1OctetString; 9 -> realm : ASN1OctetString;
10 -> sname : KRB_Principal_Name; 10 -> sname : KRB_Principal_Name;
11 -> e_text : ASN1OctetString; 11 -> e_text : ASN1OctetString;
12 -> e_data : KRB_ERROR_PA_Data(error_code); 12 -> e_data : KRB_ERROR_E_Data(error_code);
}; };
type KRB_ERROR_PA_Data(error_code: uint64) = record { type KRB_ERROR_E_Data(error_code: uint64) = case ( error_code == 25 ) of {
have_padata1: case ( error_code == 25 ) of { true -> padata : KRB_ERROR_PA_Data;
true -> meta1 : ASN1EncodingMeta; false -> unknown : bytestring &restofdata;
false -> data : ASN1OctetString; };
};
have_padata2: case ( error_code == 25 ) of { type KRB_ERROR_PA_Data = record {
true -> padata : KRB_PA_Data_Sequence; meta : ASN1EncodingMeta;
false -> n1 : empty; have_padata : case ( meta.tag == 30 ) of {
true -> padata : KRB_PA_Data_Sequence(KRB_ERROR);
false -> unknown : bytestring &restofdata;
}; };
}; };
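Review bot: In the last hunk, `have_padata : case ( meta.tag == 30 )` compares an ASN.1 tag against decimal 30 (0x1e), but the METHOD-DATA carried in e-data for error 25 is a SEQUENCE OF PA-DATA, whose tag byte is 0x30 (48); if `ASN1EncodingMeta.tag` holds the raw tag byte (its definition is outside this diff), this branch never selects `padata` and every such message falls into `unknown`. The other two `30`s in this section (`pkttype == 30` in KRB_PA_Data and `KRB_PA_Data_Sequence(KRB_ERROR)`) are the KRB-ERROR message type rather than a tag, which makes the literal in KRB_ERROR_PA_Data look like a decimal/hex mix-up. I'd write `have_padata : case ( meta.tag == 0x30 ) of { # SEQUENCE OF PA-DATA (METHOD-DATA)` and use the `KRB_ERROR` constant for both message-type checks instead of a bare `30`. The parameter is spelled `pkt_type` in KRB_KDC_REQ, KRB_KDC_REP and KRB_PA_Data_Sequence but `pkttype` in KRB_PA_Data; one spelling would be better. Several of these records (the `tmp2` cases and the KRB_ERROR_Arg_Data header) continue outside their hunks.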