diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro
index 3d14ce1281..807b503d72 100644
--- a/scripts/base/protocols/krb/files.bro
+++ b/scripts/base/protocols/krb/files.bro
@@ -10,14 +10,14 @@ export {
 # Client certificate
 client_cert: Files::Info &optional;
 # Subject of client certificate, if any
- client_cert_subject:string &log &optional;
+ client_cert_subject: string &log &optional;
 # File unique ID of client cert, if any
 client_cert_fuid: string &log &optional;
 # Server certificate
 server_cert: Files::Info &optional;
 # Subject of server certificate, if any
- server_cert_subject:string &log &optional;
+ server_cert_subject: string &log &optional;
 # File unique ID of server cert, if any
 server_cert_fuid: string &log &optional;
 };
@@ -58,8 +58,8 @@ function describe_file(f: fa_file): string
 }
 return cat("Serial: ", f$info$x509$certificate$serial, " Subject: ",
- f$info$x509$certificate$subject, " Issuer: ",
- f$info$x509$certificate$issuer);
+ f$info$x509$certificate$subject, " Issuer: ",
+ f$info$x509$certificate$issuer);
 }
 event bro_init() &priority=5
@@ -103,7 +103,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 c$krb = info;
 Files::add_analyzer(f, Files::ANALYZER_X509);
- # always calculate hashes. They are not necessary for base scripts
+ # Always calculate hashes. They are not necessary for base scripts
 # but very useful for identification, and required for policy scripts
 Files::add_analyzer(f, Files::ANALYZER_MD5);
 Files::add_analyzer(f, Files::ANALYZER_SHA1);
diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro
index f052a6a322..c126db657e 100644
--- a/scripts/base/protocols/krb/main.bro
+++ b/scripts/base/protocols/krb/main.bro
@@ -58,7 +58,7 @@ export {
 # log NEEDED_PREAUTH.
 "NEEDED_PREAUTH",
 # This is a more specific version of NEEDED_PREAUTH that's used
- # by Winodws AD Kerberos.
+ # by Windows AD Kerberos.
 "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
 } &redef;
@@ -82,8 +82,7 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
 if ( msg?$error_text && msg$error_text in ignored_errors )
 {
- if ( c?$krb )
- delete c$krb;
+ if ( c?$krb ) delete c$krb;
 return;
 }
@@ -100,23 +99,17 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
 info$id = c$id;
 }
- if ( ! info?$client )
- if ( msg?$client_name || msg?$client_realm )
- info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "",
- msg?$client_realm ? msg$client_realm : "");
+ if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) )
+ info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "",
+ msg?$client_realm ? msg$client_realm : "");
 info$service = msg$service_name;
 info$result = "failed";
 info$error_code = msg$error_code;
- if ( msg?$error_text )
- info$error_msg = msg$error_text;
- else
- {
- if ( msg$error_code in error_msg )
- info$error_msg = error_msg[msg$error_code];
- }
+ if ( msg?$error_text ) info$error_msg = msg$error_text;
+ else if ( msg$error_code in error_msg ) info$error_msg = error_msg[msg$error_code];
 c$krb = info;
 }
@@ -158,15 +151,13 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5
 {
 if ( msg$host_addrs[i]?$ip )
 {
- if ( ! info?$network_addrs )
- info$network_addrs = vector();
+ if ( ! info?$network_addrs ) info$network_addrs = vector();
 info$network_addrs[|info$network_addrs|] = msg$host_addrs[i]$ip;
 }
 if ( msg$host_addrs[i]?$netbios )
 {
- if ( ! info?$netbios_addrs )
- info$netbios_addrs = vector();
+ if ( ! info?$netbios_addrs ) info$netbios_addrs = vector();
 info$netbios_addrs[|info$netbios_addrs|] = msg$host_addrs[i]$netbios;
 }
 }
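Review bot: The rewritten guards in krb_error (`if ( c?$krb ) delete c$krb;`, the one-line `if ( msg?$error_text ) info$error_msg = msg$error_text;` / `else if ( ... ) info$error_msg = error_msg[msg$error_code];`) and in krb_as_request (`if ( ! info?$network_addrs ) info$network_addrs = vector();`, likewise for `netbios_addrs`) put the statement on the condition line, while the surrounding code in the same hunks keeps bodies on their own line (`return;` inside the `ignored_errors` block, the braced `if` blocks in krb_as_request); the same pattern appears in krb_tgs_request (`info$from`) in the next hunk. Behaviour is unchanged — folding the two nested `if`s into `! info?$client && ( ... )` and the `else { if ... }` into `else if` are equivalent — so this is purely a readability point, and the `else if` line in particular is long enough that keeping the assignment on its own line reads better. Either keep the existing body-on-next-line style throughout these handlers or apply the one-line form consistently, but not both within one function.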
@@ -191,8 +182,7 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
 info$uid = c$uid;
 info$id = c$id;
 info$service = msg$service_name;
- if ( msg?$from )
- info$from = msg$from;
+ if ( msg?$from ) info$from = msg$from;
 info$till = msg$till;
 c$krb = info;
@@ -205,7 +195,7 @@ event krb_as_response(c: connection, msg: KDC_Response) &priority=5
 if ( c?$krb && c$krb$logged )
 return;
- if ( c?$krb )
+ if ( c?$krb )
 info = c$krb;
 if ( ! info?$ts )
@@ -226,7 +216,6 @@ event krb_as_response(c: connection, msg: KDC_Response) &priority=-5
 event krb_as_response(c: connection, msg: KDC_Response) &priority=-5
 {
- Log::write(KRB::LOG, c$krb);
 c$krb$logged = T;
 }
diff --git a/src/analyzer/protocol/krb/events.bif b/src/analyzer/protocol/krb/events.bif
index 88bdb17c0c..035961d9fb 100644
--- a/src/analyzer/protocol/krb/events.bif
+++ b/src/analyzer/protocol/krb/events.bif
@@ -157,4 +157,3 @@ event krb_cred%(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector%);
 ## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
 ## krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
 event krb_error%(c: connection, msg: KRB::Error_Msg%);
-
diff --git a/src/analyzer/protocol/krb/krb-asn1.pac b/src/analyzer/protocol/krb/krb-asn1.pac
index c74f0c5af9..13c5347be8 100644
--- a/src/analyzer/protocol/krb/krb-asn1.pac
+++ b/src/analyzer/protocol/krb/krb-asn1.pac
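Review bot: In the `&priority=-5` krb_as_response handler, removing `Log::write(KRB::LOG, c$krb);` while keeping `c$krb$logged = T;` marks the AS exchange as logged without anything writing it, and the `&priority=5` handler in the previous hunk then returns early on `c$krb$logged`, so later writes for that connection are suppressed as well. Unless the write now happens in a handler outside this diff (none is added here), successful AS-REQ/AS-REP exchanges would no longer appear in krb.log, which is the authentication visibility that downstream monitoring relies on. If the intent is to defer the record until the TGS exchange or connection end, the handler should say so, e.g. `# Record is written later; only mark the AS exchange as seen here.`, and the commit should name where that write lives; otherwise the line should stay: `Log::write(KRB::LOG, c$krb);`.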
@@ -68,14 +68,14 @@ type ASN1Encoding = record {
 };
 type ASN1EncodingMeta = record {
- tag: uint8;
- len: uint8;
- more_len: bytestring &length = long_len ? (len & 0x7f) : 0;
+ tag : uint8;
+ len : uint8;
+ more_len: bytestring &length = long_len ? (len & 0x7f) : 0;
 } &let {
- long_len: bool = (len & 0x80) > 0;
- length: uint64 = long_len ? binary_to_int64(more_len) : len;
- has_index: bool = (tag >= ASN1_INDEX_TAG_OFFSET);
- index: uint8 = tag - ASN1_INDEX_TAG_OFFSET;
+ long_len : bool = (len & 0x80) > 0;
+ length : uint64 = long_len ? binary_to_int64(more_len) : len;
+ has_index : bool = (tag >= ASN1_INDEX_TAG_OFFSET);
+ index : uint8 = tag - ASN1_INDEX_TAG_OFFSET;
 };
 type ASN1OptionalEncodingMeta(is_present: bool, previous_metadata: ASN1EncodingMeta) = case is_present of {
@@ -94,19 +94,19 @@ type ASN1OctetString = record {
 };
 type SequenceElement(grab_content: bool) = record {
- index_meta: ASN1EncodingMeta;
- have_content: case grab_content of {
+ index_meta : ASN1EncodingMeta;
+ have_content : case grab_content of {
 true -> data: ASN1Encoding;
- false -> meta: ASN1EncodingMeta;
+ false -> meta: ASN1EncodingMeta;
 };
 } &let {
- index: uint8 = index_meta.index;
- length: uint64 = index_meta.length;
+ index : uint8 = index_meta.index;
+ length : uint64 = index_meta.length;
 };
 type Array = record {
- array_meta: ASN1EncodingMeta;
- data: ASN1Encoding[];
+ array_meta : ASN1EncodingMeta;
+ data : ASN1Encoding[];
 };
 function binary_to_int64(bs: bytestring): int64
@@ -14,11 +14,11 @@ enum KRBMessageTypes {
 # Defined by IANA in Kerberos Parameters - Pre-authentication and Typed Data
 enum KRBPADataTypes {
- PA_TGS_REQ = 1,
- PA_ENC_TIMESTAMP = 2,
- PA_PW_SALT = 3,
- PA_PW_AS_REQ = 16,
- PA_PW_AS_REP = 17,
+ PA_TGS_REQ = 1,
+ PA_ENC_TIMESTAMP = 2,
+ PA_PW_SALT = 3,
+ PA_PW_AS_REQ = 16,
+ PA_PW_AS_REP = 17,
 };
 # Defined in RFC 4120
diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac
index d3b66b2244..61947398cc 100644
--- a/src/analyzer/protocol/krb/krb-padata.pac
+++ b/src/analyzer/protocol/krb/krb-padata.pac
@@ -127,14 +127,14 @@ type KRB_PA_Data_Optional(is_orig: bool, pkt_type: uint8, desired_index: uint8)
 #
 # Note: Split off due to a BinPAC bug
 type KRB_PA_Data_Optional_Contents(is_orig: bool, is_present: bool, pkt_type: uint8, length: uint64) = case is_present of {
- true -> padata: KRB_PA_Data_Sequence(is_orig, pkt_type) &length=length;
- false -> none: empty;
+ true -> padata : KRB_PA_Data_Sequence(is_orig, pkt_type) &length=length;
+ false -> none : empty;
 };
 # This is our main type
 type KRB_PA_Data_Sequence(is_orig: bool, pkt_type: uint8) = record {
- meta : ASN1EncodingMeta;
- data : KRB_PA_Data_Container(is_orig, pkt_type, meta.tag, meta.length);
+ meta : ASN1EncodingMeta;
+ data : KRB_PA_Data_Container(is_orig, pkt_type, meta.tag, meta.length);
 };
 # The data in KRB_PA_Data_Sequence is usually (and supposed to be) a sequence, which we'll parse,
diff --git a/src/analyzer/protocol/krb/krb-protocol.pac b/src/analyzer/protocol/krb/krb-protocol.pac
index 8bf779c7e1..6f3dfc2117 100644
--- a/src/analyzer/protocol/krb/krb-protocol.pac
+++ b/src/analyzer/protocol/krb/krb-protocol.pac
@@ -75,15 +75,15 @@ type KRB_REQ_Arg_Data(index: uint8) = case index of {
 7 -> nonce : ASN1Integer;
 8 -> etype : Array;
 9 -> addrs : KRB_Host_Addresses;
- 10 -> auth_data : ASN1OctetString; # TODO
+ 10 -> auth_data : ASN1OctetString;
 11 -> addl_tkts : KRB_Ticket_Sequence;
 default -> unknown : bytestring &restofdata;
 };
 type KRB_KDC_Options = record {
- meta : ASN1EncodingMeta;
- pad: uint8;
- flags: uint32;
+ meta : ASN1EncodingMeta;
+ pad : uint8;
+ flags : uint32;
 } &let {
 reserved : bool = (flags & 0x80000000) > 0;
 forwardable : bool = (flags & 0x40000000) > 0;
@@ -168,8 +168,8 @@ type KRB_ERROR_Arg(is_orig: bool, error_code: int64) = record {
 seq_meta: ASN1EncodingMeta;
 args : KRB_ERROR_Arg_Data(is_orig, seq_meta.index, error_code) &length=arg_length;
 } &let {
- process_in_parent: bool = seq_meta.index == 6;
- arg_length : uint64 = ( process_in_parent ? 0 : seq_meta.length);
+ process_in_parent : bool = seq_meta.index == 6;
+ arg_length : uint64 = ( process_in_parent ? 0 : seq_meta.length);
 };
 type KRB_ERROR_Arg_Data(is_orig: bool, index: uint8, error_code: int64) = case index of {
@@ -189,8 +189,8 @@ type KRB_ERROR_Arg_Data(is_orig: bool, index: uint8, error_code: int64) = case i
 };
 type KRB_ERROR_E_Data(is_orig: bool, error_code: uint64) = case ( error_code == KDC_ERR_PREAUTH_REQUIRED ) of {
- true -> padata : KRB_PA_Data_Sequence(is_orig, KRB_ERROR);
- false -> unknown : bytestring &restofdata;
+ true -> padata : KRB_PA_Data_Sequence(is_orig, KRB_ERROR);
+ false -> unknown : bytestring &restofdata;
 };
 ### KRB_SAFE
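Review bot: Dropping the `# TODO` on `10 -> auth_data : ASN1OctetString;` in KRB_REQ_Arg_Data removes the only marker that this element is treated as an opaque blob, while the parse itself is unchanged. If the reminder referred to the fact that RFC 4120 defines KDC-REQ-BODY tag 10 (`enc-authorization-data`) as EncryptedData rather than a plain OCTET STRING, that gap still exists and is worth keeping visible, e.g. `10 -> auth_data : ASN1OctetString; # enc-authorization-data (RFC 4120: EncryptedData), kept opaque`; if the TODO was simply stale, saying so in the commit message would stop the next reader re-adding it. The KRB_REQ_Arg_Data case statement begins before this hunk.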