Merge branch 'gssapi-krb-fix' of https://github.com/jrolli/bro into jrolli-gssapi-krb-fix

2025-10-10 10:38:20 +00:00 · 2018-04-02 22:28:11 -04:00 · 2018-04-02 22:28:11 -04:00 · 5b07bbe0a5
commit 5b07bbe0a5
parent 95fbe150df 39a773c9ef
5 changed files with 75 additions and 25 deletions
--- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac
+++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac
@ -28,31 +28,61 @@ refine connection GSSAPI_Conn += {
 	function forward_blob(val: GSSAPI_NEG_TOKEN_MECH_TOKEN, is_orig: bool): bool
 		%{
-		if ( ${val.mech_token}.length() >= 7 &&
+        if ( ${val.token}.length() >= 7 &&
-		     memcmp("NTLMSSP", ${val.mech_token}.begin(), 7) == 0 )
+             memcmp("NTLMSSP", ${val.token}.begin(), 7) == 0 )
-			{
+            {
-			// ntlmssp
+            // ntlmssp
-			if ( ! ntlm )
+            if ( ! ntlm )
-				ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
+                ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
-			if ( ntlm )
+            if ( ntlm )
-				ntlm->DeliverStream(${val.mech_token}.length(), ${val.mech_token}.begin(), is_orig);
+                ntlm->DeliverStream(${val.token}.length(),
-			}
+                                    ${val.token}.begin(), is_orig);
-		else if ( ${val.mech_token}.length() == 9 &&
+            }
 		          (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ||
 		           memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ) )
 			{
 			// krb5 && ms-krb5
 			if ( ! krb5 )
 				krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());
 			// 0x0100 is a special marker
 			if ( krb5 && memcmp("\x01\x00", ${val.mech_token}.begin(), 2) == 0 )
 				{
 				krb5->DeliverPacket(${val.mech_token}.length()-2, ${val.mech_token}.begin()+2, is_orig, 0, 0, 0);
 				}
 			}
        else if ( 0x60 == *(${val.token}.begin()) )
            {
            // probably KRB
            const unsigned char *p = ${val.token}.begin();
            int len_to_send = ${val.token}.length();
            p++;
            len_to_send--;
            int shift = 1;
            if ( ((*p) & 0x80) > 0 )
                {
                    shift += (*p) & 0x7f;
                }
            p += shift;  // eating an ASN.1 meta
            len_to_send -= shift;
            // should now be pointing at OID
            if ( (*p) == 0x06 )
                {
                    p++;
                    len_to_send--;
                    len_to_send -= (*p) + 1;
                    p += (*p) + 1;  // eating the OID.  assuming short form on
                                    // OID len
                    // should now be pointing at the type of KRB
                    // 0x0100 or 0x0200
                    // krb5 && ms-krb5
                    if ( ! krb5 )
                        krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());
                    if ( krb5 ) // accepting all KRB types (REQ, REP, etc)
                        {
                        krb5->DeliverPacket(len_to_send-2,
                                            p+2, 
                                            is_orig, 0, 0, 0);
                        }
                }
            } 
 		return true;
 		%}
--- a/src/analyzer/protocol/gssapi/gssapi-protocol.pac
+++ b/src/analyzer/protocol/gssapi/gssapi-protocol.pac
@ -50,7 +50,6 @@ type GSSAPI_NEG_TOKEN_RESP_Arg = record {
 };
 type GSSAPI_NEG_TOKEN_MECH_TOKEN(is_orig: bool) = record {
-	meta       : ASN1EncodingMeta;
+	meta    : ASN1EncodingMeta;
-	mech_token : bytestring &length=meta.length;
+	token   : bytestring &length=meta.length;
 };
--- a/testing/btest/Baseline/scripts.base.protocols.krb.smb_gssapi/kerberos.log
+++ b/testing/btest/Baseline/scripts.base.protocols.krb.smb_gssapi/kerberos.log
@ -0,0 +1,10 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	kerberos
 #open	2017-09-17-21-25-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	request_type	client	service	success	error_msg	from	till	cipher	forwardable	renewable	client_cert_subject	client_cert_fuid	server_cert_subject	server_cert_fuid
 #types	time	string	addr	port	addr	port	string	string	string	bool	string	time	time	string	bool	bool	string	string	string	string
 1165958411.822000	CHhAvVGS1DHFjwGM9	10.24.64.228	1227	10.24.8.44	445	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 #close	2017-09-17-21-25-06
--- a/testing/btest/Traces/krb/smb_gssapi.trace
+++ b/testing/btest/Traces/krb/smb_gssapi.trace
--- a/testing/btest/scripts/base/protocols/krb/smb_gssapi.test
+++ b/testing/btest/scripts/base/protocols/krb/smb_gssapi.test
@ -0,0 +1,11 @@
 # This test verifies that GSSAPI is correctly passing events to
 #   the Kerberos analyzer.  The specific trace example is a
 #   SMB authentication event and therfore relies on the SMB
 #   analyzer as well.
 # @TEST-EXEC: bro -b -C -r $TRACES/krb/smb_gssapi.trace %INPUT
 # @TEST-EXEC: btest-diff kerberos.log
 # @TEST-EXEC: btest-diff-rst scripts.base.protocols.krb
@load base/protocols/krb
@load policy/protocols/smb