Merge remote-tracking branch 'origin/master' into topic/johanna/ocsp-new

2025-10-02 14:48:21 +00:00 · 2017-03-16 12:28:08 -07:00 · 2017-03-16 12:28:08 -07:00 · 7aa219758c
commit 7aa219758c
parent 5604f46dd3 6544e36564
99 changed files with 2110 additions and 795 deletions
--- a/scripts/policy/protocols/krb/ticket-logging.bro
+++ b/scripts/policy/protocols/krb/ticket-logging.bro
@ -0,0 +1,33 @@
+##! Add Kerberos ticket hashes to the krb.log
+
+@load base/protocols/krb
+
+module KRB;
+
+redef record Info += {
+	## Hash of ticket used to authorize request/transaction
+	auth_ticket: string &log &optional;
+	## Hash of ticket returned by the KDC
+	new_ticket:  string &log &optional;
+};
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
+	{
+	# Will be overwritten when request is a TGS
+	c$krb$request_type = "AP";
+
+	if ( ticket?$ciphertext )
+		c$krb$auth_ticket = md5_hash(ticket$ciphertext);
+	}
+
+event krb_as_response(c: connection, msg: KDC_Response)
+	{
+	if ( msg$ticket?$ciphertext )
+		c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+	}
+
+event krb_tgs_response(c: connection, msg: KDC_Response)
+	{
+	if ( msg$ticket?$ciphertext )
+		c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+	}