diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro index 9fca2c896e..d855d6af55 100644 --- a/scripts/base/protocols/krb/main.bro +++ b/scripts/base/protocols/krb/main.bro @@ -9,21 +9,34 @@ export { type Info: record { ## Timestamp for when the event happened. - ts: time &log; + ts: time &log; ## Unique ID for the connection. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + id: conn_id &log; + + ## Request type - Authentication Service ("AS") or + ## Ticket Granting Service ("TGS") + request_type: string &log &optional; ## Client client: string &log &optional; ## Service service: string &log; + + ## Request result + success: bool &log &optional; + ## Error code + error_code: count &optional; + ## Error message + error_msg: string &log &optional; + ## Ticket valid from from: time &log &optional; ## Ticket valid till till: time &log &optional; ## Ticket encryption type cipher: string &log &optional; + ## Forwardable ticket requested forwardable: bool &log &optional; ## Proxiable ticket requested @@ -32,6 +45,7 @@ export { postdated: bool &log &optional; ## Renewable ticket requested renewable: bool &log &optional; + ## The request is for a renewal renew_request: bool &log &optional; # The request is to validate a postdated ticket @@ -41,12 +55,6 @@ export { # NetBIOS addresses supplied by the client netbios_addrs: vector of string &log &optional; - ## Request result - success: bool &log &optional; - ## Error code - error_code: count &log &optional; - ## Error message - error_msg: string &log &optional; ## We've already logged this logged: bool &default=F; }; @@ -141,6 +149,7 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5 else info = c$krb; + info$request_type = "AS"; info$client = fmt("%s/%s", msg$client_name, msg$service_realm); info$service = msg$service_name; 
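Review bot: The relocated `error_code: count &optional;` in the first hunk of main.bro drops the `&log` attribute that the removed declaration in the later hunk carried (`error_code: count &log &optional;`), so the numeric KRB error code no longer reaches krb.log while `error_msg` still does. The numeric code is what detection logic on failed Kerberos exchanges usually keys on (it distinguishes error classes without matching on message text), so the change looks accidental rather than intended. If it is intentional, say so on the field, e.g. `## Error code (not written to the log; see error_msg)`; otherwise restore `error_code: count &log &optional;`. The Info record declaration continues outside the hunk.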
@@ -166,11 +175,15 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5 } info$till = msg$till; + info$forwardable = msg$kdc_options$forwardable; info$proxiable = msg$kdc_options$proxiable; info$postdated = msg$kdc_options$postdated; info$renewable = msg$kdc_options$renewable; - + + info$renew_request = msg$kdc_options$renew; + info$validate_request = msg$kdc_options$validate; + c$krb = info; } @@ -183,10 +196,19 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5 info$ts = network_time(); info$uid = c$uid; info$id = c$id; + info$request_type = "TGS"; info$service = msg$service_name; if ( msg?$from ) info$from = msg$from; info$till = msg$till; + info$forwardable = msg$kdc_options$forwardable; + info$proxiable = msg$kdc_options$proxiable; + info$postdated = msg$kdc_options$postdated; + info$renewable = msg$kdc_options$renewable; + + info$renew_request = msg$kdc_options$renew; + info$validate_request = msg$kdc_options$validate; + c$krb = info; } @@ -211,6 +233,7 @@ event krb_as_response(c: connection, msg: KDC_Response) &priority=5 info$client = fmt("%s/%s", msg$client_name, msg$client_realm); info$service = msg$ticket$service_name; + info$cipher = cipher_name[msg$ticket$cipher]; info$success = T; c$krb = info; diff --git a/src/analyzer/protocol/krb/events.bif b/src/analyzer/protocol/krb/events.bif index 035961d9fb..e6b438f2b0 100644 --- a/src/analyzer/protocol/krb/events.bif +++ b/src/analyzer/protocol/krb/events.bif @@ -15,7 +15,7 @@ ## krb_ap_response krb_priv krb_safe krb_cred krb_error event krb_as_request%(c: connection, msg: KRB::KDC_Request%); -## A Kerberos 5 ``Authentication Server (AS) Reply`` as defined +## A Kerberos 5 ``Authentication Server (AS) Response`` as defined ## in :rfc:`4120`. Following the AS request for a user, an AS reply ## contains an encrypted Ticket Granting Ticket (TGT) for that user. ## The TGT can then be used to request further tickets for other services. 
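Review bot: The six `info$… = msg$kdc_options$…` assignments added to krb_tgs_request are a verbatim copy of the block added to krb_as_request in the preceding hunk, and the two already differ only in surrounding whitespace. Moving them into one small function that takes the Info record and `msg$kdc_options` and assigns forwardable, proxiable, postdated, renewable, renew_request and validate_request would keep the AS and TGS paths from drifting when further options are logged. Both handlers start and end outside their hunks.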
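Review bot: `info$cipher = cipher_name[msg$ticket$cipher];` in krb_as_response indexes the table with an encryption-type number taken straight from the wire; unless `cipher_name` (not visible here) is declared with a `&default`, an enctype that is not in the table — an unassigned number, or a deliberately malformed reply — raises a no-such-index runtime error that aborts the handler before `info$success = T` and `c$krb = info` run, so the exchange is recorded without its result. Guard the lookup, e.g. `if ( msg$ticket$cipher in cipher_name ) info$cipher = cipher_name[msg$ticket$cipher]; else info$cipher = fmt("unknown-%d", msg$ticket$cipher);`, so an unknown enctype is logged rather than dropped. The handler starts and ends outside the hunk.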
@@ -48,7 +48,7 @@ event krb_as_response%(c: connection, msg: KRB::KDC_Response%); ## krb_ap_response krb_priv krb_safe krb_cred krb_error event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%); -## A Kerberos 5 ``Ticket Granting Service (TGS) Reply`` as defined +## A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined ## in :rfc:`4120`. This message returns a Service Ticket to the client, ## which is encrypted with the service's long-term key, and which the ## client can use to authenticate to that service. @@ -82,7 +82,7 @@ event krb_tgs_response%(c: connection, msg: KRB::KDC_Response%); ## krb_ap_response krb_priv krb_safe krb_cred krb_error event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%); -## A Kerberos 5 ``Authentication Header (AP) Reply`` as defined +## A Kerberos 5 ``Authentication Header (AP) Response`` as defined ## in :rfc:`4120`. This is used if mutual authentication is desired. ## All of the interesting information in here is encrypted, so the event ## doesn't have much useful data, but it's provided in case it's important diff --git a/src/analyzer/protocol/krb/krb-asn1.pac b/src/analyzer/protocol/krb/krb-asn1.pac index 13c5347be8..99741d7a48 100644 --- a/src/analyzer/protocol/krb/krb-asn1.pac +++ b/src/analyzer/protocol/krb/krb-asn1.pac @@ -48,7 +48,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs) if ( !lResult ) lResult = 0; - return new Val(double(lResult + (usecs/100000)), TYPE_TIME); + return new Val(double(lResult + double(usecs/100000.0)), TYPE_TIME); } Val* asn1_integer_to_val(const ASN1Integer* i, TypeTag t)
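Review bot: `usecs/100000.0` divides by 1e5, so if `usecs` carries the RFC 4120 `Microseconds` field (0..999999, as the parameter name suggests) the fractional part added to `lResult` is ten times too large — 500000 µs becomes 5.0 s instead of 0.5 s, skewing every timestamp this function produces by up to about ten seconds. The conversion should read `return new Val(double(lResult) + usecs / 1000000.0, TYPE_TIME);`; the outer `double(...)` around a sum that is already double is redundant. GetTimeFromAsn1 starts outside the hunk, so the derivation of `lResult` and the unit of `usecs` cannot be confirmed from here.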