Kerberos: A couple small tweaks.

Vlad Grigorescu 2015-02-06 13:05:09 -05:00
parent dfc42ffe8a
commit 9f19c74a10
3 changed files with 37 additions and 14 deletions


@ -14,16 +14,29 @@ export {
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports. ## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## Request type - Authentication Service ("AS") or
## Ticket Granting Service ("TGS")
request_type: string &log &optional;
## Client ## Client
client: string &log &optional; client: string &log &optional;
## Service ## Service
service: string &log; service: string &log;
## Request result
success: bool &log &optional;
## Error code
error_code: count &optional;
## Error message
error_msg: string &log &optional;
## Ticket valid from ## Ticket valid from
from: time &log &optional; from: time &log &optional;
## Ticket valid till ## Ticket valid till
till: time &log &optional; till: time &log &optional;
## Ticket encryption type ## Ticket encryption type
cipher: string &log &optional; cipher: string &log &optional;
## Forwardable ticket requested ## Forwardable ticket requested
forwardable: bool &log &optional; forwardable: bool &log &optional;
## Proxiable ticket requested ## Proxiable ticket requested
@ -32,6 +45,7 @@ export {
postdated: bool &log &optional; postdated: bool &log &optional;
## Renewable ticket requested ## Renewable ticket requested
renewable: bool &log &optional; renewable: bool &log &optional;
## The request is for a renewal ## The request is for a renewal
renew_request: bool &log &optional; renew_request: bool &log &optional;
# The request is to validate a postdated ticket # The request is to validate a postdated ticket
@ -41,12 +55,6 @@ export {
# NetBIOS addresses supplied by the client # NetBIOS addresses supplied by the client
netbios_addrs: vector of string &log &optional; netbios_addrs: vector of string &log &optional;
## Request result
success: bool &log &optional;
## Error code
error_code: count &log &optional;
## Error message
error_msg: string &log &optional;
## We've already logged this ## We've already logged this
logged: bool &default=F; logged: bool &default=F;
}; };
@ -141,6 +149,7 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5
else else
info = c$krb; info = c$krb;
info$request_type = "AS";
info$client = fmt("%s/%s", msg$client_name, msg$service_realm); info$client = fmt("%s/%s", msg$client_name, msg$service_realm);
info$service = msg$service_name; info$service = msg$service_name;
@ -166,11 +175,15 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5
} }
info$till = msg$till; info$till = msg$till;
info$forwardable = msg$kdc_options$forwardable; info$forwardable = msg$kdc_options$forwardable;
info$proxiable = msg$kdc_options$proxiable; info$proxiable = msg$kdc_options$proxiable;
info$postdated = msg$kdc_options$postdated; info$postdated = msg$kdc_options$postdated;
info$renewable = msg$kdc_options$renewable; info$renewable = msg$kdc_options$renewable;
info$renew_request = msg$kdc_options$renew;
info$validate_request = msg$kdc_options$validate;
c$krb = info; c$krb = info;
} }
@ -183,10 +196,19 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
info$ts = network_time(); info$ts = network_time();
info$uid = c$uid; info$uid = c$uid;
info$id = c$id; info$id = c$id;
info$request_type = "TGS";
info$service = msg$service_name; info$service = msg$service_name;
if ( msg?$from ) info$from = msg$from; if ( msg?$from ) info$from = msg$from;
info$till = msg$till; info$till = msg$till;
info$forwardable = msg$kdc_options$forwardable;
info$proxiable = msg$kdc_options$proxiable;
info$postdated = msg$kdc_options$postdated;
info$renewable = msg$kdc_options$renewable;
info$renew_request = msg$kdc_options$renew;
info$validate_request = msg$kdc_options$validate;
c$krb = info; c$krb = info;
} }
@ -211,6 +233,7 @@ event krb_as_response(c: connection, msg: KDC_Response) &priority=5
info$client = fmt("%s/%s", msg$client_name, msg$client_realm); info$client = fmt("%s/%s", msg$client_name, msg$client_realm);
info$service = msg$ticket$service_name; info$service = msg$ticket$service_name;
info$cipher = cipher_name[msg$ticket$cipher];
info$success = T; info$success = T;
c$krb = info; c$krb = info;
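Review bot: `info$cipher = cipher_name[msg$ticket$cipher];` in the krb_as_response hunk indexes the cipher_name table with no membership check, so a ticket whose encryption type is not a key of that table (an unknown or vendor-specific etype) will abort this event handler with a missing-index runtime error instead of producing a log line, and the AS exchange is lost from krb.log. Guard it and fall back to the raw number so the record still logs: `info$cipher = ( msg$ticket$cipher in cipher_name ) ? cipher_name[msg$ticket$cipher] : fmt("%d", msg$ticket$cipher);`. Whether cipher_name is defined in this file and covers every RFC 3961 etype cannot be confirmed from this view, but this field is exactly what a detection engineer keys on to spot RC4/DES tickets (Kerberoasting, encryption downgrade), so dropping the whole record on an unexpected etype is the worst failure mode. Separately, the relocated `error_code: count &optional;` no longer carries `&log` while the removed definition did; if that is intentional, say so in its field comment, e.g. `## Error code (not logged; see error_msg)`. The krb_as_response handler starts and ends outside the hunk.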


@ -15,7 +15,7 @@
## krb_ap_response krb_priv krb_safe krb_cred krb_error ## krb_ap_response krb_priv krb_safe krb_cred krb_error
event krb_as_request%(c: connection, msg: KRB::KDC_Request%); event krb_as_request%(c: connection, msg: KRB::KDC_Request%);
## A Kerberos 5 ``Authentication Server (AS) Reply`` as defined ## A Kerberos 5 ``Authentication Server (AS) Response`` as defined
## in :rfc:`4120`. Following the AS request for a user, an AS reply ## in :rfc:`4120`. Following the AS request for a user, an AS reply
## contains an encrypted Ticket Granting Ticket (TGT) for that user. ## contains an encrypted Ticket Granting Ticket (TGT) for that user.
## The TGT can then be used to request further tickets for other services. ## The TGT can then be used to request further tickets for other services.
@ -48,7 +48,7 @@ event krb_as_response%(c: connection, msg: KRB::KDC_Response%);
## krb_ap_response krb_priv krb_safe krb_cred krb_error ## krb_ap_response krb_priv krb_safe krb_cred krb_error
event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%); event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%);
## A Kerberos 5 ``Ticket Granting Service (TGS) Reply`` as defined ## A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
## in :rfc:`4120`. This message returns a Service Ticket to the client, ## in :rfc:`4120`. This message returns a Service Ticket to the client,
## which is encrypted with the service's long-term key, and which the ## which is encrypted with the service's long-term key, and which the
## client can use to authenticate to that service. ## client can use to authenticate to that service.
@ -82,7 +82,7 @@ event krb_tgs_response%(c: connection, msg: KRB::KDC_Response%);
## krb_ap_response krb_priv krb_safe krb_cred krb_error ## krb_ap_response krb_priv krb_safe krb_cred krb_error
event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%); event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%);
## A Kerberos 5 ``Authentication Header (AP) Reply`` as defined ## A Kerberos 5 ``Authentication Header (AP) Response`` as defined
## in :rfc:`4120`. This is used if mutual authentication is desired. ## in :rfc:`4120`. This is used if mutual authentication is desired.
## All of the interesting information in here is encrypted, so the event ## All of the interesting information in here is encrypted, so the event
## doesn't have much useful data, but it's provided in case it's important ## doesn't have much useful data, but it's provided in case it's important


@ -48,7 +48,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
if ( !lResult ) if ( !lResult )
lResult = 0; lResult = 0;
return new Val(double(lResult + (usecs/100000)), TYPE_TIME); return new Val(double(lResult + double(usecs/100000.0)), TYPE_TIME);
} }
Val* asn1_integer_to_val(const ASN1Integer* i, TypeTag t) Val* asn1_integer_to_val(const ASN1Integer* i, TypeTag t)
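Review bot: The divisor in the new return line looks off by a factor of ten: `usecs/100000.0` divides by 1e5, but if `usecs` is a Kerberos microseconds field (the parameter name and the ASN.1 KerberosTime/cusec pairing suggest so) the conversion to fractional seconds needs 1e6, so a value like 500000 currently yields 5.0 s instead of 0.5 s. Assuming the microsecond interpretation is right, the line should read `return new Val(double(lResult) + double(usecs) / 1000000.0, TYPE_TIME);`, which also avoids any integer addition before the cast. A short comment such as `// usecs is the ASN.1 microseconds component (0..999999); convert to fractional seconds` would document the unit for the next reader. GetTimeFromAsn1 begins outside the hunk, and asn1_integer_to_val on the last line continues past it.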