Documentation update, and rework events a bit.

scripts/base/init-bare.bro

@@ -3136,7 +3136,7 @@ export {
 	};
 
 	## The data from the AS_REQ and TGS_REQ messages. See :rfc:`4120`.
-	type KRB::KDC_Reply: record {
+	type KRB::KDC_Response: record {
 		## Protocol version number (5 for KRB5)
 		pvno				: count;
 		## The message type (11 for AS_REP, 13 for TGS_REP)

scripts/base/protocols/krb/files.bro

@@ -126,12 +126,12 @@ event krb_error(c: connection, msg: Error_Msg)
 	fill_in_subjects(c);
 	}
 
-event krb_as_rep(c: connection, msg: KDC_Reply)
+event krb_as_response(c: connection, msg: KDC_Response)
 	{
 	fill_in_subjects(c);
 	}
 
-event krb_tgs_rep(c: connection, msg: KDC_Reply)
+event krb_tgs_response(c: connection, msg: KDC_Response)
 	{
 	fill_in_subjects(c);
 	}

scripts/base/protocols/krb/main.bro

@@ -71,14 +71,9 @@ redef record connection += {
 	krb: Info &optional;
 };
 
-const udp_ports = { 88/udp, 750/udp };
-const tcp_ports = { 88/tcp, 750/tcp };
-
 event bro_init() &priority=5
 	{
 	Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb]);
-#	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
-#	Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
 	}
 
 event krb_error(c: connection, msg: Error_Msg) &priority=5
@@ -135,7 +130,7 @@ event krb_error(c: connection, msg: Error_Msg) &priority=-5
 		}
 	}
 
-event krb_as_req(c: connection, msg: KDC_Request) &priority=5
+event krb_as_request(c: connection, msg: KDC_Request) &priority=5
 	{
 	if ( c?$krb && c$krb$logged )
 		return;
@@ -186,7 +181,7 @@ event krb_as_req(c: connection, msg: KDC_Request) &priority=5
 	c$krb = info;
 	}
 
-event krb_tgs_req(c: connection, msg: KDC_Request) &priority=5
+event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
 	{
 	if ( c?$krb && c$krb$logged )
 		return;
@@ -203,7 +198,7 @@ event krb_tgs_req(c: connection, msg: KDC_Request) &priority=5
 	c$krb = info;
 	}
 
-event krb_as_rep(c: connection, msg: KDC_Reply) &priority=5
+event krb_as_response(c: connection, msg: KDC_Response) &priority=5
 	{
 	local info: Info;
 
@@ -229,14 +224,14 @@ event krb_as_rep(c: connection, msg: KDC_Reply) &priority=5
 	c$krb = info;
 	}
 
-event krb_as_rep(c: connection, msg: KDC_Reply) &priority=-5
+event krb_as_response(c: connection, msg: KDC_Response) &priority=-5
 	{
 		
 	Log::write(KRB::LOG, c$krb);
 	c$krb$logged = T;
 	}
 
-event krb_tgs_rep(c: connection, msg: KDC_Reply) &priority=5
+event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5
 	{
 	local info: Info;
 
@@ -262,7 +257,7 @@ event krb_tgs_rep(c: connection, msg: KDC_Reply) &priority=5
 	c$krb = info;
 	}
 
-event krb_tgs_rep(c: connection, msg: KDC_Reply) &priority=-5
+event krb_tgs_response(c: connection, msg: KDC_Response) &priority=-5
 	{
 	Log::write(KRB::LOG, c$krb);
 	c$krb$logged = T;

src/analyzer/protocol/krb/events.bif

@@ -1,84 +1,160 @@
 ## A Kerberos 5 ``Authentication Server (AS) Request`` as defined
-## in :rfc:`4120`.
+## in :rfc:`4120`. The AS request contains a username of the client
+## requesting authentication, and returns an AS reply with an
+## encrypted Ticket Granting Ticket (TGT) for that user. The TGT
+## can then be used to request further tickets for other services.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
 ##
 ## c: The connection over which this Kerberos message was sent.
 ##
 ## msg: A Kerberos KDC request message data structure.
-event krb_as_req%(c: connection, msg: KRB::KDC_Request%);
-
-## A Kerberos 5 ``Ticket-Granting Service (TGS) Request`` as defined
-## in :rfc:`4120`.
 ##
-## c: The connection over which this Kerberos message was sent.
-##
-## msg: A Kerberos KDC request message data structure.
-event krb_tgs_req%(c: connection, msg: KRB::KDC_Request%);
+## .. bro:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
+##    krb_ap_response krb_priv krb_safe krb_cred krb_error
+event krb_as_request%(c: connection, msg: KRB::KDC_Request%);
 
 ## A Kerberos 5 ``Authentication Server (AS) Reply`` as defined
-## in :rfc:`4120`.
+## in :rfc:`4120`. Following the AS request for a user, an AS reply
+## contains an encrypted Ticket Granting Ticket (TGT) for that user. 
+## The TGT can then be used to request further tickets for other services.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
 ##
 ## c: The connection over which this Kerberos message was sent.
 ##
 ## msg: A Kerberos KDC reply message data structure.
-event krb_as_rep%(c: connection, msg: KRB::KDC_Reply%);
-
-## A Kerberos 5 ``Ticket-Granting Service (TGS) Reply`` as defined
-## in :rfc:`4120`.
 ##
-## c: The connection over which this Kerberos message was sent.
-##
-## msg: A Kerberos KDC reply message data structure.
-event krb_tgs_rep%(c: connection, msg: KRB::KDC_Reply%);
+## .. bro:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
+##    krb_ap_response krb_priv krb_safe krb_cred krb_error
+event krb_as_response%(c: connection, msg: KRB::KDC_Response%);
 
-## A Kerberos 5 ``Authentication Header (AP) Request`` as defined
-## in :rfc:`4120`.
+## A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
+## in :rfc:`4120`. Following the Authentication Server exchange, if
+## successful, the client now has a Ticket Granting Ticket (TGT). To
+## authenticate to a Kerberized service, the client requests a Service
+## Ticket, which will be returned in the TGS reply.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
 ##
 ## c: The connection over which this Kerberos message was sent.
 ##
 ## msg: A Kerberos KDC request message data structure.
-event krb_ap_req%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%);
+##
+## .. bro:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
+##    krb_ap_response krb_priv krb_safe krb_cred krb_error
+event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%);
+
+## A Kerberos 5 ``Ticket Granting Service (TGS) Reply`` as defined
+## in :rfc:`4120`. This message returns a Service Ticket to the client,
+## which is encrypted with the service's long-term key, and which the
+## client can use to authenticate to that service.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
+##
+## c: The connection over which this Kerberos message was sent.
+##
+## msg: A Kerberos KDC reply message data structure.
+##
+## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
+##    krb_ap_response krb_priv krb_safe krb_cred krb_error
+event krb_tgs_response%(c: connection, msg: KRB::KDC_Response%);
+
+## A Kerberos 5 ``Authentication Header (AP) Request`` as defined
+## in :rfc:`4120`. This message contains authentication information
+## that should be part of the first message in an authenticated
+## transaction.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
+##
+## c: The connection over which this Kerberos message was sent.
+##
+## ticket: The Kerberos ticket being used for authentication.
+##
+## opts: A Kerberos AP options data structure.
+##
+## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+##    krb_ap_response krb_priv krb_safe krb_cred krb_error
+event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%);
 
 ## A Kerberos 5 ``Authentication Header (AP) Reply`` as defined
 ## in :rfc:`4120`. This is used if mutual authentication is desired.
 ## All of the interesting information in here is encrypted, so the event
-## doesn't have much useful data, but it's available in case it's important
+## doesn't have much useful data, but it's provided in case it's important
 ## to know that this message was sent.
 ##
-## c: The connection over which this Kerberos message was sent.
-##
-## msg: A Kerberos KDC request message data structure.
-event krb_ap_rep%(c: connection%);
-
-## A Kerberos 5 ``Private Message`` as defined
-## in :rfc:`4120`. This is an encrypted message, so the event
-## doesn't have much useful data, but it's available in case it's important
-## to know that this message was sent.
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
 ##
 ## c: The connection over which this Kerberos message was sent.
 ##
-## msg: A Kerberos KDC request message data structure.
-event krb_priv%(c: connection%);
+## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+##    krb_ap_request krb_priv krb_safe krb_cred krb_error
+event krb_ap_response%(c: connection%);
 
-## A Kerberos 5 ``Credential Message`` as defined
-## in :rfc:`4120`. 
+## A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`. This 
+## is a private (encrypted) application message, so the event doesn't 
+## have much useful data, but it's provided in case it's important to 
+## know that this message was sent.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
 ##
 ## c: The connection over which this Kerberos message was sent.
 ##
-## msg: A Kerberos KDC request message data structure.
-event krb_cred%(c: connection, tickets: KRB::Ticket_Vector%);
+## is_orig: Whether the originator of the connection sent this message.
+##
+## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+##    krb_ap_request krb_ap_response krb_safe krb_cred krb_error
+event krb_priv%(c: connection, is_orig: bool%);
 
-## A Kerberos 5 ``Credential Message`` as defined
-## in :rfc:`4120`. 
+## A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`. This is a 
+## safe (checksummed) application message.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
 ##
 ## c: The connection over which this Kerberos message was sent.
 ##
-## msg: A Kerberos KDC request message data structure.
-event krb_safe_msg%(c: connection, msg: KRB::SAFE_Msg%);
+## is_orig: Whether the originator of the connection sent this message.
+##
+## msg: A Kerberos SAFE message data structure.
+##
+## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+##    krb_ap_request krb_ap_response krb_priv krb_cred krb_error
+event krb_safe%(c: connection, is_orig: bool, msg: KRB::SAFE_Msg%);
 
-## A Kerberos 5 ``ERROR_MSG`` as defined in :rfc:`4120`.
+## A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`. This is
+## a private (encrypted) message to forward credentials.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
+##
+## c: The connection over which this Kerberos message was sent.
+##
+## is_orig: Whether the originator of the connection sent this message.
+##
+## msg: A Kerberos KDC request message data structure.
+##
+## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+##    krb_ap_request krb_ap_response krb_priv krb_safe krb_error
+event krb_cred%(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector%);
+
+## A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+## more information about the Kerberos protocol.
 ##
 ## c: The connection over which this Kerberos message was sent.
 ##
 ## msg: A Kerberos error message data structure.
+##
+## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+##    krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
 event krb_error%(c: connection, msg: KRB::Error_Msg%);
 

src/analyzer/protocol/krb/krb-analyzer.pac

@@ -166,38 +166,38 @@ bool proc_error_arguments(RecordVal* rv, const std::vector<KRB_ERROR_Arg*>* args
 
 refine connection KRB_Conn += {
 
-	function proc_krb_kdc_req(msg: KRB_KDC_REQ): bool
+	function proc_krb_kdc_req_msg(msg: KRB_KDC_REQ): bool
 		%{
 		bro_analyzer()->ProtocolConfirmation();
-		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 10 ) && ! krb_as_req )
+		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 10 ) && ! krb_as_request )
 			return false;
 
-		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 12 ) && ! krb_tgs_req )
+		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 12 ) && ! krb_tgs_request )
 			return false;		
 
 		RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
 
 		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 10 ) )
-			BifEvent::generate_krb_as_req(bro_analyzer(), bro_analyzer()->Conn(), rv);
+			BifEvent::generate_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
 
 		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 12 ) )
-			BifEvent::generate_krb_tgs_req(bro_analyzer(), bro_analyzer()->Conn(), rv);
+			BifEvent::generate_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
 				
 		return true;
 		%}
 
- 	function proc_krb_kdc_rep(msg: KRB_KDC_REP): bool
+ 	function proc_krb_kdc_rep_msg(msg: KRB_KDC_REP): bool
 		%{
 		bro_analyzer()->ProtocolConfirmation();
 		
-		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 11 ) && ! krb_as_rep )
+		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 11 ) && ! krb_as_response )
 			return false;
 
-		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 13 ) && ! krb_tgs_rep )
+		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 13 ) && ! krb_tgs_response )
 			return false;
 		
 		
-		RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Reply);
+		RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Response);
 
 		rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
 		rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@@ -211,10 +211,10 @@ refine connection KRB_Conn += {
 		rv->Assign(5, proc_ticket(${msg.ticket}));
 
 		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 11 ) )
-			BifEvent::generate_krb_as_rep(bro_analyzer(), bro_analyzer()->Conn(), rv);
+			BifEvent::generate_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), rv);
 
 		if ( ( binary_to_int64(${msg.msg_type.data.content}) == 13 ) )
-			BifEvent::generate_krb_tgs_rep(bro_analyzer(), bro_analyzer()->Conn(), rv);
+			BifEvent::generate_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), rv);
 				
 		return true;
    		%}
@@ -233,27 +233,27 @@ refine connection KRB_Conn += {
     		return true;
     		%}
     
- 	function proc_krb_ap_req(msg: KRB_AP_REQ): bool
+ 	function proc_krb_ap_req_msg(msg: KRB_AP_REQ): bool
 		%{
 		bro_analyzer()->ProtocolConfirmation();
-		if ( krb_ap_req )
+		if ( krb_ap_request )
 			{
 			RecordVal* rv = new RecordVal(BifType::Record::KRB::AP_Options);
 			rv->Assign(0, new Val(${msg.ap_options.use_session_key}, TYPE_BOOL));
 			rv->Assign(1, new Val(${msg.ap_options.mutual_required}, TYPE_BOOL));
 			
-			BifEvent::generate_krb_ap_req(bro_analyzer(), bro_analyzer()->Conn(), 
+			BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(), 
 						      proc_ticket(${msg.ticket}), rv);
 			}
    		return true;
    		%}
     
- 	function proc_krb_ap_rep(msg: KRB_AP_REP): bool
+ 	function proc_krb_ap_rep_msg(msg: KRB_AP_REP): bool
 		%{
 		bro_analyzer()->ProtocolConfirmation();
-		if ( krb_ap_rep )
+		if ( krb_ap_response )
 			{
-			BifEvent::generate_krb_ap_rep(bro_analyzer(), bro_analyzer()->Conn());
+			BifEvent::generate_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
 			}
    		return true;
    		%}
@@ -261,7 +261,7 @@ refine connection KRB_Conn += {
  	function proc_krb_safe_msg(msg: KRB_SAFE_MSG): bool
 		%{
 		bro_analyzer()->ProtocolConfirmation();
-		if ( krb_safe_msg )
+		if ( krb_safe )
 			{
 			RecordVal* rv = new RecordVal(BifType::Record::KRB::SAFE_Msg);
 
@@ -311,7 +311,7 @@ refine connection KRB_Conn += {
 						break;
 					}
 				}
-			BifEvent::generate_krb_safe_msg(bro_analyzer(), bro_analyzer()->Conn(), rv);
+			BifEvent::generate_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, rv);
 			}
 		return true;
    		%}
@@ -321,7 +321,7 @@ refine connection KRB_Conn += {
 		bro_analyzer()->ProtocolConfirmation();
 		if ( krb_priv )
 			{
-			BifEvent::generate_krb_priv(bro_analyzer(), bro_analyzer()->Conn());
+			BifEvent::generate_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
 			}
    		return true;
    		%}
@@ -331,7 +331,8 @@ refine connection KRB_Conn += {
 		bro_analyzer()->ProtocolConfirmation();
 		if ( krb_cred )
 			{
-			BifEvent::generate_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), proc_tickets(${msg.tickets}));
+			BifEvent::generate_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, 
+						    proc_tickets(${msg.tickets}));
 			}
    		return true;
 
@@ -340,27 +341,27 @@ refine connection KRB_Conn += {
 
 
 refine typeattr KRB_AS_REQ += &let {
-	proc: bool = $context.connection.proc_krb_kdc_req(data);
+	proc: bool = $context.connection.proc_krb_kdc_req_msg(data);
 };
     
 refine typeattr KRB_TGS_REQ += &let {
-	proc: bool = $context.connection.proc_krb_kdc_req(data);
+	proc: bool = $context.connection.proc_krb_kdc_req_msg(data);
 };
     
 refine typeattr KRB_AS_REP += &let {
-	proc: bool = $context.connection.proc_krb_kdc_rep(data);
+	proc: bool = $context.connection.proc_krb_kdc_rep_msg(data);
 };
     
 refine typeattr KRB_TGS_REP += &let {
-	proc: bool = $context.connection.proc_krb_kdc_rep(data);
+	proc: bool = $context.connection.proc_krb_kdc_rep_msg(data);
 };
     
 refine typeattr KRB_AP_REQ += &let {
-	proc: bool = $context.connection.proc_krb_ap_req(this);
+	proc: bool = $context.connection.proc_krb_ap_req_msg(this);
 };
     
 refine typeattr KRB_AP_REP += &let {
-	proc: bool = $context.connection.proc_krb_ap_rep(this);
+	proc: bool = $context.connection.proc_krb_ap_rep_msg(this);
 };
     
 refine typeattr KRB_ERROR_MSG += &let {

src/analyzer/protocol/krb/krb-padata.pac

@@ -115,9 +115,9 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
 
 
 # Encapsulating header #1 for KDC_REQ/KDC_REP packets where the PADATA is optional.
-type KRB_PA_Data_Optional(pkt_type: uint8, desired_index: uint8) = record {
+type KRB_PA_Data_Optional(is_orig: bool, pkt_type: uint8, desired_index: uint8) = record {
 	first_meta	: ASN1EncodingMeta;
-	padata		: KRB_PA_Data_Optional_Contents(has_padata, pkt_type, first_meta.length);
+	padata		: KRB_PA_Data_Optional_Contents(is_orig, has_padata, pkt_type, first_meta.length);
 	next_meta	: ASN1OptionalEncodingMeta(has_padata, first_meta);
 } &let {
 	has_padata : bool = first_meta.index == desired_index;
@@ -126,23 +126,23 @@ type KRB_PA_Data_Optional(pkt_type: uint8, desired_index: uint8) = record {
 # Encapsulating header #2 for KDC_REQ/KDC_REP packets where the PADATA is optional.
 #
 # Note: Split off due to a BinPAC bug
-type KRB_PA_Data_Optional_Contents(is_present: bool, pkt_type: uint8, length: uint64) = case is_present of {
-	true -> padata: KRB_PA_Data_Sequence(pkt_type) &length=length;
+type KRB_PA_Data_Optional_Contents(is_orig: bool, is_present: bool, pkt_type: uint8, length: uint64) = case is_present of {
+	true -> padata: KRB_PA_Data_Sequence(is_orig, pkt_type) &length=length;
 	false -> none: empty;
 };
 
 # This is our main type
-type KRB_PA_Data_Sequence(pkt_type: uint8) = record {
+type KRB_PA_Data_Sequence(is_orig: bool, pkt_type: uint8) = record {
 	meta    	: ASN1EncodingMeta;
-	data		: KRB_PA_Data_Container(pkt_type, meta.tag, meta.length);
+	data		: KRB_PA_Data_Container(is_orig, pkt_type, meta.tag, meta.length);
 };
 
 # The data in KRB_PA_Data_Sequence is usually (and supposed to be) a sequence, which we'll parse,
 # but is sometimes an octet string. We'll grab that but ignore it.
 #
 # Note: This is a separate type due to a BinPAC bug.
-type KRB_PA_Data_Container(pkt_type: uint8, tag: uint8, length: uint64) = case tag of {
-	ASN1_SEQUENCE_TAG	-> padata_elems	: KRB_PA_Data(pkt_type)[];
+type KRB_PA_Data_Container(is_orig: bool, pkt_type: uint8, tag: uint8, length: uint64) = case tag of {
+	ASN1_SEQUENCE_TAG	-> padata_elems	: KRB_PA_Data(is_orig, pkt_type)[];
 	default 		-> unknown	: bytestring &length=length;
 } &let {
 	has_padata: bool = (tag == ASN1_SEQUENCE_TAG);
@@ -151,21 +151,21 @@ type KRB_PA_Data_Container(pkt_type: uint8, tag: uint8, length: uint64) = case t
 # The pre-auth data sequence.
 #
 # Note: Error packets don't have pre-auth data, they just advertise which mechanisms they support.
-type KRB_PA_Data(pkt_type: uint8) = record {
+type KRB_PA_Data(is_orig: bool, pkt_type: uint8) = record {
 	seq_meta	  : ASN1EncodingMeta;
 	pa_data_type      : SequenceElement(true);
 	pa_data_elem_meta : ASN1EncodingMeta;
 	have_data	  : case pkt_type of {
 		KRB_ERROR   -> pa_data_placeholder: bytestring &length=pa_data_elem_meta.length;
-		default	    -> pa_data_element : KRB_PA_Data_Element(data_type, pa_data_elem_meta.length);
+		default	    -> pa_data_element : KRB_PA_Data_Element(is_orig, data_type, pa_data_elem_meta.length);
 	} &requires(data_type);
 } &let {
 	data_type: int64 = binary_to_int64(pa_data_type.data.content);
 };
 
 # Each pre-auth element
-type KRB_PA_Data_Element(type: int64, length: uint64) = case type of {
-	PA_TGS_REQ      -> pa_tgs_req	: KRB_AP_REQ;
+type KRB_PA_Data_Element(is_orig: bool, type: int64, length: uint64) = case type of {
+	PA_TGS_REQ      -> pa_tgs_req	: KRB_AP_REQ(is_orig);
 	PA_PW_SALT      -> pa_pw_salt	: ASN1OctetString;
 	PA_PW_AS_REQ	-> pa_pk_as_req	: KRB_PA_PK_AS_Req &length=length;
 	PA_PW_AS_REP	-> pa_pk_as_rep	: KRB_PA_PK_AS_Rep &length=length;

src/analyzer/protocol/krb/krb-protocol.pac

@@ -11,50 +11,50 @@
 %include krb-padata.pac
 
 # KRB over TCP is the same as over UDP, but prefixed with a uint32 denoting the size
-type KRB_PDU_TCP = record {
+type KRB_PDU_TCP(is_orig: bool) = record {
 	size	: uint32;
-	pdu	: KRB_PDU;
+	pdu	: KRB_PDU(is_orig);
 } &length=size+4 &byteorder=bigendian;
 
-type KRB_PDU = record {
+type KRB_PDU(is_orig: bool) = record {
 	app_meta  : ASN1EncodingMeta;
 	msg_type  : case (app_meta.tag - ASN1_APP_TAG_OFFSET) of {
-		AS_REQ    -> as_req   : KRB_AS_REQ;
-		AS_REP    -> as_rep   : KRB_AS_REP;
-		TGS_REQ   -> tgs_req  : KRB_TGS_REQ;
-		TGS_REP   -> tgs_rep  : KRB_TGS_REP;
-		AP_REQ    -> ap_req   : KRB_AP_REQ;
-		AP_REP    -> ap_rep   : KRB_AP_REP;
-		KRB_SAFE  -> krb_safe : KRB_SAFE_MSG;
-		KRB_PRIV  -> krb_priv : KRB_PRIV_MSG;
-		KRB_CRED  -> krb_cred : KRB_CRED_MSG;
-		KRB_ERROR -> krb_error: KRB_ERROR_MSG;
+		AS_REQ    -> as_req   : KRB_AS_REQ(is_orig);
+		AS_REP    -> as_rep   : KRB_AS_REP(is_orig);
+		TGS_REQ   -> tgs_req  : KRB_TGS_REQ(is_orig);
+		TGS_REP   -> tgs_rep  : KRB_TGS_REP(is_orig);
+		AP_REQ    -> ap_req   : KRB_AP_REQ(is_orig);
+		AP_REP    -> ap_rep   : KRB_AP_REP(is_orig);
+		KRB_SAFE  -> krb_safe : KRB_SAFE_MSG(is_orig);
+		KRB_PRIV  -> krb_priv : KRB_PRIV_MSG(is_orig);
+		KRB_CRED  -> krb_cred : KRB_CRED_MSG(is_orig);
+		KRB_ERROR -> krb_error: KRB_ERROR_MSG(is_orig);
 	};
 } &byteorder=bigendian;
 
-type KRB_AS_REQ = record {
-	data: KRB_KDC_REQ(AS_REQ);
+type KRB_AS_REQ(is_orig: bool) = record {
+	data: KRB_KDC_REQ(is_orig, AS_REQ);
 };
 
-type KRB_TGS_REQ = record {
-	data: KRB_KDC_REQ(TGS_REQ);
+type KRB_TGS_REQ(is_orig: bool) = record {
+	data: KRB_KDC_REQ(is_orig, TGS_REQ);
 };
 
-type KRB_AS_REP = record {
-	data: KRB_KDC_REP(AS_REP);
+type KRB_AS_REP(is_orig: bool) = record {
+	data: KRB_KDC_REP(is_orig, AS_REP);
 };
 
-type KRB_TGS_REP = record {
-	data: KRB_KDC_REP(TGS_REP);
+type KRB_TGS_REP(is_orig: bool) = record {
+	data: KRB_KDC_REP(is_orig, TGS_REP);
 };
 
 ### A Kerberos ticket-granting-service or authentication-service request
 
-type KRB_KDC_REQ(pkt_type: uint8) = record {
+type KRB_KDC_REQ(is_orig: bool, pkt_type: uint8) = record {
 	seq_meta   : ASN1EncodingMeta;
 	pvno       : SequenceElement(true);
 	msg_type   : SequenceElement(true);
-	padata	   : KRB_PA_Data_Optional(pkt_type, 3);
+	padata	   : KRB_PA_Data_Optional(is_orig, pkt_type, 3);
 	body_meta  : ASN1EncodingMeta;
 	body_args  : KRB_REQ_Arg[];
 };
@@ -111,11 +111,11 @@ type KRB_KDC_Options = record {
 
 ### KDC_REP
 
-type KRB_KDC_REP(pkt_type: uint8) = record {
+type KRB_KDC_REP(is_orig: bool, pkt_type: uint8) = record {
 	seq_meta    : ASN1EncodingMeta;
 	pvno        : SequenceElement(true);
 	msg_type    : SequenceElement(true);
-	padata	    : KRB_PA_Data_Optional(pkt_type, 2);
+	padata	    : KRB_PA_Data_Optional(is_orig, pkt_type, 2);
 	client_realm: ASN1OctetString &length=padata.next_meta.length;
 	cname_meta  : ASN1EncodingMeta;
 	client_name : KRB_Principal_Name &length=cname_meta.length;
@@ -125,7 +125,7 @@ type KRB_KDC_REP(pkt_type: uint8) = record {
 
 ### AP_REQ
 
-type KRB_AP_REQ = record {
+type KRB_AP_REQ(is_orig: bool) = record {
 	string_meta : ASN1EncodingMeta;
 	app_meta    : ASN1EncodingMeta;
 	seq_meta    : ASN1EncodingMeta;
@@ -149,7 +149,7 @@ type KRB_AP_Options = record {
 
 ### AP_REP
 
-type KRB_AP_REP = record {
+type KRB_AP_REP(is_orig: bool) = record {
 	pvno 	: SequenceElement(true);
 	msg_type: SequenceElement(true);
 	enc_part: KRB_Encrypted_Data_in_Seq;
@@ -157,22 +157,22 @@ type KRB_AP_REP = record {
 
 ### KRB_ERROR
 
-type KRB_ERROR_MSG = record {
+type KRB_ERROR_MSG(is_orig: bool) = record {
 	seq_meta	: ASN1EncodingMeta;
-	args1		: KRB_ERROR_Arg(0)[] &until ($element.process_in_parent);
+	args1		: KRB_ERROR_Arg(is_orig, 0)[] &until ($element.process_in_parent);
 	error_code	: ASN1Integer;
-	args2		: KRB_ERROR_Arg(binary_to_int64(error_code.encoding.content))[];
+	args2		: KRB_ERROR_Arg(is_orig, binary_to_int64(error_code.encoding.content))[];
 };
 
-type KRB_ERROR_Arg(error_code: int64) = record {
+type KRB_ERROR_Arg(is_orig: bool, error_code: int64) = record {
 	seq_meta: ASN1EncodingMeta;
-	args	: KRB_ERROR_Arg_Data(seq_meta.index, error_code) &length=arg_length;
+	args	: KRB_ERROR_Arg_Data(is_orig, seq_meta.index, error_code) &length=arg_length;
 } &let {
 	process_in_parent: bool = seq_meta.index == 6;
 	arg_length : uint64 = ( process_in_parent ? 0 : seq_meta.length);
 };
 
-type KRB_ERROR_Arg_Data(index: uint8, error_code: int64) = case index of {
+type KRB_ERROR_Arg_Data(is_orig: bool, index: uint8, error_code: int64) = case index of {
 	0  -> pvno	: ASN1Integer;
 	1  -> msg_type	: ASN1Integer;
 	2  -> ctime	: KRB_Time;
@@ -185,17 +185,17 @@ type KRB_ERROR_Arg_Data(index: uint8, error_code: int64) = case index of {
 	9  -> realm	: ASN1OctetString;
 	10 -> sname	: KRB_Principal_Name;
 	11 -> e_text	: ASN1OctetString;
-	12 -> e_data	: KRB_ERROR_E_Data(error_code);
+	12 -> e_data	: KRB_ERROR_E_Data(is_orig, error_code);
 };
 
-type KRB_ERROR_E_Data(error_code: uint64) = case ( error_code == KDC_ERR_PREAUTH_REQUIRED ) of {
-	true 	-> padata 	: KRB_PA_Data_Sequence(KRB_ERROR);
+type KRB_ERROR_E_Data(is_orig: bool, error_code: uint64) = case ( error_code == KDC_ERR_PREAUTH_REQUIRED ) of {
+	true 	-> padata 	: KRB_PA_Data_Sequence(is_orig, KRB_ERROR);
 	false	-> unknown	: bytestring &restofdata;
 };
 
 ### KRB_SAFE
 
-type KRB_SAFE_MSG = record {
+type KRB_SAFE_MSG(is_orig: bool) = record {
 	pvno	 : SequenceElement(true);
 	msg_type : SequenceElement(true);
 	safe_body: KRB_SAFE_Body;
@@ -223,7 +223,7 @@ type KRB_SAFE_Arg_Data(index: uint8) = case index of {
 
 ### KRB_PRIV
 
-type KRB_PRIV_MSG = record {
+type KRB_PRIV_MSG(is_orig: bool) = record {
 	pvno	: SequenceElement(true);
 	msg_type: SequenceElement(true);
 	enc_part: KRB_Encrypted_Data_in_Seq;
@@ -231,7 +231,7 @@ type KRB_PRIV_MSG = record {
 
 ### KRB_CRED
 
-type KRB_CRED_MSG = record {
+type KRB_CRED_MSG(is_orig: bool) = record {
 	pvno	 : SequenceElement(true);
 	msg_type : SequenceElement(true);
 	tkts_meta: SequenceElement(false);

src/analyzer/protocol/krb/krb.pac

@@ -19,7 +19,7 @@ connection KRB_Conn(bro_analyzer: BroAnalyzer) {
 %include krb-protocol.pac
 
 flow KRB_Flow(is_orig: bool) {
-	datagram = KRB_PDU withcontext(connection, this);
+	datagram = KRB_PDU(is_orig) withcontext(connection, this);
 };
 
 %include krb-analyzer.pac

src/analyzer/protocol/krb/krb_TCP.pac

@@ -19,7 +19,7 @@ connection KRB_Conn(bro_analyzer: BroAnalyzer) {
 %include krb-protocol.pac
 
 flow KRB_Flow(is_orig: bool) {
-	flowunit = KRB_PDU_TCP withcontext(connection, this);
+	flowunit = KRB_PDU_TCP(is_orig) withcontext(connection, this);
 };
 
 %include krb-analyzer.pac

src/analyzer/protocol/krb/types.bif

@@ -12,6 +12,6 @@ type Host_Address: record;
 
 type KDC_Request: record;
 
-type KDC_Reply: record;
+type KDC_Response: record;
 
 module GLOBAL;