Merge branch 'krb5-ticket-tracking' of https://github.com/jrolli/bro into jrolli-krb5-ticket-tracking
This commit is contained in:
commit
c40a89e5db
4 changed files with 56 additions and 3 deletions
|
@ -3955,6 +3955,8 @@ export {
|
|||
service_name : string;
|
||||
## Cipher the ticket was encrypted with
|
||||
cipher : count;
|
||||
## Cipher text of the ticket
|
||||
ciphertext : string &optional;
|
||||
};
|
||||
|
||||
type KRB::Ticket_Vector: vector of KRB::Ticket;
|
||||
|
|
|
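Review bot: The comment on the new `ciphertext` field does not say what the string holds, and a reader of `KRB::Ticket` could take it for printable text; suggest `## Raw encrypted bytes of the ticket's enc-part (not printable text); hash or encode before logging`. Since the field is `&optional`, the comment should also say that consumers must test `ticket?$ciphertext` before use, as ticket-logging.bro does. The file this hunk belongs to is not named on the page, and the enclosing `export` block starts and ends outside the hunk.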
@ -164,9 +164,16 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
|
|||
return;
|
||||
|
||||
local info: Info;
|
||||
info$ts = network_time();
|
||||
info$uid = c$uid;
|
||||
info$id = c$id;
|
||||
|
||||
if ( !c?$krb )
|
||||
{
|
||||
info$ts = network_time();
|
||||
info$uid = c$uid;
|
||||
info$id = c$id;
|
||||
}
|
||||
else
|
||||
info = c$krb;
|
||||
|
||||
info$request_type = "TGS";
|
||||
info$service = msg$service_name;
|
||||
if ( msg?$from ) info$from = msg$from;
|
||||
|
|
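Review bot: The `if ( !c?$krb ) { … } else info = c$krb;` block added here is repeated verbatim in `krb_ap_request` of scripts/policy/protocols/krb/ticket-logging.bro, and the same shape presumably exists in the other request handlers; a small helper such as `function krb_info(c: connection): Info` that returns the existing `c$krb` or a freshly initialised record would keep the copies from drifting. When the record is reused, `info$ts` keeps the timestamp of the earlier request rather than this TGS request; if that is intended, a one-line comment saying so would save the next reader the question. The body of `krb_tgs_request` starts and ends outside the hunk, and the file is not named on the page.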
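--- /dev/null
+++ b/scripts/policy/protocols/krb/ticket-logging.bro
@@ -0,0 +1,43 @@
+module KRB;
+
+redef record Info += {
+## Hash of ticket used to authorize request/transaction
+auth_ticket: string &log &optional;
+## Hash of ticket returned by the KDC
+new_ticket: string &log &optional;
+};
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
+{
+if ( c?$krb && c$krb$logged )
+return;
+
+local info: Info;
+
+if ( !c?$krb )
+{
+info$ts = network_time();
+info$uid = c$uid;
+info$id = c$id;
+}
+else
+info = c$krb;
+
+info$request_type = "AP"; # Will be overwritten when request is a TGS
+if ( ticket?$ciphertext )
+info$auth_ticket = md5_hash(ticket$ciphertext);
+
+c$krb = info;
+}
+
+event krb_as_response(c: connection, msg: KDC_Response)
+{
+if ( msg$ticket?$ciphertext )
+c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+}
+
+event krb_tgs_response(c: connection, msg: KDC_Response)
+{
+if ( msg$ticket?$ciphertext )
+c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+}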
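Review bot: `krb_as_response` and `krb_tgs_response` dereference `c$krb` without first checking `c?$krb`; if no request populated it (a response seen without its request, or a change in handler ordering), reading the absent field aborts the handler with a runtime error, so both conditions should read `if ( c?$krb && msg$ticket?$ciphertext )`. Both handlers run at the default priority and therefore rely on the base script's `&priority=5` handlers having created `c$krb` and on the log write happening at a lower priority; that ordering assumption deserves a comment, and the script should begin with `@load base/protocols/krb` so `Info` and `KRB::Ticket` are guaranteed to be defined when it is loaded on its own. A short `##!` header stating that `auth_ticket` and `new_ticket` are MD5 digests used only to correlate the same ticket across connections, not as a security property, would complete the file.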
|
@ -95,6 +95,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket)
|
|||
rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content()));
|
||||
rv->Assign(2, GetStringFromPrincipalName(ticket->sname()));
|
||||
rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT));
|
||||
rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()));
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
|
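Review bot: `rv->Assign(4, …)` depends on `ciphertext` being the fifth field of the script-layer `KRB::Ticket` record, and nothing in the C++ ties the index to the field name; a trailing comment such as `rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext())); // KRB::Ticket$ciphertext` makes a later re-ordering of the record visibly break this line. Since the full encrypted blob is now copied into a StringVal for every ticket, and tickets are also collected into `KRB::Ticket_Vector`, the same comment could note that the per-ticket cost scales with ticket size. `proc_ticket` starts outside the hunk, and the file is not named on the page.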