GSSAPI analyzer now forwards authentication blobs more correctly (and other fixes).

Previously, the GSSAPI analyzer blindly forwarded authentication
blobs to the NTLM analyzer (which it instantiated too early). Now
it waits to instantiate sub-analyzers until a blob of a particular
type has been seen. It also distinguishes between KRB and
NTLM blobs and forwards each to the correct analyzer.

This required some fixes to the KRB analyzer because KRB over GSSAPI
looks slightly different than raw KRB.

The KRB analyzer also now includes support for the PA_ENCTYPE_INFO2
pre-auth data type.
Seth Hall 2016-08-09 10:27:21 -04:00
parent 4a3dfe69b1
commit cbde25f1b8
5 changed files with 69 additions and 11 deletions


@ -2,10 +2,12 @@
refine connection GSSAPI_Conn += {
%member{
analyzer::Analyzer *ntlm;
analyzer::Analyzer *krb5;
%}
%init{
ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer->Conn());
ntlm=0;
krb5=0;
%}
%cleanup{
@ -13,13 +15,44 @@ refine connection GSSAPI_Conn += {
{
ntlm->Done();
delete ntlm;
ntlm=0;
}
if ( krb5 )
{
krb5->Done();
delete krb5;
krb5=0;
}
%}
function forward_ntlm(data: bytestring, is_orig: bool): bool
function forward_blob(val: GSSAPI_NEG_TOKEN_MECH_TOKEN, is_orig: bool): bool
%{
if ( ntlm )
ntlm->DeliverStream(${data}.length(), ${data}.begin(), is_orig);
if ( ${val.mech_token}.length() >= 7 &&
memcmp("NTLMSSP", ${val.mech_token}.begin(), 7) == 0 )
{
// ntlmssp
if ( ! ntlm )
ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
if ( ntlm )
ntlm->DeliverStream(${val.mech_token}.length(), ${val.mech_token}.begin(), is_orig);
}
else if ( ${val.mech_token}.length() == 9 &&
(memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ||
memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ) )
{
// krb5 && ms-krb5
if ( ! krb5 )
krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());
// 0x0100 is a special marker
if ( krb5 && memcmp("\x01\x00", ${val.mech_token}.begin(), 2) == 0 )
{
krb5->DeliverPacket(${val.mech_token}.length()-2, ${val.mech_token}.begin()+2, is_orig, 0, 0, 0);
}
}
return true;
%}
@ -37,7 +70,7 @@ refine connection GSSAPI_Conn += {
}
refine typeattr GSSAPI_NEG_TOKEN_MECH_TOKEN += &let {
fwd: bool = $context.connection.forward_ntlm(mech_token, is_orig);
fwd: bool = $context.connection.forward_blob(this, is_orig);
};
refine typeattr GSSAPI_NEG_TOKEN_RESP_Arg += &let {