Kerberos: Fix parsing of the cipher in tickets, and add it to the log.

scripts/base/protocols/krb/consts.bro

@@ -3,16 +3,16 @@ module KRB;
 export {
 
 	const error_msg: table[count] of string = {
-		[0]	 = "KDC_ERR_NONE",
+		[0] = "KDC_ERR_NONE",
-		[1]	 = "KDC_ERR_NAME_EXP",
+		[1] = "KDC_ERR_NAME_EXP",
-		[2]	 = "KDC_ERR_SERVICE_EXP",
+		[2] = "KDC_ERR_SERVICE_EXP",
-		[3]	 = "KDC_ERR_BAD_PVNO",
+		[3] = "KDC_ERR_BAD_PVNO",
-		[4]	 = "KDC_ERR_C_OLD_MAST_KVNO",
+		[4] = "KDC_ERR_C_OLD_MAST_KVNO",
-		[5]	 = "KDC_ERR_S_OLD_MAST_KVNO",
+		[5] = "KDC_ERR_S_OLD_MAST_KVNO",
-		[6]	 = "KDC_ERR_C_PRINCIPAL_UNKNOWN",
+		[6] = "KDC_ERR_C_PRINCIPAL_UNKNOWN",
-		[7]	 = "KDC_ERR_S_PRINCIPAL_UNKNOWN",
+		[7] = "KDC_ERR_S_PRINCIPAL_UNKNOWN",
-		[8]	 = "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
+		[8] = "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
-		[9]	 = "KDC_ERR_NULL_KEY",
+		[9] = "KDC_ERR_NULL_KEY",
 		[10] = "KDC_ERR_CANNOT_POSTDATE",
 		[11] = "KDC_ERR_NEVER_VALID",
 		[12] = "KDC_ERR_POLICY",
@@ -73,4 +73,27 @@ export {
 		[76] = "KDC_ERR_KDC_NAME_MISMATCH",
 	};
 
+	const cipher_name: table[count] of string = {
+		[1] = "des-cbc-crc",
+		[2] = "des-cbc-md4",
+		[3] = "des-cbc-md5",
+		[5] = "des3-cbc-md5",
+		[7] = "des3-cbc-sha1",
+		[9] = "dsaWithSHA1-CmsOID",
+		[10] = "md5WithRSAEncryption-CmsOID",
+		[11] = "sha1WithRSAEncryption-CmsOID",
+		[12] = "rc2CBC-EnvOID",
+		[13] = "rsaEncryption-EnvOID",
+		[14] = "rsaES-OAEP-ENV-OID",
+		[15] = "des-ede3-cbc-Env-OID",
+		[16] = "des3-cbc-sha1-kd",
+		[17] = "aes128-cts-hmac-sha1-96",
+		[18] = "aes256-cts-hmac-sha1-96",
+		[23] = "rc4-hmac",
+		[24] = "rc4-hmac-exp",
+		[25] = "camellia128-cts-cmac",
+		[26] = "camellia256-cts-cmac",
+		[65] = "subkey-keymaterial",
+	};	
+
 }

scripts/base/protocols/krb/main.bro

@@ -22,6 +22,8 @@ export {
 		from:			time &log &optional;
 		## Ticket valid till
 		till:			time &log &optional;
+		## Ticket encryption type
+		cipher:			string &log &optional;
 		## Forwardable ticket requested
 		forwardable: 		bool &log &optional;
 		## Proxiable ticket requested
@@ -241,6 +243,7 @@ event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5
 		info$client = fmt("%s/%s", msg$client_name, msg$client_realm);
 
 	info$service = msg$ticket$service_name;
+	info$cipher  = cipher_name[msg$ticket$cipher];
 	info$success = T;
 		
 	c$krb = info;
@@ -256,4 +259,4 @@ event connection_state_remove(c: connection) &priority=-5
 	{
 	if ( c?$krb && ! c$krb$logged )
 		Log::write(KRB::LOG, c$krb);
-	}
+	}

src/analyzer/protocol/krb/krb-types.pac

@@ -92,7 +92,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket)
 	rv->Assign(0, asn1_integer_to_val(ticket->tkt_vno()->data(), TYPE_COUNT));
 	rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content()));
 	rv->Assign(2, GetStringFromPrincipalName(ticket->sname()));
-	rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->etype()->data(), TYPE_COUNT));
+	rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT));
 
 	return rv;
 }
@@ -134,7 +134,7 @@ type KRB_Ticket(in_sequence: bool) = record {
 	realm	  : SequenceElement(true);
 	sname_meta: ASN1EncodingMeta;
 	sname	  : KRB_Principal_Name &length=sname_meta.length;
-	enc_part  : KRB_Encrypted_Data;
+	enc_part  : KRB_Encrypted_Data_in_Seq;
 };
 
 type KRB_Ticket_Sequence = record {