Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 18:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Kerberos: Fix parsing of the cipher in tickets, and add it to the log.

Browse source
This commit is contained in:
Vlad Grigorescu 2015-02-06 11:48:46 -05:00
parent 5bba7ad1eb
commit dfc42ffe8a
3 changed files with 39 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

23
scripts/base/protocols/krb/consts.bro
View file

@ -73,4 +73,27 @@ export {
[76] = "KDC_ERR_KDC_NAME_MISMATCH",
};
const cipher_name: table[count] of string = {
[1] = "des-cbc-crc",
[2] = "des-cbc-md4",
[3] = "des-cbc-md5",
[5] = "des3-cbc-md5",
[7] = "des3-cbc-sha1",
[9] = "dsaWithSHA1-CmsOID",
[10] = "md5WithRSAEncryption-CmsOID",
[11] = "sha1WithRSAEncryption-CmsOID",
[12] = "rc2CBC-EnvOID",
[13] = "rsaEncryption-EnvOID",
[14] = "rsaES-OAEP-ENV-OID",
[15] = "des-ede3-cbc-Env-OID",
[16] = "des3-cbc-sha1-kd",
[17] = "aes128-cts-hmac-sha1-96",
[18] = "aes256-cts-hmac-sha1-96",
[23] = "rc4-hmac",
[24] = "rc4-hmac-exp",
[25] = "camellia128-cts-cmac",
[26] = "camellia256-cts-cmac",
[65] = "subkey-keymaterial",
};
}

3
scripts/base/protocols/krb/main.bro
View file

@ -22,6 +22,8 @@ export {
from: time &log &optional;
## Ticket valid till
till: time &log &optional;
## Ticket encryption type
cipher: string &log &optional;
## Forwardable ticket requested
forwardable: bool &log &optional;
## Proxiable ticket requested
@ -241,6 +243,7 @@ event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5
info$client = fmt("%s/%s", msg$client_name, msg$client_realm);
info$service = msg$ticket$service_name;
info$cipher = cipher_name[msg$ticket$cipher];
info$success = T;
c$krb = info;

4
src/analyzer/protocol/krb/krb-types.pac
View file

@ -92,7 +92,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket)
rv->Assign(0, asn1_integer_to_val(ticket->tkt_vno()->data(), TYPE_COUNT));
rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content()));
rv->Assign(2, GetStringFromPrincipalName(ticket->sname()));
rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->etype()->data(), TYPE_COUNT));
rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT));
return rv;
}
@ -134,7 +134,7 @@ type KRB_Ticket(in_sequence: bool) = record {
realm : SequenceElement(true);
sname_meta: ASN1EncodingMeta;
sname : KRB_Principal_Name &length=sname_meta.length;
enc_part : KRB_Encrypted_Data;
enc_part : KRB_Encrypted_Data_in_Seq;
};
type KRB_Ticket_Sequence = record {