Merge branch 'jrolli-gssapi-krb-fix'

* jrolli-gssapi-krb-fix: Cleaned up and moved parsing to binpac. removed check on kerberos request or response type. allow the kerberos analyzer to handle what it can, gssapi shouldn't check this modified GSSAPI analyzer to parse NTLM and KRB tokens Added and verified correct test results Initial btest structure Changes proposed in #104 Addresses #110
2025-10-02 06:38:20 +00:00 · 2018-04-03 01:59:46 -04:00 · 2018-04-03 01:59:46 -04:00 · f7e16a487c
commit f7e16a487c
parent 95fbe150df 3131952762
7 changed files with 57 additions and 13 deletions
--- a/6
+++ b/6
@ -1,4 +1,10 @@

+2.5-498 | 2018-04-03 01:59:46 -0400
+
+  * Improvements to GSSAPI handling of Kerberos messages (John E. Rollinson, Seth Hall, juno0812, Justin Oursler)
+
+  * Improve SMB2 Create command events and add newly parsed data. (Julien Wallior)
+
 2.5-483 | 2018-03-29 14:10:48 -0700

  * Source code clean up (Johanna Amann)
--- a/2
+++ b/2
@ -1 +1 @@
-2.5-483
+2.5-498
--- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac
+++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac
@ -28,28 +28,29 @@ refine connection GSSAPI_Conn += {

 	function forward_blob(val: GSSAPI_NEG_TOKEN_MECH_TOKEN, is_orig: bool): bool
 		%{
-		if ( ${val.mech_token}.length() >= 7 &&
-		     memcmp("NTLMSSP", ${val.mech_token}.begin(), 7) == 0 )
+		if ( ${val.has_ntlm} &&
+		     ${val.ntlm}.length() >= 7 &&
+		     memcmp("NTLMSSP", ${val.ntlm}.begin(), 7) == 0 )
 			{
 			// ntlmssp
 			if ( ! ntlm )
 				ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());

 			if ( ntlm )
-				ntlm->DeliverStream(${val.mech_token}.length(), ${val.mech_token}.begin(), is_orig);
+				ntlm->DeliverStream(${val.ntlm}.length(),
+				                    ${val.ntlm}.begin(), is_orig);
 			}
-		else if ( ${val.mech_token}.length() == 9 &&
-		          (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ||
-		           memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ) )
+
+		else if ( ${val.has_krb} )
 			{
-			// krb5 && ms-krb5
 			if ( ! krb5 )
 				krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());

-			// 0x0100 is a special marker
-			if ( krb5 && memcmp("\x01\x00", ${val.mech_token}.begin(), 2) == 0 )
+			if ( krb5 ) // accepting all KRB types (REQ, REP, etc)
 				{
-				krb5->DeliverPacket(${val.mech_token}.length()-2, ${val.mech_token}.begin()+2, is_orig, 0, 0, 0);
+				krb5->DeliverPacket(${val.krb.blob}.length(),
+				                    ${val.krb.blob}.begin(),
+				                    is_orig, 0, 0, 0);
 				}
 			}

--- a/src/analyzer/protocol/gssapi/gssapi-protocol.pac
+++ b/src/analyzer/protocol/gssapi/gssapi-protocol.pac
@ -50,7 +50,23 @@ type GSSAPI_NEG_TOKEN_RESP_Arg = record {
 };

 type GSSAPI_NEG_TOKEN_MECH_TOKEN(is_orig: bool) = record {
-	meta       : ASN1EncodingMeta;
-	mech_token : bytestring &length=meta.length;
+	meta  : ASN1EncodingMeta;
+	token : bytestring &length=meta.length;
+} &let {
+	ntlm = token &if($context.connection.is_first_byte(token, 0x43));
+	krb : KRB_BLOB withinput token &if($context.connection.is_first_byte(token, 0x60)) &restofdata;
 };

+type KRB_BLOB = record {
+	meta     : ASN1EncodingMeta;
+	oid      : ASN1OctetString;
+	token_id : uint16 &byteorder=littleendian;
+	blob     : bytestring &restofdata;
+};
+
+refine connection GSSAPI_Conn += {
+	function is_first_byte(token: bytestring, byte: uint8): bool
+		%{
+		return token[0] == byte;
+		%}
+};
--- a/testing/btest/Baseline/scripts.base.protocols.krb.smb_gssapi/kerberos.log
+++ b/testing/btest/Baseline/scripts.base.protocols.krb.smb_gssapi/kerberos.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	kerberos
+#open	2017-09-17-21-25-06
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	request_type	client	service	success	error_msg	from	till	cipher	forwardable	renewable	client_cert_subject	client_cert_fuid	server_cert_subject	server_cert_fuid
+#types	time	string	addr	port	addr	port	string	string	string	bool	string	time	time	string	bool	bool	string	string	string	string
+1165958411.822000	CHhAvVGS1DHFjwGM9	10.24.64.228	1227	10.24.8.44	445	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+#close	2017-09-17-21-25-06
--- a/testing/btest/Traces/krb/smb_gssapi.trace
+++ b/testing/btest/Traces/krb/smb_gssapi.trace
--- a/testing/btest/scripts/base/protocols/krb/smb_gssapi.test
+++ b/testing/btest/scripts/base/protocols/krb/smb_gssapi.test
@ -0,0 +1,11 @@
+# This test verifies that GSSAPI is correctly passing events to
+#   the Kerberos analyzer.  The specific trace example is a
+#   SMB authentication event and therfore relies on the SMB
+#   analyzer as well.
+
+# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb_gssapi.trace %INPUT
+# @TEST-EXEC: btest-diff kerberos.log
+# @TEST-EXEC: btest-diff-rst scripts.base.protocols.krb
+
+@load base/protocols/krb
+@load policy/protocols/smb
 @ -1 +1 @@
 .5-483
 .5-498