Document Kerberos 5 parsing events

author Pierre Chifflier <chifflier@wzdftpd.net>

Tue, 15 May 2018 14:54:31 +0000 (16:54 +0200)

committer Pierre Chifflier <chifflier@wzdftpd.net>

Wed, 13 Jun 2018 08:25:40 +0000 (10:25 +0200)
author Pierre Chifflier <chifflier@wzdftpd.net>
Tue, 15 May 2018 14:54:31 +0000 (16:54 +0200)
committer Pierre Chifflier <chifflier@wzdftpd.net>
Wed, 13 Jun 2018 08:25:40 +0000 (10:25 +0200)
diff --git a/doc/userguide/rules/kerberos-keywords.rst b/doc/userguide/rules/kerberos-keywords.rst

index 91f4f97e38e91fe400678c7ec71c305daa7c0968..37339feabfed22311a338280f45f3936709bf7bc 100644 (file)
--- a/doc/userguide/rules/kerberos-keywords.rst
+++ b/doc/userguide/rules/kerberos-keywords.rst
@@ -83,3 +83,31 @@ Syntax::
  Signature example::
  
   alert krb5 any any -> any any (msg:"Kerberos 5 error C_PRINCIPAL_UNKNOWN"; krb5_err_code:6; sid:6; rev:1;)
+
+krb5.weak_encryption (event)
+----------------------------
+
+Event raised if the encryption parameters selected by the server are weak or
+deprecated. For example, using a key size smaller than 128, or using deprecated
+ciphers like DES.
+
+Syntax::
+
+ app-layer-event:krb5.weak_encryption
+
+Signature example::
+
+ alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak encryption parameters"; flow:to_client; app-layer-event:krb5.weak_encryption; classtype:protocol-command-decode; sid:2226001; rev:1;)
+
+krb5.malformed_data (event)
+---------------------------
+
+Event raised in case of a protocol decoding error.
+
+Syntax::
+
+ app-layer-event:krb5.malformed_data
+
+Signature example::
+
+ alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 malformed request data"; flow:to_server; app-layer-event:krb5.malformed_data; classtype:protocol-command-decode; sid:2226000; rev:1;)
author	Pierre Chifflier <chifflier@wzdftpd.net>
	Tue, 15 May 2018 14:54:31 +0000 (16:54 +0200)
committer	Pierre Chifflier <chifflier@wzdftpd.net>
	Wed, 13 Jun 2018 08:25:40 +0000 (10:25 +0200)