krb: log for ticket encryption
authorPhilippe Antoine <contact@catenacyber.fr>
Fri, 22 Jul 2022 15:20:58 +0000 (17:20 +0200)
committerVictor Julien <vjulien@oisf.net>
Fri, 5 Aug 2022 17:51:07 +0000 (19:51 +0200)
Also logs if the ticket encryption is weak.
It is different from the encryption used for the rest of the
packet, and this allows detecting kerberoasting attacks.

Ticket: #5442

etc/schema.json
rust/src/krb/krb5.rs
rust/src/krb/log.rs

index 9debd45893fbec0774b5118147789fe770c26045..cbbd1b192b01f7b56ca329855102afa28ac1210f 100644 (file)
                 "sname": {
                     "type": "string"
                 },
+                "ticket_encryption": {
+                    "type": "string"
+                },
+                "ticket_weak_encryption": {
+                    "type": "boolean"
+                },
                 "weak_encryption": {
                     "type": "boolean"
                 }
index 99ad00089a3cb1223570f0a4d248be2ee195fa0b..c7210238e76e4e4e2f9b0fae838edeebcf08aa28 100644 (file)
@@ -75,6 +75,9 @@ pub struct KRB5Transaction {
     /// Encryption used (only in AS-REP and TGS-REP)
     pub etype: Option<EncryptionType>,
 
+    /// Encryption used for ticket
+    pub ticket_etype: Option<EncryptionType>,
+
     /// Error code, if request has failed
     pub error_code: Option<ErrorCode>,
 
@@ -131,6 +134,7 @@ impl KRB5State {
                             tx.cname = Some(kdc_rep.cname);
                             tx.realm = Some(kdc_rep.crealm);
                             tx.sname = Some(kdc_rep.ticket.sname);
+                            tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype);
                             tx.etype = Some(kdc_rep.enc_part.etype);
                             self.transactions.push(tx);
                             if test_weak_encryption(kdc_rep.enc_part.etype) {
@@ -149,6 +153,7 @@ impl KRB5State {
                             tx.msg_type = MessageType::KRB_TGS_REP;
                             tx.cname = Some(kdc_rep.cname);
                             tx.realm = Some(kdc_rep.crealm);
+                            tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype);
                             tx.sname = Some(kdc_rep.ticket.sname);
                             tx.etype = Some(kdc_rep.enc_part.etype);
                             self.transactions.push(tx);
@@ -233,6 +238,7 @@ impl KRB5Transaction {
             realm: None,
             sname: None,
             etype: None,
+            ticket_etype: None,
             error_code: None,
             id: id,
             tx_data: applayer::AppLayerTxData::new(),
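Review bot: The weak-encryption check for the new ticket etype lives only in the logger; the parser hunk at `if test_weak_encryption(kdc_rep.enc_part.etype) {` (body outside the hunk, presumably raising the existing weak-encryption event) has no sibling check on `kdc_rep.ticket.enc_part.etype`, so rule-based detection of the weak ticket encryption the description calls out depends on log post-processing rather than an app-layer event. A parallel check raising its own event, in both the AS-REP and TGS-REP branches, would let rules match directly. The two branches also assign `ticket_etype` in different positions relative to `tx.sname` (after it in the AS-REP branch, before it in the TGS-REP branch); keeping the field order identical makes the two blocks easier to diff. The struct doc could mirror the neighbouring field: `/// Encryption used for ticket (only in AS-REP and TGS-REP)`. Both `impl KRB5State` match arms start and end outside the hunks.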
index e20f36e9b5b37f041a79b6bb1b8a4308a4b663d2..40fc19d1220ce35511ccac50a0982404e214d9a8 100644 (file)
@@ -51,6 +51,11 @@ fn krb5_log_response(jsb: &mut JsonBuilder, tx: &mut KRB5Transaction) -> Result<
     jsb.set_string("sname", &sname)?;
     jsb.set_string("encryption", &encryption)?;
     jsb.set_bool("weak_encryption", tx.etype.map_or(false,test_weak_encryption))?;
+    if let Some(x) = tx.ticket_etype {
+        let refs = format!("{:?}", x);
+        jsb.set_string("ticket_encryption", &refs)?;
+        jsb.set_bool("ticket_weak_encryption", test_weak_encryption(x))?;
+    }
 
     return Ok(());
 }
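Review bot: The local `refs` in `let refs = format!("{:?}", x);` is a name that says nothing about what it holds; `let ticket_encryption = format!("{:?}", x);` matches the `encryption` and `sname` locals used just above and reads as the JSON key it feeds. Note the asymmetry with the line above: `weak_encryption` is always emitted via `tx.etype.map_or(false, test_weak_encryption)`, while `ticket_weak_encryption` is only emitted when `ticket_etype` is `Some`, so consumers keying on that field must treat absence as "unknown" rather than "not weak"; if the intent is parity with `weak_encryption`, `jsb.set_bool("ticket_weak_encryption", tx.ticket_etype.map_or(false, test_weak_encryption))?;` outside the `if let` would give it. The `{:?}` Debug rendering of the enum becomes a stable log-field value the schema now documents, so a comment noting that the Debug names are load-bearing would help future maintainers. `krb5_log_response` begins outside the hunk.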