]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3a017f6)
Add event rules for Kerberos 5
authorPierre Chifflier <chifflier@wzdftpd.net>
Thu, 19 Apr 2018 11:09:43 +0000 (13:09 +0200)
committerPierre Chifflier <chifflier@wzdftpd.net>
Wed, 13 Jun 2018 08:25:40 +0000 (10:25 +0200)
rules/Makefile.am patch | blob | blame | history
rules/kerberos-events.rules [new file with mode: 0644] patch | blob
rust/src/krb/krb5.rs patch | blob | blame | history
suricata.yaml.in patch | blob | blame | history

diff --git a/rules/Makefile.am b/rules/Makefile.am
index 9deeae5b82ddfc7dd491ad8f54eaa659e8382f8f..1f8ed7a4b32aff74c3eef058610c3bc3bdc6a5f5 100644 (file)
--- a/rules/Makefile.am
+++ b/rules/Makefile.am
@@ -13,4 +13,5 @@ files.rules \
 dnp3-events.rules \
 ntp-events.rules \
 nfs-events.rules \
-ipsec-events.rules
+ipsec-events.rules \
+kerberos-events.rules
diff --git a/rules/kerberos-events.rules b/rules/kerberos-events.rules
new file mode 100644 (file)
index 0000000..5e23958
--- /dev/null
+++ b/rules/kerberos-events.rules
@@ -0,0 +1,8 @@
+# Kerberos app layer event rules
+#
+# SID's fall in the 2226000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+#
+# These sigs fire at most once per connection.
+#
+alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 malformed request data"; flow:to_server; app-layer-event:krb5.malformed_data; classtype:protocol-command-decode; sid:2226000; rev:1;)
+alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak cryptographic parameters"; flow:to_client; app-layer-event:krb5.weak_crypto; classtype:protocol-command-decode; sid:2226001; rev:1;)
diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs
index d6573ff861d10dd0f5216d767a8464a3d2b8ced6..7ea6c830762c0a2ceb02833b23a0daf6d0b29ba4 100644 (file)
--- a/rust/src/krb/krb5.rs
+++ b/rust/src/krb/krb5.rs
@@ -377,6 +377,7 @@ pub extern "C" fn rs_krb5_state_get_event_info(event_name: *const libc::c_char,
         Ok(s) => {
             match s {
                 "malformed_data"     => KRB5Event::MalformedData as i32,
+                "weak_crypto"        => KRB5Event::WeakCrypto as i32,
                 _                    => -1, // unknown event
             }
         },
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 98449968f3ecdc05dccaff5205f8a14794cc5172..e82d8b0a416fe6bdefc1192fa0df7b2f2ab5b675 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -110,6 +110,7 @@ default-rule-path: @e_defaultruledir@
 # - dnp3-events.rules       # available in suricata sources under rules dir
 # - ntp-events.rules       # available in suricata sources under rules dir
 # - ipsec-events.rules       # available in suricata sources under rules dir
+# - kerberos-events.rules       # available in suricata sources under rules dir
 
 classification-file: @e_sysconfdir@classification.config
 reference-config-file: @e_sysconfdir@reference.config
Mirror of https://github.com/OISF/suricata.git