krb5: use req_type instead of msg_type to get request type

diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs
index 42028794cfa9dae2269933295faa0c6c4c55fe03..69c89461d2d71bd80c176544b9eb7d42fbca810e 100644 (file)
--- a/rust/src/krb/krb5.rs
+++ b/rust/src/krb/krb5.rs
@@ -82,6 +82,9 @@ pub struct KRB5Transaction {
     /// Error code, if request has failed
     pub error_code: Option<ErrorCode>,
 
+    /// Message type of request. For using in responses.
+    pub req_type: Option<MessageType>,
+
     /// The internal transaction id
     id: u64,
 
@@ -149,6 +152,11 @@ impl KRB5State {
                         if let Ok((_,kdc_rep)) = res {
                             let mut tx = self.new_tx(direction);
                             tx.msg_type = MessageType::KRB_AS_REP;
+                            if self.req_id > 0 {
+                                // set request type only if previous message
+                                // was a request
+                                tx.req_type = Some(MessageType(self.req_id.into()));
+                            }
                             tx.cname = Some(kdc_rep.cname);
                             tx.realm = Some(kdc_rep.crealm);
                             tx.sname = Some(kdc_rep.ticket.sname);
@@ -179,6 +187,11 @@ impl KRB5State {
                         if let Ok((_,kdc_rep)) = res {
                             let mut tx = self.new_tx(direction);
                             tx.msg_type = MessageType::KRB_TGS_REP;
+                            if self.req_id > 0 {
+                                // set request type only if previous message
+                                // was a request
+                                tx.req_type = Some(MessageType(self.req_id.into()));
+                            }
                             tx.cname = Some(kdc_rep.cname);
                             tx.realm = Some(kdc_rep.crealm);
                             tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype);
@@ -201,6 +214,11 @@ impl KRB5State {
                         let res = krb5_parser::parse_krb_error(i);
                         if let Ok((_,error)) = res {
                             let mut tx = self.new_tx(direction);
+                            if self.req_id > 0 {
+                                // set request type only if previous message
+                                // was a request
+                                tx.req_type = Some(MessageType(self.req_id.into()));
+                            }
                             tx.msg_type = MessageType::KRB_ERROR;
                             tx.cname = error.cname;
                             tx.realm = error.crealm;
@@ -268,6 +286,7 @@ impl KRB5Transaction {
             etype: None,
             ticket_etype: None,
             error_code: None,
+            req_type: None,
             id,
             tx_data: applayer::AppLayerTxData::for_direction(direction),
         };

diff --git a/rust/src/krb/log.rs b/rust/src/krb/log.rs
index 40fc19d1220ce35511ccac50a0982404e214d9a8..427876ad7e3cb382a61c68b19d3d66fb369fb507 100644 (file)
--- a/rust/src/krb/log.rs
+++ b/rust/src/krb/log.rs
@@ -24,8 +24,15 @@ fn krb5_log_response(jsb: &mut JsonBuilder, tx: &mut KRB5Transaction) -> Result<
 {
     match tx.error_code {
         Some(c) => {
-            jsb.set_string("msg_type", "KRB_ERROR")?;
-            jsb.set_string("failed_request", &format!("{:?}", tx.msg_type))?;
+            jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?;
+            if let Some(req_type) = tx.req_type {
+                jsb.set_string("failed_request", &format!("{:?}", req_type))?;
+            } else {
+                // In case we capture the response but not the request
+                // we can't know the failed request type, since it could be
+                // AS-REQ or TGS-REQ
+                jsb.set_string("failed_request", "UNKNOWN")?;
+            }
             jsb.set_string("error_code", &format!("{:?}", c))?;
         },
         None    => { jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?; },