From: Philippe Antoine Date: Fri, 22 Jul 2022 15:20:58 +0000 (+0200) Subject: krb: log for ticket encryption X-Git-Tag: suricata-7.0.0-beta1~312 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64b2385c645400309f69b5acc12f97fe9f518b83;p=thirdparty%2Fsuricata.git krb: log for ticket encryption Also logs if the ticket encryption is weak. It is different from the encryption used for the rest of the packet, and this allows to detect kerberoasting attack. Ticket: #5442 --- diff --git a/etc/schema.json b/etc/schema.json index 9debd45893..cbbd1b192b 100644 --- a/etc/schema.json +++ b/etc/schema.json @@ -1906,6 +1906,12 @@ "sname": { "type": "string" }, + "ticket_encryption": { + "type": "string" + }, + "ticket_weak_encryption": { + "type": "boolean" + }, "weak_encryption": { "type": "boolean" } diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs index 99ad00089a..c7210238e7 100644 --- a/rust/src/krb/krb5.rs +++ b/rust/src/krb/krb5.rs @@ -75,6 +75,9 @@ pub struct KRB5Transaction { /// Encryption used (only in AS-REP and TGS-REP) pub etype: Option, + /// Encryption used for ticket + pub ticket_etype: Option, + /// Error code, if request has failed pub error_code: Option, @@ -131,6 +134,7 @@ impl KRB5State { tx.cname = Some(kdc_rep.cname); tx.realm = Some(kdc_rep.crealm); tx.sname = Some(kdc_rep.ticket.sname); + tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype); tx.etype = Some(kdc_rep.enc_part.etype); self.transactions.push(tx); if test_weak_encryption(kdc_rep.enc_part.etype) { @@ -149,6 +153,7 @@ impl KRB5State { tx.msg_type = MessageType::KRB_TGS_REP; tx.cname = Some(kdc_rep.cname); tx.realm = Some(kdc_rep.crealm); + tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype); tx.sname = Some(kdc_rep.ticket.sname); tx.etype = Some(kdc_rep.enc_part.etype); self.transactions.push(tx); 
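Review bot: The new field's doc comment `/// Encryption used for ticket` drops the qualifier its sibling carries, `/// Encryption used (only in AS-REP and TGS-REP)`, even though the two hunks below populate `ticket_etype` in exactly those two reply handlers; suggest `/// Encryption type of the ticket's enc_part (only in AS-REP and TGS-REP)`. The field type appears here as a bare `Option,`, as does `etype` on the line above, which looks like the angle-bracketed type parameter was lost when the patch was rendered rather than a change in the source, but is worth a glance before merging. The `KRB5Transaction` struct continues outside this hunk.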
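Review bot: The weak-encryption check that follows the added line, `if test_weak_encryption(kdc_rep.enc_part.etype) {`, still inspects only the reply's own enc_part, so an AS-REP whose ticket is encrypted with a weak etype while the reply itself uses a strong one is recorded as `ticket_weak_encryption: true` in the log but, as far as this hunk shows, feeds nothing into the branch the existing check guards. Since the commit message motivates the field with Kerberoasting detection, a rule author will want a signal a signature can match rather than only a log field; consider a parallel check such as `if test_weak_encryption(kdc_rep.ticket.enc_part.etype) { /* dedicated weak-ticket-encryption event */ }` next to the existing one, leaving the existing branch's meaning unchanged. What the existing branch does is outside the hunk, so whether a separate event is the right shape depends on that code; the handler body continues past the end of the hunk.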
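Review bot: The added line stores `ticket_etype` before `sname` here, while the AS-REP handler in the previous hunk stores it after `sname`; the two handlers otherwise fill the transaction in the same order, so keeping that order identical (`tx.sname = Some(kdc_rep.ticket.sname);` followed by `tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype);`) lets the two branches be read side by side. Both statements read distinct members of `kdc_rep.ticket`, so moving one past the other does not change behaviour. The handler body continues past the end of this hunk.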
@@ -233,6 +238,7 @@ impl KRB5Transaction { realm: None, sname: None, etype: None, + ticket_etype: None, error_code: None, id: id, tx_data: applayer::AppLayerTxData::new(), diff --git a/rust/src/krb/log.rs b/rust/src/krb/log.rs index e20f36e9b5..40fc19d122 100644 --- a/rust/src/krb/log.rs +++ b/rust/src/krb/log.rs @@ -51,6 +51,11 @@ fn krb5_log_response(jsb: &mut JsonBuilder, tx: &mut KRB5Transaction) -> Result< jsb.set_string("sname", &sname)?; jsb.set_string("encryption", &encryption)?; jsb.set_bool("weak_encryption", tx.etype.map_or(false,test_weak_encryption))?; + if let Some(x) = tx.ticket_etype { + let refs = format!("{:?}", x); + jsb.set_string("ticket_encryption", &refs)?; + jsb.set_bool("ticket_weak_encryption", test_weak_encryption(x))?; + } return Ok(()); }
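Review bot: The local `refs` in the added block holds the formatted etype name, not references, and exists only to be borrowed on the next line; the block reads more directly as `if let Some(ticket_etype) = tx.ticket_etype {` / `jsb.set_string("ticket_encryption", &format!("{:?}", ticket_etype))?;` / `jsb.set_bool("ticket_weak_encryption", test_weak_encryption(ticket_etype))?;`. `{:?}` emits the enum's Debug spelling; if the `encryption` value written two lines up is produced the same way the two fields will agree, otherwise a rule or SIEM query comparing them would see two spellings of the same etype, and since how `encryption` is built lies outside the hunk that is worth confirming. Note also that `weak_encryption` is always emitted (`map_or(false, …)`) while `ticket_weak_encryption` is present only when a ticket etype was parsed, so consumers must treat an absent field as unknown rather than false; a one-line comment above the `if let` saying so would help. `krb5_log_response` begins before this hunk.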