From: Pierre Chifflier
Date: Thu, 19 Apr 2018 11:09:43 +0000 (+0200)
Subject: Add event rules for Kerberos 5
X-Git-Tag: suricata-4.1.0-rc1~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ae53a1869a40d5471dfa6fe39f726c0d270012b;p=thirdparty%2Fsuricata.git

Add event rules for Kerberos 5
---

diff --git a/rules/Makefile.am b/rules/Makefile.am
index 9deeae5b82..1f8ed7a4b3 100644
--- a/rules/Makefile.am
+++ b/rules/Makefile.am
@@ -13,4 +13,5 @@ files.rules \
 dnp3-events.rules \
 ntp-events.rules \
 nfs-events.rules \
-ipsec-events.rules
+ipsec-events.rules \
+kerberos-events.rules
diff --git a/rules/kerberos-events.rules b/rules/kerberos-events.rules
new file mode 100644
index 0000000000..5e23958cbe
--- /dev/null
+++ b/rules/kerberos-events.rules
@@ -0,0 +1,8 @@
+# Kerberos app layer event rules
+#
+# SID's fall in the 2226000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+#
+# These sigs fire at most once per connection.
+#
+alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 malformed request data"; flow:to_server; app-layer-event:krb5.malformed_data; classtype:protocol-command-decode; sid:2226000; rev:1;)
+alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak cryptographic parameters"; flow:to_client; app-layer-event:krb5.weak_crypto; classtype:protocol-command-decode; sid:2226001; rev:1;)
diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs
index d6573ff861..7ea6c83076 100644
--- a/rust/src/krb/krb5.rs
+++ b/rust/src/krb/krb5.rs
@@ -377,6 +377,7 @@ pub extern "C" fn rs_krb5_state_get_event_info(event_name: *const libc::c_char,
 Ok(s) => {
 match s {
 "malformed_data" => KRB5Event::MalformedData as i32,
+ "weak_crypto" => KRB5Event::WeakCrypto as i32,
 _ => -1, // unknown event
 }
 },
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 98449968f3..e82d8b0a41 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
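Review bot: The `flow:to_server` constraint on sid 2226000 will suppress the alert whenever the parser raises `krb5.malformed_data` while decoding a KDC reply, because the app-layer-event keyword and the flow direction are evaluated independently; this hunk does not show whether the parser restricts that event to the request direction, so either confirm that or drop the direction keyword and reword the msg to `"SURICATA Kerberos 5 malformed data"`. The mirror-image concern applies to `flow:to_client` on sid 2226001 if weak encryption types can also be observed in a request's offered etype list. A one-line comment in the file header stating in which direction each event is set would make that intent checkable later. Also, `SID's` in the header comment should read `SIDs`.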
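Review bot: The string arm added here is the only place that ties the rule keyword `krb5.weak_crypto` to `KRB5Event::WeakCrypto`, and nothing in the hunk tells a future maintainer that this table, the enum and rules/kerberos-events.rules must move together; a comment above `match s {` such as `// keep in sync with KRB5Event and rules/kerberos-events.rules` would make the coupling explicit. The fallback `_ => -1, // unknown event` is the only signal for a mismatch between the two lists, and from this hunk it appears to surface as a failed lookup at rule-load time rather than a silent miss, so the risk is limited to inconsistency. rs_krb5_state_get_event_info starts before and ends after this hunk.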
@@ -110,6 +110,7 @@ default-rule-path: @e_defaultruledir@
 # - dnp3-events.rules # available in suricata sources under rules dir
 # - ntp-events.rules # available in suricata sources under rules dir
 # - ipsec-events.rules # available in suricata sources under rules dir
+# - kerberos-events.rules # available in suricata sources under rules dir
 classification-file: @e_sysconfdir@classification.config
 reference-config-file: @e_sysconfdir@reference.config