From: Pierre Chifflier <chifflier@wzdftpd.net>
Date: Tue, 15 May 2018 14:54:31 +0000 (+0200)
Subject: Document Kerberos 5 parsing events
X-Git-Tag: suricata-4.1.0-rc1~63
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c51ff32adb870dbb5f0ae38ea0595c73c4cd6484;p=thirdparty%2Fsuricata.git

Document Kerberos 5 parsing events
---

diff --git a/doc/userguide/rules/kerberos-keywords.rst b/doc/userguide/rules/kerberos-keywords.rst
index 91f4f97e38..37339feabf 100644
--- a/doc/userguide/rules/kerberos-keywords.rst
+++ b/doc/userguide/rules/kerberos-keywords.rst
@@ -83,3 +83,31 @@ Syntax::
 Signature example::
 
  alert krb5 any any -> any any (msg:"Kerberos 5 error C_PRINCIPAL_UNKNOWN"; krb5_err_code:6; sid:6; rev:1;)
+
+krb5.weak_encryption (event)
+----------------------------
+
+Event raised if the encryption parameters selected by the server are weak or
+deprecated. For example, using a key size smaller than 128, or using deprecated
+ciphers like DES.
+
+Syntax::
+
+ app-layer-event:krb5.weak_encryption
+
+Signature example::
+
+ alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak encryption parameters"; flow:to_client; app-layer-event:krb5.weak_encryption; classtype:protocol-command-decode; sid:2226001; rev:1;)
+
+krb5.malformed_data (event)
+---------------------------
+
+Event raised in case of a protocol decoding error.
+
+Syntax::
+
+ app-layer-event:krb5.malformed_data
+
+Signature example::
+
+ alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 malformed request data"; flow:to_server; app-layer-event:krb5.malformed_data; classtype:protocol-command-decode; sid:2226000; rev:1;)