From 8bb6e851837f9d9cd2e5deaf6743654a3df7caf8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Eloy=20P=C3=A9rez=20Gonz=C3=A1lez?= <zer1t0ps@protonmail.com>
Date: Fri, 22 Oct 2021 12:44:03 +0200
Subject: [PATCH] Adds test for krb5_msg_type keyword

---
 tests/krb5-krb5_msg_type/README.md  |   3 ++
 tests/krb5-krb5_msg_type/input.pcap | Bin 0 -> 14997 bytes
 tests/krb5-krb5_msg_type/test.rules |   5 ++++
 tests/krb5-krb5_msg_type/test.yaml  |  42 ++++++++++++++++++++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 tests/krb5-krb5_msg_type/README.md
 create mode 100644 tests/krb5-krb5_msg_type/input.pcap
 create mode 100644 tests/krb5-krb5_msg_type/test.rules
 create mode 100644 tests/krb5-krb5_msg_type/test.yaml

diff --git a/tests/krb5-krb5_msg_type/README.md b/tests/krb5-krb5_msg_type/README.md
new file mode 100644
index 000000000..7ceaa054b
--- /dev/null
+++ b/tests/krb5-krb5_msg_type/README.md
@@ -0,0 +1,3 @@
+# PCAP
+
+The pcap included contains kerberos traffic generated from a Windows server 2019 with the klist tool.
diff --git a/tests/krb5-krb5_msg_type/input.pcap b/tests/krb5-krb5_msg_type/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7b04515521b81f7e7d5990940f2f6185b785b8d7
GIT binary patch
literal 14997
zc-rln2Q*x5yZ2|t5WV+Kv}l<if*?vnMDM+a5Q1n)bb}DRL=Dk<mmowhQGyUHS|oaj
z9#O-$hm-e7@yz?4b=Fzyd}}?k*0#pj`?s(A+V_3^ufKZ+n#)olASmds7Zd~rets|L
zGa54lf%rkE2c#qE+ZG)1H2ii@H9ANN1Y#3-D+cmH1Az+YJ|+Rjv*wm26di-S+^tXJ
zWl99}_#{!MlzyY1C@0sSvQ8=L`v^*yK7xQCHK8=OAP4{{PYIu%fOhVbLS&4Ta&SV?
zJCi~HP-agl48}-D)OF^F@&M8cAeNI6VHfrpaV<kZ5&%KsPYMLYC(!*Hr5&WTjys@;
z$gNk?{yIrAa1|8wB^U(-9Snv-5JcH8KM{W&9Y9n+JQ<z*kI{j&n%iU4MX~{^l9$Ty
z@nPqmL|cG}WTZW3#;62PbAXW&{}?G8ppXO80df33QZS~#J0uixdSX(ilL__luJ;(s
z`$H-U1dN&n{J=~nff2z7QlStC$SVy4dJcw~f&vB~XL!Gad6%Y~LqP?Jd4up%31Rpt
z!0F&r4A?m;RC`+!OPe%oDojajIVlx!ZaHy@bUGLf;tWVCDU6s3&C1@y@s8uqCu9<k
z<MF_FufPN^@xplc1YnnSvi|%i8w~>0#>A@30VohKAp}eYfgHO+z+MnAIq>dLE)9$d
zMuE5yaVjAcUsDx!iT<Y-B2V^fP|zVT)Wfr$->Uj|M4mz;e|vs8>$rnFh&-)!oaCv=
z!@C~lU4yt0Dk53587HywT!QiQ@W2FluJFNhGEpHY7>oE>z@I5{e@RB(ze`4e3DgK?
z0K1An6Q%J%d0;RYIpPY!R01lzzs@^JG~$r}iGZP{KoQ9}{nZPGfw&lw27!W3-{SxE
z77y_jk&Bu&q%*JgtT{8t6QeF_1FTe{A2UyP9g1wdADyfS?O!u0Y6FmX5%ZUt;gsTz
zoN|0Z(K?et3<3#XI;CW<BVF%(zm2E^q_w<PWQlCOYiuA}?;4<!xMY5ct0T#t!~vk*
zMXYz}@jr={8%VSM{>&Kf0#wJJ*SiNmu>jV(#aZiJN1z`G1+m^+5n~2(--UzOVQ?_Z
zPb=OOW(<=%ojg)dNtpP_yh{^;3QX5<j$=`F@joQL7KWa7)sW?jrLO(g5W)U?In>V6
zNjbq6>2<a1=6WYeZZCAdF;NSGT)mP<DlG7SuYQ#L59&wpS14!+6?Ag^J|9rWHNc3x
zKS}v*J~%G#6(=H|-oXqa@2DTF;HU#IIBM^|DhO8E1sE%g`E<q8LaAYtf4}0>e@RWo
z8Oh6pLn)2nP*NBiN_cvUUoJ`eciBvbqm07fC_|?aoXiC{N;?#e(vnjq7MD5`ci6}d
z4zMkKb3L_8K>7ot%@l6*w6=$cX~EYK2b((jy#s7C@y8`FtR?*PKwCM~q2<AC%f-jN
zoYEXtOX|4b{AY&Em8mXYrDS`sQ$|=y5>}5b@Awh0j+pYC%htR+%FDF)>f-Zahu&K;
z8jF+UV}h3<{M?T*joj{9-!g~$V{x0<!EiLLKx(oXHppl2KWcDr2br~FNv=l3n;2&v
z^^f$Ua|bX6>?FBFnhEPT#SjHtOVu5;lcve@&8g&E*ebU9mf<i?$K|$Q{i%3N7XN98
zXU#=LjESU+A?@<*MxSowC}O_qR7vZ1{T7FT_DKq5L!2m>xRpz~C%xxVW0`!AAwKMW
zpH}3{7`yVy@`<?mRAq;b_yaf9;fGK<722fk;E+f6-px0AgghUmwzkz<dX8JwXj4r7
zS-NbL9wf|GQ#Khpocc`X*~h@+HFn~ycg4ink8K2>hw6HARD_vfE3Zq@M}C8dMQ53s
zMKley8rEn#7gW@~eo^UqVgK;F$qu;~%RJdqSyrUw>f)DWLlN_EMSq(2l#I(aF^!JI
zH{vkDO-%CR3v8M{vnxlr$8icZ#$B265T(LbzfdsHpLKpNe8<z&U~{|W_Pp5}Tr02X
zFS)c_4?@ZAVQ{&Nb6c1|pX98#Nd?fd5aEeiF}4(O=hQzY$TrydaJ5CoD8Ys(?a9&1
zN)nv%UIOnE8k%ts36X!ih6Z+xd9t>2UZlS@;q*fmy>~LvsREd_)A5()P5mvS3Km^D
z%e#*-X<yj*(eF`|^Isl$t-UF>mHfotQqA_e;ycuaTQb;7TONrTeA90ZiR$JOINcMv
zAZD+-ttE;Hr_qYI@o=GUTOJWMT4LOHWaQdcYfQG&jC+xm{VD!^;?l4)d+QPonk9A2
z@p6(*3h!NZ<w*vkJF}vX&Ca<C=4Dq{(<<C(P%Hu2WwMoJZt_jywhp}rFzUm0s+8x$
zXG*#38^S!|J{vFHjiy|7SLF8n)u_sttx2jiJcIbj2X6TUUMfqX=-c^{Z=GE<0=(MF
zq+~n~xyU=B@DeE{*guf2*tREONZDxLkgEh`71q|^9&gN(;FRs&Se<HMrFr6u<_Gh)
zbQnT?-ro|H^uf5ryW3v{-NgCc_0qsdwB7e*`se((T^jneK8<Zk?Fm%bM>S<y55(HF
z-_~G}zVh6!VCCio(bRNTL)Q1{FA}KRw?xW{JAx~0xf-xKzJ32zx)^kfU8)Xy9kKS2
zZt`GKCZ!g7(P`3Hc8~RYiB4SK`LzMrneXVm8|KwnaIhv&^i_Xe-C!vw94uaYhxlek
zqoxJ?;Id<G+=NuWovIzJ1Dj93ePYk^u6zCx$E)_!dNa_ptC4O}+_-UBZ;r0DQ71(_
zQytT!H|{;}LOv|HTean&xuEuOg0r=J8c(5}A%gAEh4rE3D+IJtUJp8JIN$Fo;@HCC
zyQ5K7GQ{FW`V9AB1dRST+2MSyOcL@86dU(sQ?#m39|jhXza$*3yn0MNp$gAW*BSk|
zY>9$OUgqHkhY3LOA~)NpEad6T&oe!Un86xY5|EP^mo2*?_xXMG-K5=hxq2P*%-Dts
z(+J^Dfm$8zwW;RW%#$>YA;PP=!sypAMI!LZ&%wJJ9JLO~XR#jgL|Tuv)eWlg=rbtE
zcL#XN#)QdfMJW_AgN@lR6kC5(egmL-8=Tb%C}}`WIsuMfD?b(6N#zF=x1AjX%1@^%
zU-*1)cXW8i?a)=1GIFv(DiMd|{tFk`9ajR(h?xd%JpA$uQN-Qaz9Q`s2F}v=;zZz%
zN<ViA>&PjCNGJq<Q5v_Ac2z^aQ940dRw6y;kablH+sL{-4V05ys{NKrB_OsW#ORE>
zPUHGF6zB;>^-K!TGkTAoQY^nA?eI`fDA#|YbV3Wm(18)6BRahH3xAHz;TzJd51*MY
zbbyNS^Rx2-C^Eo#h~xLHqg@sFfP@0fHxf@o{?YKP;b>SeING^?b$Hn6aOeTh80-MY
zIO0=q8XVdWg+t%jz@cw}58M9Ll;EZzIyA&9{hx;7pN8U}hT@-w;>?C3!#fJ*9e!#Q
zy#t`$eybVsl3f=+br5cE)FyI_ZgtYIkJ=R-Y@XZqUP@}inQ!Y#&DCeqyJfL{<mLaA
z`F?WG3ri;P?OC5G!u3f`MlbDiUb^J$c=ziY{HVO1TC|3LrjuLE;s;l|MP0rhxwtPu
zX#1c&Pd@fsYI{}j5EhMvuTk_Xk0I64<huc5n8%~roI|Z^Fp?ABnVp6M#e!j+noXdT
zWq2RJymx<iPtb2ZlMF_3TF7u=*i=yK+s1ZO(A%c4OPPObCPQ)n19oC22@rnr)JW!e
z$H2U!{wpIvQ15{JE9+mVdWS&m(+uY)efH+LJ(S&2NoQFMGWo5ZZH$#bK`4UU^dZ8*
za;c)X%CjwG)^`dqF3IRw^+{VtdL<R3U!p*(Bd=VI>w-NFol{t26*ub}dn8Cmei?(*
zO)|umlhe{RAXWulv7>!RV}vIm!NO6qf}@}q&5XJQRlq%vapo1aNcyOW5Ek(rq_T;2
zB6!Nb2_A-($N&{Wo~B7o<tcF=sS!SRVuTa^j`AVuM4nLZ!O_5g5&r%!&B6JP+-)Kt
zMsa``Jv~c|{_Yt9B6b_N#^_%ngaRm^3ZQ%n^bEl-JkvWzx1>qw&B*UkYgVK@|4wfA
zp7cTAN66*Az<3N-_xoxKy?k!c*R*~0g!bAm-WApn^VUrLwqmg9I_L5&v)}ugmtt<}
z;Ehxjcw;V+RKQc4${6<QYeWaLV_&+HzKNRKO^9&YdbckRPTgy|=Xew4VfXl3$EbAP
zx;smxnqh1=>M!^#cgu7sUnRCrHD-|(p@~+KJiIctNuwXhCQEyba!HXE?i8;2AZEsc
zm=dCzT%pHY5Zj&9;%*ggKa|$vT4dDYjp0HPd{oKqkg<QeOnWESpE$g6X~*S5d|6;%
z%md30rSXtz8zZv45?|lkc%l1S*%eynHSKVM4DIlwd0kX4&EIhnLSqeC+dW(kBAxbl
z4T)=X%&wSV+f4w=8$<D(+4(9dAO;rq-7{_#y~P%3mrb%bSW3$CA!rSEe4Be?vs-YF
zWqUexaVW$Rtfw3w_FZj2Tvv|$m5Jr`o7;~R2FizIt~!d!u&1x1KcSK4tH$YppW7e@
zqrEiPl&KY<PBW{P;WD%a`8v}3GSZPNeGzwmYr}sG6FlS#62WC0pX(&#HsYk9nABYE
z3Tmks=TTaIg)^l*{dT0PuX;g2rj_*DChdN$^+@q>TVc@V?lyOy#fR-C6G@VIon21N
z8v1h;WAX06M_t1ZnoJkI6$r7xvlk<}Q(wc!FwQp~riHn=t!NW-&!QBi4C%0i1@m38
zZ(>pTLJs}7;6T{jGc|?+=7lKV^HG<e#H@x5J060V#Rtb%l&vj&dqW5k-<1l)V{m+G
z3MEz%^0K{n*Ry!<_+4M$T2#7H^mk_y3qR@zmFj^}$BwRiX(EARR~_1b7?mxBW+D54
zrCFg2?ZoqU>sSJ^jL7Stq#HZxRpvP_mm2b~EYxRdZ9II^kvcOI&1Cfz7cOIDl0<b$
zDBm_!qU&}<R|AS}=;QtJ7!7^Kl$CO=irS8kZE;4G5(bcz&x!5WuB0#c!kXxuwi4}^
z1&z4-hrK}QGOYL=VGh<fSY~dm1V^x)xf?vZ)?aCFo02@~iB(`TI^JTtwUEcc%1ax4
zL&;>0Q%bGEpWwc};Z0bmJ+tHBgyXTvwksY#C$=2As+{$OxUG@z;v4&79h#K<>WeJ7
z4L5sU>m*3k&Kr|_S!exZn7<}ZP}`R8S^nnT{=m?el&!(`g6CyYa4O#k=|Z-$Dk9K0
zuG`mJ!a{n+P=N;wvLL<kqX!G$BS{nvZi_U(b|U^5{(w<=6AMaKX}$GMfK<3TW=@v#
z{1Z*W-tcQnk@Dwwg<OWZh4HTk_V97njO<I?SyjS$#c@D{VkofdH$BeWG;U~iL>+<V
zEIh0f;1gHB&V_f=Z#?|MW$F3OR2wPMVhzRDU-9Vc-V(=r{y65G+8DyPnm{3Nr=D9o
zg{^dz;F?&anvLaHIHzcoh??bFb-EHVWjUcK%UV_n7h_`X-M3#_NWFBAYdn^`UtQ7x
z{52QguP>aIe>j*Pu-4R1)EM98UDaAPt*m_dwTo#w-nk#F%`dMcL2`Z(>odA6`zWos
zuK7{GyQHI0bti@lkU2*5)<A4Si37Dy0r8i&3JZm?g;y5CC!H`4GT#Rt^S8Rw#OYjV
ziz-C-cr$CplZm4gib5pG$0VYe#Uq;fc_&IEJ8YY1BB!hGKuT1JD}f@_X~q<s-g#cC
zdur9itIpCXxp*#8r|7yePt3QzqrDV;*VnDwM}yk+FP-lswCF4>G(V8E^2Ph2@6Kg-
zbpnfYAH`+n@{h_N1XS;!vka5F2Kvbs%I>d~|7q<><p+#OJT3@yY|qG-9V7NOQBuFz
z6>HLsA&VT1iyfa#a!N4#x~tC0t&6hm?S}JR1X!C5K|>f>_>hO9A<Yf6dN$;>1!CMC
za%P_|k_h2sb0j{tjM^e8%JPYOWQ+(ccOR+q8a>N14NyS~qX~a@UhT*!V@N1Jxn`XM
zq%w<fBC`s=rYV{bAW<V?nZWvwD42ijH~vKdJnnZY5Qqq%2z>%0bMWK8jp!{%%bBAr
z`R^P&g6R1fjLbD-ox~;jQ(SLxI{0b;Y6`+NU+Djnm<<q-WPRey7*hah?T=@NptJy#
zWS}KM9KVkgHA3Jc5(+RmDGyKnKW}CYM>Pi868&FX^9;~DeEP>V|Kpnfan1j@=KlrP
zTq!tA_hu$h#Fx^d`DVO;W9bY3N#*|G0Z;nROevo71EbI`pGs<4(+Tb(-HUwU*&^N4
z(jPB$rR6`dAg<M^hpj2#3TcSa?luxXZ)G~4MVN3<b<K-C35Np%1xqHpEBL6k&9>9d
zd(V2f4%=zkVd?U|P7pj8|Hvh=_k2bLf99I@VO3j(CG5_LIR=42kpKB6EW#w~QxyB1
zWs(u)dUhHNDgtg+be4-u(ZD`&k$u0(NUbx+tCN3n(&(I&YsY(VR6C$tTmLs*<o{A}
z4zMh%wzA?2KbmoF8s-;kw{pq5&geQ0f5wq2OL#PttqYESs=f&2A}<PyfQQd=sJUiM
zHb?ZjiQjV?a~V8fn{xACdSo%zz|ibvFXt^TxQNDSzqXjKEKjoi8De1YEZ94ROoh<A
zcOn8tV!iUpnE<z|<dU4^?NFjzkh7Q!zT5R0aC7saO30mloceL$1TMDlu>!*Wed&SX
z#+vncFoTw*>81~MF8(tEh&4qR{!mqf8;hniHxJrcH)>P3WIo+9aHmfqmyZQMh`Ps&
zrjMy-Tj)l(d98RVZ0g3<K)UI`0@0RgJjMZ+Pj~~vEYkij@z!5F3`9R)!26Oc`%opu
zLvMN+m1f12N!eepUovd+mIZ@3J$f+XR=_%Q?DHY#$K|v>gI`0vOS4?jS;TWWgZ&fK
zQeM}Wjt`0SyV}20$ZEZ!$4B|RfmEs){<4_WGJBnPi9Xppab@)Lr%_!7^e;51-?bKB
zujtA3$qL!&JIy$X5A1wFv!F?+=B#dp`!6PbUtFImB%T~h;-&S$3|Ra6=B^5#VN(gE
z8<dpE7Qb|PTJUYf`JH6T4n>Lhy@FZCShO}?(WH)EHRS<wYZA<kWOUCCP2R6+GV~y^
zsvL!ys*0_TgFJ7{OE)z3z{_>HPw?G)#ThfqX=?0NWuACTMw57w-_e%d_-<Efd<QfE
zS~7_ATvs8=<!5dAWI_4L^BQ=5yxzj_8BP@aeU3YyE*6%)XS>fr=3?keWj|(P(v^3N
z)jX3Eme3<RO%VF|#iFw&6Q5e;c)eQ!MpuMam8oqb`ZHr9%ubH^zOEwJvyS56{<Z$5
z+EKc_@}Z`e^m%mihMLx@ZQ0MhbQCmo;LBv~?`=Vzsn)OZYTd*l<D0))Wfw2sI8&{@
zcrP>eD+>-JpS=)I;5BI}_Bc___h)kl8Uo+qyY;=QR0jKqCkCiD6wC?rCb&?Zj&n3Z
z^OOeU(r$N7E%6Z+8J-`%FFZ;Ce|??3^bJnQdNdZH(MlijGGUw)i7R%^JOO@ZCPmRh
zqk=n<=7#i%BlPcMErr6v=+aAHGCCMCaPdZb=fnOuQ2**-z<niLcOqk`c2qgdC%r+{
z5Dg9-BG&r~eszN`Sw<KY+nsh#Z;O;GOF|##*pFmwaZu@Pw+0rE6cmg{C`iB02fKU&
zC10F%jh*-g?gY1d_$KgS&yP%du<72Uu1sLj!@eNj1G<f*eQ<#ny(=%?9a9G3s+z=S
z4mY^_UU0wXv<@(~Pf$e_CK-l-JTC2gf2)EzZ^3+L$b_oeI&%{6aI}Djqx|9F2mlX<
z;~l`5pJ^#xK~k6Bqp*w@%H(BHuhmUXGZ#J&!uR^><Ut4CMJtJA){Yj4MhO~F$P;jR
z1oytY?nKS(PW51v_xo~>aWwvr^^RlnKK<s6cPvyA>pMm$ho=55f-?`{!sL`ebJ4P&
ztQrP$AL_E3NbRxI3Z}ormcx$QRjRkPv41bYu8nPL6z?_D5_@&^h5ZcE^tvmfU4yLU
zu&okT{}rqUEglvm4qZB`F01=!)sk+S<fN2&7>h!NWhn-t`USc*(((5XdM_AmFl^fo
z>s0b_3O}NNTs7u0l@K1;unwgnHHCL#WxY4(BjjmU)Ek}<T`VEvG}3mL_Nge~&q!3v
z7Ef=6=q%Yh{Txz-sNPI7NL%*FvzqN!7&sk5mjR=M_oHPm{F(Bn#lbnT61RTU0HMnO
z2@}!yUt2$=bR(zW{_#bvzbJrFG6J1a%x94rrBA<&s0*ZZ3m)2w%qVfrAvH>PCvge=
z6jztX#z8hf?L!zPIRBr->vKr6{`t%p`v7Xr&qm1@pr``psh+jHC?zn3g!0$+B84>^
zjRXcqBly3%z4(t7|D(nKXz~BwTKtDm5^*1~507<~5}RKku*;Jix^MSNKwhB2W|2nQ
zN2N)1CK3OR-*(wp)xElWPnM((j?x7|p5SVx<V)#y$M&rgs4rghxYg)WsdD|9Gixz5
zY2E`dp>7RAJ%5vfD+DeM)1#HFWue6&h+D4=iV!mzD}$h&S;GC>j~++OJj@bn(d_Jc
zpQU#B@3t4=U?|Wyfc|cS@t0BtwQzK_qr$!f<GCVmiSNo4J_qB!_fQZ2qm4#)hc6(q
zw@w3}n~WktN82Aa6Hb09DG8m6OirM9iGmVoD)=bly(4qx2gw@+Y;~-+^7z4+%j&lJ
zs@b|x0_R}cn^8P+mKWXAz00RxrtZCev!}284T|F$3%#ZAWZCQs?Z?E734wR`1zqFu
zn4d`Z$Y*L3I#ELXc=X?Onbs^$*NC%cW;g7gi$zEbWFDy`<DW>M^l#Faa|`}-6(Lkf
z<flTFy#z+K(MWJ&5yStEf)RIO5%&O#xD8mujsK=aj00rpDIiPX|5ldHc$R>yX#v-&
zoqR$6zhnt|1JFW=<ofuSAR6C~*L{k(I8`w?hetTi5ntu-d`S%J^~D*2YY0IiN({UP
z>K7DOS#Ug_D_Xw#4v#x;uz|ra;l)=g6})-xuGDeOwz~+oYsUTKEtA^9Qh#~e&x)<|
zE<_#t3-uCoK2|Y1!#Sxf9b8I97+nYM39rGfqnzr&)cm+ui%O1#p}ly;fyo4VgmSLj
z9Ly$`{*M?{j5eFC!o<|F#Zb4l`K|@f#vH00)_HjrVh?c`?+ZrrilfkB_pNWt_>$b>
zwaELl5J<JbI!T;4z8KQm;o03q(UxXKt;enSI2?SD^r{bzR*J^5q&$au36tdRENSC`
z=_N=T4@#tXR4N8HZ&!hmd+p#Fu8(F~lYnfaC290vqc@#DmJ_^s*cL-0M^KcOtX6Ie
zqEg*7r}2cZoa6fVBdS?C{XxO<`R!i+e({FLD$Xh~1I8?Fjz!9G^U&0K7>UaKJq+*|
zv2RiM8fL-ay{B1MNk{@!vWu<3gbzVUQic<PG*e7kp1K7o@XBFpkV#q?6gSz=&efM?
zRNTw%Xe8;IF{$7?F6OqdD(-e}6p_Yjff1fZQMv41Wc0Ue>M$w>9=U`(EKpjSU0)w=
zy_;;p*6PyDPMpQSh9e>LV8Pjcp!pp9T_yUUy!5pN`(iYyG5T0h^Ep;3=X=Exm43Ew
zNlErx+vX;|1rDJ$6);N#@}=`x#HNi>+-$##7xzHMI4Bwu)$S|S2Rgc-*sp`sJR~b@
zL7;*7SnMz+VSP2-St3u393%Fa;>9-q%nmz>@r*7r$D?DkySL+4j^h|#ObivZv9Bs+
zs55Izh1@|=$C;!IBXhNfr9`?k&D1^tFFT0v8B36^QY*c7d*GwfYc;kwP41gzN$f2j
ziYArJ_~gityE}Gjjq-q!mf>O9h@Iu}5N+8dl1aZ?1+M7%`xBR^ocOk}jdwk$Mqh(e
z4cEQRsJ1ByE)ZTUjsAdXy&86DhKA0JEUdbI4OeXg0xI<*Q_SY%zj=A$yjfjbgqQ#s
zvEN+lVzHo#X;VhHX)n|2lQ}tp%tp@~a(i6T9W+V&X40(Sb|t?{ZYKO*^|kUC=DQai
zX!iAGKC6bp`KNpjFFsY<o*GMut;(?Kl}{>nuY0N{!GGs+@f%iyp~B;g;&;=*x~(?F
z{Dw0a&l3D`9g2*1-`-4N#$8wuPDUS&qQuM$>`{*xA(>?lQQJ${tn1aU5JMxit1v6`
zs1hp>4%fXMKP0vE<?aM#YTMv92Ey+J=M(e!YUB4JI#~miT@vP`owW%o>M0IeFU|%N
z$9%#N)|A!o5ZLOMFXj%tZ8qLx>R5WbwN-4)Ue0yB#z~a5wA`}9nDR3#{DF$QM^c}O
zsj8N6_2KyfrGvWmK+WmR;}T`(625meg2&WQa#3>Z2M7L3&o?=8;s;9nl{<HCrF$qT
z*9P0NV%>jL|Fs`-$3mKBtPnj0FsRIc&M^EisN{e_CC<`Bjb6%{#d~Qm&d*jMP?1Ah
z=DUiMIZXNJL!?O1T+?$md3RomInO}NYh8-T=u|T7i@j7FuY{!W2-;{id{MP@Ss9dS
zcw#)<)5eCs=G7he5oEp|qTQ&jE4;=`HY=uHc*mvvCG_BRDKm_hBm}I6D<osoLZ{_e
z`)*xEQtYxC139rc(N&6-tLb;Q@Mi~0ZJ#{q!b#)w<&3@>lDt9L%P#CRWwk@6m{G}|
zyRCY0at1D)QzTHb27R837IeKrEP<H3vSGD5u59;5<wy7o&$F!4eGS5sjmG_7D*q-}
z@1*hr76rW)1VUH$>#}#k4bitq^P<R^?J1gsUO7^oN{uvQ4O*n_EW!1a&{XY+C+SJD
zkrXW86j@Ohv>sLV>LSyLgeu$4I5iQxGKacev3QIK=hYHY-!*fVV|uy@gp~QS?;1f)
wnMFb&_{qI3Bb8R7KfbhzNKGa{T0_JVOL<ChLrx(+p-7%d0X%ahI|%gu0CIM&!T<mO

literal 0
Hc-jL100001

diff --git a/tests/krb5-krb5_msg_type/test.rules b/tests/krb5-krb5_msg_type/test.rules
new file mode 100644
index 000000000..18cd2fea6
--- /dev/null
+++ b/tests/krb5-krb5_msg_type/test.rules
@@ -0,0 +1,5 @@
+alert krb5 any any -> any any (msg:"AS-REQ"; krb5_msg_type:10; sid:10;)
+alert krb5 any any -> any any (msg:"AS-REP"; krb5_msg_type:11; sid:11;)
+alert krb5 any any -> any any (msg:"TGS-REQ"; krb5_msg_type:12; sid:12;)
+alert krb5 any any -> any any (msg:"TGS-REP"; krb5_msg_type:13; sid:13;)
+alert krb5 any any -> any any (msg:"KRB-ERROR"; krb5_msg_type:30; sid:30;)
\ No newline at end of file
diff --git a/tests/krb5-krb5_msg_type/test.yaml b/tests/krb5-krb5_msg_type/test.yaml
new file mode 100644
index 000000000..3a90f3171
--- /dev/null
+++ b/tests/krb5-krb5_msg_type/test.yaml
@@ -0,0 +1,42 @@
+# *** Add configuration here ***
+requires:
+  min-version: 7
+  features:
+    - RUST
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 10
+
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 11
+
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 12
+
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 13
+
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 30
+
+
+
-- 
2.47.2