Pull request #5128: kerberos: add config to set failed_login flag in kerberos client...
authorAndres Avila Segura (aavilase) <aavilase@cisco.com>
Tue, 10 Feb 2026 20:51:15 +0000 (20:51 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Tue, 10 Feb 2026 20:51:15 +0000 (20:51 +0000)
Merge in SNORT/snort3 from ~AAVILASE/snort3:kerberos_read_failed_login_config to master

Squashed commit of the following:

commit df7f69935cab4aa36609413fc3144849695b87d7
Author: Andres Avila <aavilase@cisco.com>
Date:   Fri Jan 23 15:49:17 2026 -0500

    kerberos: add config to set failed_login flag in kerberos client detector

src/network_inspectors/appid/app_info_table.cc
src/network_inspectors/appid/appid_config.cc
src/network_inspectors/appid/appid_config.h
src/network_inspectors/appid/detector_plugins/detector_kerberos.cc
src/network_inspectors/appid/detector_plugins/detector_kerberos.h

index bed2c29f41c663bdf909a5a659a835993064be2a..b38d0192f10b5a4d977c7f17e611e6fd9972d898 100644 (file)
@@ -723,6 +723,10 @@ void AppInfoManager::load_odp_config(OdpContext& odp_ctxt, const char* path)
             {
                 odp_ctxt.eve_http_client = atoi(conf_val) ? true : false;
             }
+            else if (!(strcasecmp(conf_key, "kerberos_check_failed_login")))
+            {
+                odp_ctxt.kerberos_check_failed_login = atoi(conf_val) ? true : false;
+            }
             else if (!(strcasecmp(conf_key, "appid_cpu_profiling")))
             {
                 if (!(strcasecmp(conf_val, "disabled")))
index 3fd5f9f8362be746b87809d9535f3ca0c0f6acfb..21bf1c15a0118e2a3cea9b0de15508a2fabafd24 100644 (file)
@@ -234,6 +234,7 @@ void OdpContext::dump_appid_config()
     APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: brute_force_inprocess_threshold          %" PRId8" \n", brute_force_inprocess_threshold);
     APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: failed_state_expiration_secs             %" PRId32" \n", failed_state_expiration_secs);
     APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: inspect_ooo_flows                        %s\n", inspect_ooo_flows ? "True" : "False");
+    APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: kerberos_check_failed_login                    %s\n", kerberos_check_failed_login ? "True" : "False");
 }
 
 bool OdpContext::is_appid_cpu_profiler_running()
@@ -256,6 +257,8 @@ OdpContext::OdpContext(const AppIdConfig& config, SnortConfig* sc)
 
 void OdpContext::initialize(AppIdInspector& inspector)
 {
+    KerberosClientDetector* c_krb = (KerberosClientDetector*) client_disco_mgr.get_client_detector("kerberos");
+    c_krb->set_failed_login(kerberos_check_failed_login);
     service_pattern_detector->finalize_service_port_patterns(inspector);
     client_pattern_detector->finalize_client_port_patterns(inspector);
     service_disco_mgr.finalize_service_patterns();
@@ -272,6 +275,8 @@ void OdpContext::initialize(AppIdInspector& inspector)
 
 void OdpContext::reload()
 {
+    KerberosClientDetector* c_krb = (KerberosClientDetector*) client_disco_mgr.get_client_detector("kerberos");
+    c_krb->set_failed_login(kerberos_check_failed_login);
     assert(service_pattern_detector);
     service_pattern_detector->reload_service_port_patterns();
     assert(client_pattern_detector);
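Review bot: The pointer returned by `client_disco_mgr.get_client_detector("kerberos")` is dereferenced on the following line without a null check, in both OdpContext::initialize() and OdpContext::reload(); if that lookup can return nullptr (for instance when the kerberos client detector is not registered in a given build or configuration), this becomes a crash at config load or reload instead of a handled condition. A guarded form is `if (auto* c_krb = static_cast<KerberosClientDetector*>(client_disco_mgr.get_client_detector("kerberos"))) c_krb->set_failed_login(kerberos_check_failed_login);`, which also replaces the C-style cast with a named cast (or `dynamic_cast`, if the detector base is polymorphic and the registered object's concrete type is not guaranteed). The same two lines are duplicated in both functions, so a small private helper would keep them from drifting apart. In the first hunk, the new dump_appid_config line pads its label with more spaces than the neighbouring entries, so the value column no longer lines up. Both initialize() and reload() continue past their hunks.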
index 651c76bc68cc949595bd67e7075dc22fe8de69b1..397de10a7a7ce1ac17fa791efe0a61f64e6dd332 100644 (file)
@@ -155,6 +155,7 @@ public:
     bool eve_http_client = true;
     bool appid_cpu_profiler = true;
     bool inspect_ooo_flows = true;
+    bool kerberos_check_failed_login = false;
     uint8_t brute_force_inprocess_threshold = DEFAULT_BRUTE_FORCE_INPROCESS_STATE_THRESHOLD;
     uint16_t max_packet_before_service_fail = DEFAULT_MAX_PKTS_BEFORE_SERVICE_FAIL;
     uint16_t max_packet_service_fail_ignore_bytes = DEFAULT_MAX_PKT_BEFORE_SERVICE_FAIL_IGNORE_BYTES;
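Review bot: The new `kerberos_check_failed_login` member carries no comment saying what it controls or where it is consumed, and the name alone does not say which side is being checked. A one-line comment tying it to its source and sink would help the next reader, for example `// odp config key "kerberos_check_failed_login"; pushed to KerberosClientDetector::set_failed_login() on initialize()/reload()`. The enclosing class definition starts and ends outside the hunk.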
index 3e8f96eada686d6185b83f3e63025944761dcda8..d2857e5d512d2800f0712a1e4edb8c335da5dbe6 100644 (file)
@@ -415,7 +415,7 @@ int KerberosServiceDetector::krb_walk_server_packet(KRBState* krbs, const uint8_
 
         if (krbs->flags & KRB_FLAG_AUTH_FAILED)
         {
-            if (krb_client_detector->failed_login
+            if (krb_client_detector->check_failed_login
                 && ((krbs->flags & KRB_FLAG_USER_DETECTED) || reqCname))
             {
                 this->add_user(asd, (krbs->flags & KRB_FLAG_USER_DETECTED) ? krbs->cname : reqCname,
@@ -640,7 +640,7 @@ int KerberosClientDetector::krb_walk_client_packet(KRBState* krbs, const uint8_t
             krbs->tag = *s;
             if (krbs->tag == 0xa4
                 && (krbs->msg_type == AS_REQ_MSG_TYPE || krbs->msg_type == TGS_REQ_MSG_TYPE)
-                && this->failed_login)
+                && this->check_failed_login)
             {
                 krbs->next_state = KRB_STATE_REQBODY_SEQ;
             }
index f9159960444532008e4532c140959ec3ed4f87fb..62939c7ce8ce081ab84d1b7bbeb57b609d50005e 100644 (file)
@@ -47,7 +47,12 @@ public:
         krb_service_detector = s;
     }
 
-    bool failed_login = false;
+    void set_failed_login(bool failed_login)
+    {
+        check_failed_login = failed_login;
+    }
+
+    bool check_failed_login = false;
 
 private:
     int krb_walk_client_packet(KRBState*, const uint8_t*, const uint8_t*,
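Review bot: `check_failed_login` stays a public data member directly below the new `set_failed_login()` setter, so the setter adds no encapsulation: any caller can still assign the field, and the service detector reads it directly (`krb_client_detector->check_failed_login` in detector_kerberos.cc). Either drop the setter, or move the member under `private:` and give the service detector a const accessor such as `bool is_check_failed_login() const { return check_failed_login; }`. The setter is also invoked from OdpContext::reload(), so if detector objects are shared with packet-processing threads, the write to this plain bool should be confirmed to happen while no thread is inspecting traffic; that cannot be determined from this diff. The class continues past the hunk.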