detect/krb: adds check for krb_err_code keyword

author Philippe Antoine <pantoine@oisf.net>

Thu, 11 Jun 2026 08:23:26 +0000 (10:23 +0200)

committer Victor Julien <vjulien@oisf.net>

Wed, 24 Jun 2026 20:14:25 +0000 (20:14 +0000)
author Philippe Antoine <pantoine@oisf.net>
Thu, 11 Jun 2026 08:23:26 +0000 (10:23 +0200)
committer Victor Julien <vjulien@oisf.net>
Wed, 24 Jun 2026 20:14:25 +0000 (20:14 +0000)
diff --git a/tests/bug-8278-krb5-03/test.rules b/tests/bug-8278-krb5-03/test.rules

index 214f106ee24be9d44c22bad604ba92e8ae100f00..55f36f26eea9ad27d268a47ae2b8f2b3786a93d8 100644 (file)
--- a/tests/bug-8278-krb5-03/test.rules
+++ b/tests/bug-8278-krb5-03/test.rules
@@ -1,2 +1,5 @@
  alert krb5 any any -> any any (msg:"KRB5 TGS-REQ"; flow:to_server,established; krb5_msg_type:12; sid:1;)
  alert krb5 any any -> any any (msg:"KRB5 AS-REQ"; flow:to_server,established; krb5_msg_type:10; sid:2;)
+
+alert krb5 any any -> any any (msg:"KRB5 error"; krb5_err_code:!0; requires: version >= 9; sid:3;)
+alert krb5 any any -> any any (msg:"KRB5 error"; krb5_err_code:25; sid:4;)
diff --git a/tests/bug-8278-krb5-03/test.yaml b/tests/bug-8278-krb5-03/test.yaml

index 35ece0bce93af779f43451a9329949f5c92c9b84..bc8c80321d92331ca8893dcc29746d7bd0d8198e 100644 (file)
--- a/tests/bug-8278-krb5-03/test.yaml
+++ b/tests/bug-8278-krb5-03/test.yaml
@@ -69,3 +69,15 @@ checks:
          krb5.encryption: "<none>"
          krb5.weak_encryption: false
  
+  - filter:
+      requires:
+        min-version: 9
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
author	Philippe Antoine <pantoine@oisf.net>
	Thu, 11 Jun 2026 08:23:26 +0000 (10:23 +0200)
committer	Victor Julien <vjulien@oisf.net>
	Wed, 24 Jun 2026 20:14:25 +0000 (20:14 +0000)
tests/bug-8278-krb5-03/test.rules		patch \| blob \| blame \| history
tests/bug-8278-krb5-03/test.yaml		patch \| blob \| blame \| history