From: Philippe Antoine
Date: Thu, 11 Jun 2026 08:23:26 +0000 (+0200)
Subject: detect/krb: adds check for krb_err_code keyword
X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fsuricata-verify.git
detect/krb: adds check for krb_err_code keyword
Ticket: 8648
---
diff --git a/tests/bug-8278-krb5-03/test.rules b/tests/bug-8278-krb5-03/test.rules
index 214f106ee..55f36f26e 100644
--- a/tests/bug-8278-krb5-03/test.rules
+++ b/tests/bug-8278-krb5-03/test.rules
@@ -1,2 +1,5 @@
 alert krb5 any any -> any any (msg:"KRB5 TGS-REQ"; flow:to_server,established; krb5_msg_type:12; sid:1;)
 alert krb5 any any -> any any (msg:"KRB5 AS-REQ"; flow:to_server,established; krb5_msg_type:10; sid:2;)
+
+alert krb5 any any -> any any (msg:"KRB5 error"; krb5_err_code:!0; requires: version >= 9; sid:3;)
+alert krb5 any any -> any any (msg:"KRB5 error"; krb5_err_code:25; sid:4;)
diff --git a/tests/bug-8278-krb5-03/test.yaml b/tests/bug-8278-krb5-03/test.yaml
index 35ece0bce..bc8c80321 100644
--- a/tests/bug-8278-krb5-03/test.yaml
+++ b/tests/bug-8278-krb5-03/test.yaml
@@ -69,3 +69,15 @@ checks:
 krb5.encryption: ""
 krb5.weak_encryption: false
+ - filter:
+ requires:
+ min-version: 9
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
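Review bot: The two added rules, sid:3 and sid:4, carry the same `msg:"KRB5 error"`, so in the eve output their alerts can only be told apart by signature id. A distinct message per rule would make a failing check easier to read, e.g. `msg:"KRB5 error code non-zero";` for sid:3 and `msg:"KRB5 error code 25";` for sid:4 (25 is KDC_ERR_PREAUTH_REQUIRED in RFC 4120). Only sid:3 is gated with `requires: version >= 9`, which suggests that the negated form `!0` is what needs the newer engine while the plain `krb5_err_code:25` match does not. A one-line `#` comment above the two rules stating that would save the next reader from guessing.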
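Review bot: The two added filters assert only the alert totals for signature ids 3 and 4, so the test would still pass if those alerts fired on different messages than intended, as long as the counts stay at 2 and 1. Adding a `pcap_cnt:` entry under each `match:` would tie the alert to the packet that is expected to carry the KRB-ERROR; the packet numbers are not visible here and have to be read from the test pcap. The `min-version: 9` gate on the first filter mirrors the `requires: version >= 9` on sid:3, while the sid 4 filter is ungated like its rule, so it is worth confirming that `krb5_err_code:25` loads on every version this test runs against. The `checks:` list begins outside this hunk.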