[Oisf-devel] Question about krb5 parser
jason taylor
jtfas90 at gmail.com
Fri Jun 29 13:24:10 UTC 2018
Hi All,
I am testing out the krb5 parser and I am seeing what appear to be
inconsistent results.
One pcap (krb5.good.pcap) parses out the tgs response in the json log.
The second pcap (krb5.bad.pcap) doesn't parse out the tgs response in
the json log.
After poking at this for a little bit, I can't tell if this is something
on my end with testing or something with the parser; any help or
pointers appreciated.
Attached are the logs from the suricata runs, build info and pcaps.
I am using the latest (as of today) master branch build (additional
info in attached).
JT
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5.sample.zip
Type: application/zip
Size: 15022 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20180629/5a6a94ba/attachment-0001.zip>
-------------- next part --------------
This is Suricata version 4.1.0-dev (rev 9f59098d)
Features: DEBUG NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 7.3.1 20180303 (Red Hat 7.3.1-5), C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.26, linked against LibHTP v0.5.26
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support:
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
liblzma support: yes
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
Hyperscan support: yes
Libnet support: yes
liblz4 support: no
Rust support (experimental): yes
Rust strict mode: no
Rust debug mode: yes
Suricatasc install: yes
Profiling enabled: no
Profiling locks enabled: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: yes
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr/local
Configuration directory: /usr/local/etc/suricata/
Log directory: /usr/local/var/log/suricata/
--prefix /usr/local
--sysconfdir /usr/local/etc
--localstatedir /usr/local/var
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -march=native -I${srcdir}/../rust/gen/c-headers
PCAP_CFLAGS
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-------------- next part --------------
eve log configuration snippet:
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: alert.json
      types:
        - alert
        - http # enable dumping of http fields
        - tls # enable dumping of tls fields
        # - flow
        - smb
        - krb5
        - dhcp
bad pcap json output:
{"timestamp":"2018-06-27T13:13:30.985950-0400","flow_id":1126276886349493,"pcap_cnt":20,"event_type":"krb5","src_ip":"192.168.51.206","src_port":55284,"dest_ip":"192.169.160.131","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_ERROR","failed_request":"KRB_AS_REQ","error_code":"KDC_ERR_PREAUTH_REQUIRED","cname":"<empty>","realm":"<empty>","sname":"krbtgt\/dom.test.lo.com","encryption":"<none>","weak_encryption":false}}
{"timestamp":"2018-06-27T13:13:31.007010-0400","flow_id":1944747329068283,"pcap_cnt":33,"event_type":"krb5","src_ip":"192.168.51.206","src_port":55286,"dest_ip":"192.169.160.131","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_AS_REP","cname":"user01","realm":"dom.test.lo.com","sname":"krbtgt\/dom.test.lo.com","encryption":"rc4-hmac","weak_encryption":true}}
good pcap json output:
{"timestamp":"2018-06-27T12:21:59.941117-0400","flow_id":90858852928409,"pcap_cnt":55,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56850,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_TGS_REP","cname":"jason","realm":"LOWHANGINGFRUIT.COM","sname":"http\/lowhangingfruit.com","encryption":"rc4-hmac","weak_encryption":true}}
{"timestamp":"2018-06-27T12:21:59.924705-0400","flow_id":1648394383071138,"pcap_cnt":37,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56846,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_ERROR","failed_request":"KRB_AS_REQ","error_code":"KDC_ERR_PREAUTH_REQUIRED","cname":"<empty>","realm":"<empty>","sname":"krbtgt\/LOWHANGINGFRUIT.COM","encryption":"<none>","weak_encryption":false}}
{"timestamp":"2018-06-27T12:21:59.929675-0400","flow_id":1652483191941483,"pcap_cnt":46,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56848,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_AS_REP","cname":"jason","realm":"LOWHANGINGFRUIT.COM","sname":"krbtgt\/LOWHANGINGFRUIT.COM","encryption":"rc4-hmac","weak_encryption":true}}
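As an added example that is not part of the original post or of Suricata's own code, here is a small Python triage script for eve krb5 records of the shape quoted above. It reads the JSON lines, counts msg_type per KDC (dest_ip:dest_port), lists the KDCs that logged a KRB_AS_REP but no KRB_TGS_REP (the asymmetry between the two captures), and lists every reply the parser flagged with weak_encryption. The embedded sample is constructed from the five records quoted above so the script runs offline; the function names are my own and assume only the field names visible in those records.

```python
import json
from collections import Counter, defaultdict

# Constructed sample input: the five eve krb5 records quoted in the post
# (the "bad" run first, then the "good" run), one JSON object per line.
# A blank line and a non-JSON line are added to show that they are skipped.
SAMPLE_EVE = r"""
{"timestamp":"2018-06-27T13:13:30.985950-0400","flow_id":1126276886349493,"pcap_cnt":20,"event_type":"krb5","src_ip":"192.168.51.206","src_port":55284,"dest_ip":"192.169.160.131","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_ERROR","failed_request":"KRB_AS_REQ","error_code":"KDC_ERR_PREAUTH_REQUIRED","cname":"<empty>","realm":"<empty>","sname":"krbtgt\/dom.test.lo.com","encryption":"<none>","weak_encryption":false}}
{"timestamp":"2018-06-27T13:13:31.007010-0400","flow_id":1944747329068283,"pcap_cnt":33,"event_type":"krb5","src_ip":"192.168.51.206","src_port":55286,"dest_ip":"192.169.160.131","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_AS_REP","cname":"user01","realm":"dom.test.lo.com","sname":"krbtgt\/dom.test.lo.com","encryption":"rc4-hmac","weak_encryption":true}}
not a json line
{"timestamp":"2018-06-27T12:21:59.941117-0400","flow_id":90858852928409,"pcap_cnt":55,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56850,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_TGS_REP","cname":"jason","realm":"LOWHANGINGFRUIT.COM","sname":"http\/lowhangingfruit.com","encryption":"rc4-hmac","weak_encryption":true}}
{"timestamp":"2018-06-27T12:21:59.924705-0400","flow_id":1648394383071138,"pcap_cnt":37,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56846,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_ERROR","failed_request":"KRB_AS_REQ","error_code":"KDC_ERR_PREAUTH_REQUIRED","cname":"<empty>","realm":"<empty>","sname":"krbtgt\/LOWHANGINGFRUIT.COM","encryption":"<none>","weak_encryption":false}}
{"timestamp":"2018-06-27T12:21:59.929675-0400","flow_id":1652483191941483,"pcap_cnt":46,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56848,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_AS_REP","cname":"jason","realm":"LOWHANGINGFRUIT.COM","sname":"krbtgt\/LOWHANGINGFRUIT.COM","encryption":"rc4-hmac","weak_encryption":true}}
"""


def read_krb5_events(text):
    """Parse eve JSON lines and keep only event_type == "krb5".
    Blank lines and lines that are not JSON are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "krb5":
            events.append(rec)
    return events


def msg_types_per_kdc(events):
    """Count krb5 msg_type values per KDC, keyed as "dest_ip:dest_port"."""
    counts = defaultdict(Counter)
    for ev in events:
        kdc = f'{ev["dest_ip"]}:{ev["dest_port"]}'
        counts[kdc][ev["krb5"]["msg_type"]] += 1
    return counts


def kdcs_missing_tgs_rep(counts):
    """KDCs with at least one KRB_AS_REP logged but no KRB_TGS_REP at all.
    This reproduces the asymmetry the post reports between the two pcaps;
    it says only that no TGS_REP was logged, not why."""
    return sorted(kdc for kdc, c in counts.items()
                  if c["KRB_AS_REP"] > 0 and c["KRB_TGS_REP"] == 0)


def weak_encryption_replies(events):
    """(cname, realm, sname, encryption) for each reply flagged weak_encryption."""
    return [(ev["krb5"]["cname"], ev["krb5"]["realm"],
             ev["krb5"]["sname"], ev["krb5"]["encryption"])
            for ev in events if ev["krb5"].get("weak_encryption")]


if __name__ == "__main__":
    evs = read_krb5_events(SAMPLE_EVE)
    counts = msg_types_per_kdc(evs)
    for kdc, c in sorted(counts.items()):
        print(kdc, dict(c))
    print("AS_REP without TGS_REP:", kdcs_missing_tgs_rep(counts))
    for row in weak_encryption_replies(evs):
        print("weak encryption:", row)
```

To run it against a real eve log, read the file and pass its contents to read_krb5_events instead of SAMPLE_EVE. The weak_encryption list is just the parser's own flag surfaced per principal; in the records above it fires on every rc4-hmac reply in both captures.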