base/protocols/krb/main.bro

KRB

Implements base functionality for KRB analysis. Generates the kerberos.log file.

Namespace: KRB
Imports: base/protocols/krb/consts.bro
Source File: /scripts/base/protocols/krb/main.bro

Summary

Runtime Options

KRB::ignored_errors: set &redef The server response error texts which are not logged.

Types

KRB::Info: record

Events

KRB::log_krb: event Event that can be handled to access the KRB record as it is sent on to the logging framework.

Detailed Interface

Runtime Options

KRB::ignored_errors
Type: set[string]
Attributes: &redef
Default:
{
   "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
   "NEEDED_PREAUTH"
}

The server response error texts which are not logged.

Types

KRB::Info
Type: record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

request_type: string &log &optional

Request type - Authentication Service (“AS”) or Ticket Granting Service (“TGS”)

client: string &log &optional

Client

service: string &log &optional

Service

success: bool &log &optional

Request result

error_code: count &optional

Error code

error_msg: string &log &optional

Error message

from: time &log &optional

Ticket valid from

till: time &log &optional

Ticket valid till

cipher: string &log &optional

Ticket encryption type

forwardable: bool &log &optional

Forwardable ticket requested

renewable: bool &log &optional

Renewable ticket requested

logged: bool &default = F &optional

We’ve already logged this

client_cert: Files::Info &optional

(present if base/protocols/krb/files.bro is loaded)

Client certificate

client_cert_subject: string &log &optional

(present if base/protocols/krb/files.bro is loaded)

Subject of client certificate, if any

client_cert_fuid: string &log &optional

(present if base/protocols/krb/files.bro is loaded)

File unique ID of client cert, if any

server_cert: Files::Info &optional

(present if base/protocols/krb/files.bro is loaded)

Server certificate

server_cert_subject: string &log &optional

(present if base/protocols/krb/files.bro is loaded)

Subject of server certificate, if any

server_cert_fuid: string &log &optional

(present if base/protocols/krb/files.bro is loaded)

File unique ID of server cert, if any

auth_ticket: string &log &optional

(present if policy/protocols/krb/ticket-logging.bro is loaded)

Hash of ticket used to authorize request/transaction

new_ticket: string &log &optional

(present if policy/protocols/krb/ticket-logging.bro is loaded)

Hash of ticket returned by the KDC

Events

KRB::log_krb
Type: event (rec: KRB::Info)

Event that can be handled to access the KRB record as it is sent on to the logging framework.
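The following script is an added example of using the two interfaces documented on this page, the &redef-able KRB::ignored_errors set and the KRB::log_krb event; it is written for this page and is not part of the Bro distribution. It counts failed Kerberos requests per client address as each KRB::Info record reaches the logging framework and raises a notice once a threshold is crossed. The module name KRB_Watch, the notice type Repeated_Failures, the threshold value, the expiry interval and the extra ignored error string are assumptions chosen for the example.

```bro
@load base/frameworks/notice
@load base/protocols/krb

# Hypothetical module name used only for this example.
module KRB_Watch;

export {
    redef enum Notice::Type += {
        ## One client address produced an unusual number of failed
        ## Kerberos requests within the expiry window.
        Repeated_Failures,
    };

    ## Failed requests from one client address before a notice is raised.
    ## Hypothetical value picked for the example; tune it for your site.
    const failure_threshold = 10 &redef;
}

# Extend the documented default set with one more benign server error text.
# The string below is a constructed placeholder, not a real Kerberos error.
redef KRB::ignored_errors += { "EXAMPLE_BENIGN_ERROR" };

# Per-client failure counter; an entry is dropped ten minutes after its last write.
global failures: table[addr] of count &default=0 &write_expire=10min;

event KRB::log_krb(rec: KRB::Info)
    {
    # success is &optional: skip records without a result, and skip successes.
    if ( ! rec?$success || rec$success )
        return;

    local orig = rec$id$orig_h;
    ++failures[orig];

    # Fire exactly once per window, when the counter reaches the threshold.
    if ( failures[orig] == failure_threshold )
        {
        local rtype = rec?$request_type ? rec$request_type : "unknown";
        local msg = fmt("%d failed Kerberos %s requests from %s",
                        failures[orig], rtype, orig);
        # error_msg is &optional as well; use the last one seen as the sub-message.
        local sub = rec?$error_msg ? rec$error_msg : "";

        NOTICE([$note=Repeated_Failures,
                $msg=msg,
                $sub=sub,
                $id=rec$id,
                $uid=rec$uid,
                $identifier=cat(orig)]);
        }
    }
```

Because the handler runs on the record that KRB hands to the logging framework, it sees exactly the fields listed under KRB::Info above, including fields only present when the optional files.bro or ticket-logging.bro scripts are loaded; the `?$` checks are what make the handler safe when an &optional field was never set.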

Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.