suricata icon indicating copy to clipboard operation
suricata copied to clipboard

Published 20 hours ago verified publisher icon OISF

fix krb5_msg_type: Unable to detect AS-REQ, TGS-REQ and KRB-ERROR v4

Open zer1t0 opened this issue 2 years ago • 2 comments

Make sure these boxes are signed before submitting your Pull Request -- thank you.

  • [x] I have read the contributing guide lines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
  • [x] I have signed the Open Information Security Foundation contribution agreement at https://suricata-ids.org/about/contribution-agreement/

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/4529

Previous PR: https://github.com/OISF/suricata/pull/6508 Related SV test: https://github.com/OISF/suricata-verify/pull/572

The problem is that the krb5_msg_type doesn't trigger properly for:

  • AS-REQ (krb5_msg_type: 10): This rule matches the KRB-ERROR message that follows an AS-REQ, which is not the expected behaviour.
  • TGS-REQ (krb5_msg_type: 12): Same behaviour as AS-REQ.
  • KRB-ERROR (krb5_msg_type: 30) It's not triggered at all.

To solve the problem the following actions were taken in KRB5State.parse:

  • Add transaction when parsing AS-REQ message
  • Add transaction when parsing TGS-REQ message
  • Change the message type of KRB-ERROR to MessageType::KRB_ERROR

suricata-verify-pr: 572

zer1t0 avatar Apr 28 '22 10:04 zer1t0

Codecov Report

Merging #7335 (07e36c0) into master (2ebb525) will decrease coverage by 1.90%. The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #7335      +/-   ##
==========================================
- Coverage   77.68%   75.78%   -1.91%     
==========================================
  Files         628      656      +28     
  Lines      185657   190067    +4410     
==========================================
- Hits       144232   144033     -199     
- Misses      41425    46034    +4609
Flag Coverage Δ
fuzzcorpus 60.27% <ø> (+2.21%) :arrow_up:
suricata-verify 51.62% <ø> (-2.84%) :arrow_down:
unittests 61.01% <ø> (-2.02%) :arrow_down:

Flags with carried forward coverage won't be shown. Click here to find out more.

codecov[bot] avatar Apr 28 '22 11:04 codecov[bot]

What were the changes from previous PR ?

catenacyber avatar Jul 08 '22 13:07 catenacyber

Hi @zer1t0, thanks for your work so far in this issue! I saw that you didn't answer catenacyber's question. Are you still able/willing to work on this? From what I followed so far, it's near completion, right?

jufajardini avatar Oct 28 '22 14:10 jufajardini

Closing due to inactivity. If you're interested in picking this back up, please open a new PR addressing the comments. Thanks!

victorjulien avatar May 05 '23 08:05 victorjulien

Rebased in https://github.com/OISF/suricata/pull/8819

catenacyber avatar May 05 '23 16:05 catenacyber