Add event rules for Kerberos 5

rules/Makefile.am

@@ -13,4 +13,5 @@ files.rules \
 dnp3-events.rules \
 ntp-events.rules \
 nfs-events.rules \
-ipsec-events.rules
+ipsec-events.rules \
+kerberos-events.rules

rules/kerberos-events.rules

@@ -0,0 +1,8 @@
+# Kerberos app layer event rules
+#
+# SID's fall in the 2226000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+#
+# These sigs fire at most once per connection.
+#
+alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 malformed request data"; flow:to_server; app-layer-event:krb5.malformed_data; classtype:protocol-command-decode; sid:2226000; rev:1;)
+alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak cryptographic parameters"; flow:to_client; app-layer-event:krb5.weak_crypto; classtype:protocol-command-decode; sid:2226001; rev:1;)

rust/src/krb/krb5.rs

@@ -377,6 +377,7 @@ pub extern "C" fn rs_krb5_state_get_event_info(event_name: *const libc::c_char,
         Ok(s) => {
             match s {
                 "malformed_data"     => KRB5Event::MalformedData as i32,
+                "weak_crypto"        => KRB5Event::WeakCrypto as i32,
                 _                    => -1, // unknown event
             }
         },

suricata.yaml.in

@@ -110,6 +110,7 @@ default-rule-path: @e_defaultruledir@
 # - dnp3-events.rules       # available in suricata sources under rules dir
 # - ntp-events.rules       # available in suricata sources under rules dir
 # - ipsec-events.rules       # available in suricata sources under rules dir
+# - kerberos-events.rules       # available in suricata sources under rules dir
 
 classification-file: @e_sysconfdir@classification.config
 reference-config-file: @e_sysconfdir@reference.config