krb5: use req_type instead of msg_type to get request type

4 years ago · ed91d689f2
parent a9b7241417
commit ed91d689f2
2 changed files with 28 additions and 2 deletions
--- a/rust/src/krb/krb5.rs
+++ b/rust/src/krb/krb5.rs
@ -82,6 +82,9 @@ pub struct KRB5Transaction {
    /// Error code, if request has failed
    pub error_code: Option<ErrorCode>,

+    /// Message type of request. For using in responses.
+    pub req_type: Option<MessageType>,
+
    /// The internal transaction id
    id: u64,

@ -149,6 +152,11 @@ impl KRB5State {
                        if let Ok((_,kdc_rep)) = res {
                            let mut tx = self.new_tx(direction);
                            tx.msg_type = MessageType::KRB_AS_REP;
+                            if self.req_id > 0 {
+                                // set request type only if previous message
+                                // was a request
+                                tx.req_type = Some(MessageType(self.req_id.into()));
+                            }
                            tx.cname = Some(kdc_rep.cname);
                            tx.realm = Some(kdc_rep.crealm);
                            tx.sname = Some(kdc_rep.ticket.sname);
@ -179,6 +187,11 @@ impl KRB5State {
                        if let Ok((_,kdc_rep)) = res {
                            let mut tx = self.new_tx(direction);
                            tx.msg_type = MessageType::KRB_TGS_REP;
+                            if self.req_id > 0 {
+                                // set request type only if previous message
+                                // was a request
+                                tx.req_type = Some(MessageType(self.req_id.into()));
+                            }
                            tx.cname = Some(kdc_rep.cname);
                            tx.realm = Some(kdc_rep.crealm);
                            tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype);
@ -201,6 +214,11 @@ impl KRB5State {
                        let res = krb5_parser::parse_krb_error(i);
                        if let Ok((_,error)) = res {
                            let mut tx = self.new_tx(direction);
+                            if self.req_id > 0 {
+                                // set request type only if previous message
+                                // was a request
+                                tx.req_type = Some(MessageType(self.req_id.into()));
+                            }
                            tx.msg_type = MessageType::KRB_ERROR;
                            tx.cname = error.cname;
                            tx.realm = error.crealm;
@ -268,6 +286,7 @@ impl KRB5Transaction {
            etype: None,
            ticket_etype: None,
            error_code: None,
+            req_type: None,
            id,
            tx_data: applayer::AppLayerTxData::for_direction(direction),
        };
--- a/rust/src/krb/log.rs
+++ b/rust/src/krb/log.rs
@ -24,8 +24,15 @@ fn krb5_log_response(jsb: &mut JsonBuilder, tx: &mut KRB5Transaction) -> Result<
 {
    match tx.error_code {
        Some(c) => {
-            jsb.set_string("msg_type", "KRB_ERROR")?;
-            jsb.set_string("failed_request", &format!("{:?}", tx.msg_type))?;
+            jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?;
+            if let Some(req_type) = tx.req_type {
+                jsb.set_string("failed_request", &format!("{:?}", req_type))?;
+            } else {
+                // In case we capture the response but not the request
+                // we can't know the failed request type, since it could be
+                // AS-REQ or TGS-REQ
+                jsb.set_string("failed_request", "UNKNOWN")?;
+            }
            jsb.set_string("error_code", &format!("{:?}", c))?;
        },
        None    => { jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?; },