base/protocols/krb/main.zeek

KRB

Implements base functionality for KRB analysis. Generates the kerberos.log file.

Namespace: KRB
Imports: base/protocols/krb/consts.zeek
Summary

Runtime Options

- KRB::ignored_errors : set &redef
  The server response error texts which are not logged.

Redefinitions

- Log::ID : enum
- connection : record
- likely_server_ports : set &redef

Events

- KRB::log_krb : event
  Event that can be handled to access the KRB record as it is sent on to the logging framework.
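As an added example, not part of the Zeek distribution, the following script handles KRB::log_krb and raises a Notice once a single source host accumulates many failed AS requests in kerberos.log. The module name, notice type, threshold and window are assumptions chosen for illustration; the request_type, success, error_msg and id fields are those of KRB::Info documented on this page.

```zeek
@load base/frameworks/notice
@load base/protocols/krb

module KRB_AS_Failures;   # hypothetical module name for this example

export {
	redef enum Notice::Type += {
		## One source host accumulated many failed Kerberos AS requests.
		Excessive_AS_Failures,
	};

	## Failed AS requests from one host that trigger the notice (illustrative value).
	const failure_threshold = 20 &redef;

	## Window within which failures are counted (illustrative value).
	const failure_window = 5 min &redef;
}

# Per-source-host failure counter; entries are discarded failure_window after creation.
global as_failures: table[addr] of count &create_expire=failure_window;

# Hosts already reported, so the notice fires at most once per window.
global reported: set[addr] &create_expire=failure_window;

# KRB::log_krb is raised for every KRB::Info record handed to kerberos.log,
# so the fields inspected here are exactly what ends up in the log.
event KRB::log_krb(rec: KRB::Info)
	{
	# Only AS (Authentication Service) requests with an explicit failure matter.
	if ( ! rec?$request_type || rec$request_type != "AS" )
		return;
	if ( ! rec?$success || rec$success )
		return;

	local h = rec$id$orig_h;
	if ( h !in as_failures )
		as_failures[h] = 0;
	++as_failures[h];

	if ( as_failures[h] < failure_threshold || h in reported )
		return;

	add reported[h];
	NOTICE([$note=Excessive_AS_Failures,
	        $msg=fmt("%d failed Kerberos AS requests from %s within %s",
	                 as_failures[h], h, failure_window),
	        $sub=rec?$error_msg ? rec$error_msg : "",
	        $src=h,
	        $identifier=cat(h)]);
	}
```

Because the handler runs on the record as it is logged, entries suppressed via KRB::ignored_errors never reach it and are not counted.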
Detailed Interface

Runtime Options

Types
KRB::Info

Type: record

- ts: time &log
  Timestamp for when the event happened.
- uid: string &log
  Unique ID for the connection.
- id: conn_id &log
  The connection's 4-tuple of endpoint addresses/ports.
- request_type: string &log &optional
  Request type - Authentication Service ("AS") or Ticket Granting Service ("TGS")
- client: string &log &optional
  Client
- service: string &log &optional
  Service
- success: bool &log &optional
  Request result
- error_code: count &optional
  Error code
- error_msg: string &log &optional
  Error message
- from: time &log &optional
  Ticket valid from
- till: time &log &optional
  Ticket valid till
- cipher: string &log &optional
  Ticket encryption type
- forwardable: bool &log &optional
  Forwardable ticket requested
- renewable: bool &log &optional
  Renewable ticket requested
- logged: bool &default=F &optional
  We've already logged this
- client_cert: Files::Info &optional
  (present if base/protocols/krb/files.zeek is loaded)
  Client certificate
- client_cert_subject: string &log &optional
  (present if base/protocols/krb/files.zeek is loaded)
  Subject of client certificate, if any
- client_cert_fuid: string &log &optional
  (present if base/protocols/krb/files.zeek is loaded)
  File unique ID of client cert, if any
- server_cert: Files::Info &optional
  (present if base/protocols/krb/files.zeek is loaded)
  Server certificate
- server_cert_subject: string &log &optional
  (present if base/protocols/krb/files.zeek is loaded)
  Subject of server certificate, if any
- server_cert_fuid: string &log &optional
  (present if base/protocols/krb/files.zeek is loaded)
  File unique ID of server cert, if any
- auth_ticket: string &log &optional
  (present if policy/protocols/krb/ticket-logging.zeek is loaded)
  Hash of ticket used to authorize request/transaction
- new_ticket: string &log &optional
  (present if policy/protocols/krb/ticket-logging.zeek is loaded)
  Hash of ticket returned by the KDC
- ts: