base/protocols/krb/main.zeek
- KRB
Implements base functionality for KRB analysis. Generates the kerberos.log file.
- Namespace: KRB
- Imports: base/protocols/conn/removal-hooks.zeek, base/protocols/krb/consts.zeek
Summary
Runtime Options
- KRB::ignored_errors: The server response error texts which are not logged.
Types
- KRB::Info
Redefinitions
Events
- KRB::log_krb: Event that can be handled to access the KRB record as it is sent on to the logging framework.
Hooks
- KRB::finalize_krb: Kerberos finalization hook.
Detailed Interface
Runtime Options
- KRB::ignored_errors
- Type: set[string]
- Attributes: &redef
- Default: { "NEEDED_PREAUTH", "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ" }
The server response error texts which are not logged.
Types
- KRB::Info
- Type: record
  - ts: time &log
    Timestamp for when the event happened.
  - uid: string &log
    Unique ID for the connection.
  - id: conn_id &log
    The connection’s 4-tuple of endpoint addresses/ports.
  - request_type: string &log &optional
    Request type - Authentication Service (“AS”) or Ticket Granting Service (“TGS”)
  - client: string &log &optional
    Client
  - service: string &log &optional
    Service
  - success: bool &log &optional
    Request result
  - error_code: count &optional
    Error code
  - error_msg: string &log &optional
    Error message
  - from: time &log &optional
    Ticket valid from
  - till: time &log &optional
    Ticket valid till
  - cipher: string &log &optional
    Ticket encryption type
  - forwardable: bool &log &optional
    Forwardable ticket requested
  - renewable: bool &log &optional
    Renewable ticket requested
  - logged: bool &default = F &optional
    We’ve already logged this
  - client_cert: Files::Info &optional
    (present if base/protocols/krb/files.zeek is loaded)
    Client certificate
  - client_cert_subject: string &log &optional
    (present if base/protocols/krb/files.zeek is loaded)
    Subject of client certificate, if any
  - client_cert_fuid: string &log &optional
    (present if base/protocols/krb/files.zeek is loaded)
    File unique ID of client cert, if any
  - server_cert: Files::Info &optional
    (present if base/protocols/krb/files.zeek is loaded)
    Server certificate
  - server_cert_subject: string &log &optional
    (present if base/protocols/krb/files.zeek is loaded)
    Subject of server certificate, if any
  - server_cert_fuid: string &log &optional
    (present if base/protocols/krb/files.zeek is loaded)
    File unique ID of server cert, if any
  - auth_ticket: string &log &optional
    (present if policy/protocols/krb/ticket-logging.zeek is loaded)
    Hash of ticket used to authorize request/transaction
  - new_ticket: string &log &optional
    (present if policy/protocols/krb/ticket-logging.zeek is loaded)
    Hash of ticket returned by the KDC
Events
- KRB::log_krb
Event that can be handled to access the KRB record as it is sent on to the logging framework.
Hooks
- KRB::finalize_krb
- Type: Conn::RemovalHook
Kerberos finalization hook. Remaining Kerberos info may get logged when it’s called.
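The following is an added example and not part of Zeek's base/protocols/krb scripts: it shows how a handler for KRB::log_krb can consume each KRB::Info record before it reaches kerberos.log, here to count failed Authentication Service ("AS") requests per client address and raise a notice once a threshold is crossed. The module name KRB_Failures, the notice type Excessive_AS_Failures, and the threshold and window values are assumptions chosen for the illustration.

```zeek
# Added example, not part of Zeek's base/protocols/krb scripts.
# Counts failed Kerberos AS requests per client address via the
# KRB::log_krb event and raises a notice once a threshold is crossed.
# Module name, notice type, threshold and window are assumptions.
@load base/protocols/krb
@load base/frameworks/notice

module KRB_Failures;

export {
    redef enum Notice::Type += {
        ## Many failed AS requests from one client within the window.
        Excessive_AS_Failures,
    };

    ## Assumed threshold and window; tune them for the monitored realm.
    const threshold = 20 &redef;
    const window = 5min &redef;
}

# Per-client failure counter; an entry is dropped `window` after creation.
global failures: table[addr] of count &default=0 &create_expire=window;

# KRB::log_krb fires for every KRB::Info record handed to the logging
# framework. Responses whose error text is in KRB::ignored_errors (by
# default the NEEDED_PREAUTH pre-authentication hint) are never logged,
# so they do not reach this handler and are not counted here.
event KRB::log_krb(rec: KRB::Info)
{
    # Only authentication-service requests that did not succeed.
    if ( ! rec?$request_type || rec$request_type != "AS" )
        return;
    if ( rec?$success && rec$success )
        return;
    if ( ! rec?$error_msg )
        return;

    local client = rec$id$orig_h;
    failures[client] += 1;

    # Fire exactly once per client when the threshold is reached; the
    # suppression keeps repeated hits from re-raising it within the window.
    if ( failures[client] == threshold )
        NOTICE([$note=Excessive_AS_Failures,
                $msg=fmt("%d failed Kerberos AS requests from %s within %s (last error: %s)",
                         threshold, client, window, rec$error_msg),
                $src=client,
                $identifier=cat(client),
                $suppress_for=window]);
}
```

Because KRB::ignored_errors suppresses logging for the listed error texts, any text added to that set disappears from both kerberos.log and handlers of KRB::log_krb; keep that in mind before extending the set, since a quiet failure class is also an unmonitored one.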