Log Kerberos 5 errors

7 years ago · 52f5c7914f
parent 1e5f5d405f
commit 52f5c7914f
2 changed files with 22 additions and 3 deletions
--- a/rust/src/krb/krb5.rs
+++ b/rust/src/krb/krb5.rs
@ -61,6 +61,9 @@ pub struct KRB5Transaction {
    /// Encryption used (only in AS-REP and TGS-REP)
    pub etype: Option<EncryptionType>,

+    /// Error code, if request has failed
+    pub error_code: Option<i32>,
+
    /// The internal transaction id
    id: u64,

@ -140,6 +143,16 @@ impl KRB5State {
                        self.req_id = 0;
                    },
                    30 => {
+                        let res = krb5_parser::parse_krb_error(i);
+                        res.map(|error| {
+                            let mut tx = self.new_tx();
+                            tx.msg_type = MessageType(self.req_id as u32);
+                            tx.cname = error.cname;
+                            tx.realm = error.crealm;
+                            tx.sname = Some(error.sname);
+                            tx.error_code = Some(error.error_code);
+                            self.transactions.push(tx);
+                        });
                        self.req_id = 0;
                    },
                    _ => { SCLogDebug!("unknown/unsupported tag {}", hdr.tag); },
@ -214,6 +227,7 @@ impl KRB5Transaction {
            realm: None,
            sname: None,
            etype: None,
+            error_code: None,
            id: id,
            de_state: None,
            events: std::ptr::null_mut(),
--- a/rust/src/krb/log.rs
+++ b/rust/src/krb/log.rs
@ -24,8 +24,14 @@ use krb::krb5::{KRB5State,KRB5Transaction};
 pub extern "C" fn rs_krb5_log_json_response(_state: &mut KRB5State, tx: &mut KRB5Transaction) -> *mut JsonT
 {
    let js = Json::object();
-    js.set_string("msg_type", &format!("{:?}", tx.msg_type));
-    // XXX PrincipalName object should be pretty-printed
+    match tx.error_code {
+        Some(c) => {
+            js.set_string("msg_type", "KRB_ERROR");
+            js.set_string("failed_request", &format!("{:?}", tx.msg_type));
+            js.set_string("error_code", &format!("{}", c));
+        },
+        None    => { js.set_string("msg_type", &format!("{:?}", tx.msg_type)); },
+    }
    let cname = match tx.cname {
        Some(ref x) => format!("{}", x),
        None        => "<empty>".to_owned(),
@ -34,7 +40,6 @@ pub extern "C" fn rs_krb5_log_json_response(_state: &mut KRB5State, tx: &mut KRB
        Some(ref x) => format!("{}", x.0),
        None        => "<empty>".to_owned(),
    };
-    // XXX PrincipalName object should be pretty-printed
    let sname = match tx.sname {
        Some(ref x) => format!("{}", x),
        None        => "<empty>".to_owned(),