diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs index 6e11b840b9..24cb8414f2 100644 --- a/rust/src/krb/krb5.rs +++ b/rust/src/krb/krb5.rs @@ -61,6 +61,9 @@ pub struct KRB5Transaction { /// Encryption used (only in AS-REP and TGS-REP) pub etype: Option, + /// Error code, if request has failed + pub error_code: Option, + /// The internal transaction id id: u64, @@ -140,6 +143,16 @@ impl KRB5State { self.req_id = 0; }, 30 => { + let res = krb5_parser::parse_krb_error(i); + res.map(|error| { + let mut tx = self.new_tx(); + tx.msg_type = MessageType(self.req_id as u32); + tx.cname = error.cname; + tx.realm = error.crealm; + tx.sname = Some(error.sname); + tx.error_code = Some(error.error_code); + self.transactions.push(tx); + }); self.req_id = 0; }, _ => { SCLogDebug!("unknown/unsupported tag {}", hdr.tag); }, @@ -214,6 +227,7 @@ impl KRB5Transaction { realm: None, sname: None, etype: None, + error_code: None, id: id, de_state: None, events: std::ptr::null_mut(), diff --git a/rust/src/krb/log.rs b/rust/src/krb/log.rs index 09462395c8..a0768884ba 100644 --- a/rust/src/krb/log.rs +++ b/rust/src/krb/log.rs @@ -24,8 +24,14 @@ use krb::krb5::{KRB5State,KRB5Transaction}; pub extern "C" fn rs_krb5_log_json_response(_state: &mut KRB5State, tx: &mut KRB5Transaction) -> *mut JsonT { let js = Json::object(); - js.set_string("msg_type", &format!("{:?}", tx.msg_type)); - // XXX PrincipalName object should be pretty-printed + match tx.error_code { + Some(c) => { + js.set_string("msg_type", "KRB_ERROR"); + js.set_string("failed_request", &format!("{:?}", tx.msg_type)); + js.set_string("error_code", &format!("{}", c)); + }, + None => { js.set_string("msg_type", &format!("{:?}", tx.msg_type)); }, + } let cname = match tx.cname { Some(ref x) => format!("{}", x), None => "".to_owned(), 
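Review bot: In rust/src/krb/krb5.rs, the new `30 =>` arm drops a KRB-ERROR that does not parse: `res.map(...)` is called only for its side effect and its result is discarded, so the non-success case creates no transaction and reports nothing before `self.req_id = 0`. For a parser fed straight from the wire, a malformed error reply is worth surfacing. An explicit `match` or `if let` on `res` with a fallback such as `SCLogDebug!("KRB-ERROR parsing failed");` would make that path visible; the return type of `parse_krb_error` is not shown here, so the exact pattern depends on it. The assignment also deserves a comment, for example `// msg_type holds the type of the request that failed, not KRB_ERROR`, because the logger relies on that convention. The enclosing function starts and ends outside the hunk.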
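Review bot: In rust/src/krb/log.rs, the `Some(c)` arm writes `failed_request` unconditionally, but for an error transaction `tx.msg_type` is built from `self.req_id`, which krb5.rs resets to 0 after each reply. An error seen with no tracked request (mid-stream pickup, unsolicited reply) would then be logged with a request type that was never observed, which can mislead anyone correlating failures with AS-REQ or TGS-REQ activity. Consider emitting the field only when a request was recorded, for example by wrapping that line in `if tx.msg_type.0 != 0 { ... }`, assuming the inner value of `MessageType` is accessible here. As a style point, `&format!("{}", c)` can be written `&c.to_string()`. The function body continues past the end of the hunk.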
@@ -34,7 +40,6 @@ pub extern "C" fn rs_krb5_log_json_response(_state: &mut KRB5State, tx: &mut KRB Some(ref x) => format!("{}", x.0), None => "".to_owned(), }; - // XXX PrincipalName object should be pretty-printed let sname = match tx.sname { Some(ref x) => format!("{}", x), None => "".to_owned(),