Coverage Report

Created: 2026-01-16 07:00

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/suricata7/src/detect-krb5-ticket-encryption.c
Line
Count
Source
1
/* Copyright (C) 2022 Open Information Security Foundation
2
 *
3
 * You can copy, redistribute or modify this Program under the terms of
4
 * the GNU General Public License version 2 as published by the Free
5
 * Software Foundation.
6
 *
7
 * This program is distributed in the hope that it will be useful,
8
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10
 * GNU General Public License for more details.
11
 *
12
 * You should have received a copy of the GNU General Public License
13
 * version 2 along with this program; if not, write to the Free Software
14
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
 * 02110-1301, USA.
16
 */
17
18
#include "suricata-common.h"
19
#include "rust.h"
20
21
#include "detect-krb5-ticket-encryption.h"
22
23
#include "detect-engine.h"
24
#include "detect-parse.h"
25
26
static int g_krb5_ticket_encryption_list_id = 0;
27
28
static void DetectKrb5TicketEncryptionFree(DetectEngineCtx *de_ctx, void *ptr)
29
6.32k
{
30
6.32k
    rs_krb5_detect_encryption_free(ptr);
31
6.32k
}
32
33
static int DetectKrb5TicketEncryptionMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags,
34
        void *state, void *txv, const Signature *s, const SigMatchCtx *ctx)
35
4
{
36
4
    const DetectKrb5TicketEncryptionData *dd = (const DetectKrb5TicketEncryptionData *)ctx;
37
38
4
    SCEnter();
39
40
4
    SCReturnInt(rs_krb5_detect_encryption_match(txv, dd));
41
4
}
42
43
static int DetectKrb5TicketEncryptionSetup(
44
        DetectEngineCtx *de_ctx, Signature *s, const char *krb5str)
45
2.33k
{
46
2.33k
    DetectKrb5TicketEncryptionData *krb5d = NULL;
47
2.33k
    SigMatch *sm = NULL;
48
49
2.33k
    if (DetectSignatureSetAppProto(s, ALPROTO_KRB5) != 0)
50
4
        return -1;
51
52
2.33k
    krb5d = rs_krb5_detect_encryption_parse(krb5str);
53
2.33k
    if (krb5d == NULL)
54
1.07k
        goto error;
55
56
1.25k
    sm = SigMatchAlloc();
57
1.25k
    if (sm == NULL)
58
0
        goto error;
59
60
1.25k
    sm->type = DETECT_AL_KRB5_TICKET_ENCRYPTION;
61
1.25k
    sm->ctx = (void *)krb5d;
62
63
1.25k
    SigMatchAppendSMToList(s, sm, g_krb5_ticket_encryption_list_id);
64
65
1.25k
    return 0;
66
67
1.07k
error:
68
1.07k
    if (krb5d != NULL)
69
0
        DetectKrb5TicketEncryptionFree(de_ctx, krb5d);
70
1.07k
    if (sm != NULL)
71
0
        SCFree(sm);
72
1.07k
    return -1;
73
1.25k
}
74
75
void DetectKrb5TicketEncryptionRegister(void)
76
73
{
77
73
    sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].name = "krb5.ticket_encryption";
78
73
    sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].desc = "match Kerberos 5 ticket encryption";
79
73
    sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].url =
80
73
            "/rules/kerberos-keywords.html#krb5-ticket-encryption";
81
73
    sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].Match = NULL;
82
73
    sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].AppLayerTxMatch =
83
73
            DetectKrb5TicketEncryptionMatch;
84
73
    sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].Setup = DetectKrb5TicketEncryptionSetup;
85
73
    sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].Free = DetectKrb5TicketEncryptionFree;
86
87
    // Tickets are only from server to client
88
73
    DetectAppLayerInspectEngineRegister2("krb5_ticket_encryption", ALPROTO_KRB5, SIG_FLAG_TOCLIENT,
89
73
            0, DetectEngineInspectGenericList, NULL);
90
91
73
    g_krb5_ticket_encryption_list_id = DetectBufferTypeRegister("krb5_ticket_encryption");
92
73
    SCLogDebug("g_krb5_ticket_encryption_list_id %d", g_krb5_ticket_encryption_list_id);
93
73
}