Problem identifying originator in Kerberos connections

Hello all,

I have been working with Kerberos in bro for a bit, and a problem I am consistently having is that for some reason with Kerberos packets, Bro cannot correctly identify the correct originator IP address in kerberos.log. It appears that the response packets are having their orig_h and resp_h values (and corresponding ports) swapped, so all connections made in the transfer are incorrectly identified as having the same originating IP address.

Is this a known issue? Am I doing something wrong? Looking at the packets in Wireshark correctly identifies them.

Thanks,
Peter

Hi Peter,

This is not a known issue, so I’d like to figure out what you’re seeing and fix any problems. If you could share a few log lines exhibiting this behavior, that’d be very helpful (any IP addresses, usernames, etc. can be redacted or modified as long as the issue is still clear).

There are actually two Kerberos analyzers - one for TCP and one for UDP. TCP should be a bit more reliable, but for UDP who the originator is and who the responder is is simply an educated guess. The guess is mainly based off of the port numbers - if a packet is going to 88/udp, it’s assumed to be from the originator to the responder.

Both the request and response packets will be written out as a single log line, with the same originator and responder. This is consistent with other Bro logs - the originator and responder don’t refer to the packet, but to the transaction as a whole. Loosely speaking, the originator can be thought of as “the host that sent the request,” while the responder is “the host that replied to the request.”

–Vlad
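As an added illustration (my own code, not part of this thread or of Bro itself), here is the port-based direction guess Vlad describes for the UDP analyzer, next to the transaction-level grouping that puts request and reply on one record, run over a constructed AS-REQ/AS-REP exchange. The fallback for datagrams where neither port is 88/udp is my assumption, not something the reply states.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Tuple

KRB_PORT = 88  # 88/udp: the port hint the UDP analyzer uses to guess direction

class UdpPacket(NamedTuple):
    src_h: str
    src_p: int
    dst_h: str
    dst_p: int

@dataclass
class ConnRecord:          # one kerberos.log-style line: the whole transaction
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    packets: int = 0

def guess_direction(pkt: UdpPacket) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """(originator, responder) for one datagram via the port heuristic: sent
    to 88/udp is orig->resp, sent from 88/udp is the reply so endpoints flip.
    Neither port 88 (my assumption, not from the thread): sender is orig."""
    sender, receiver = (pkt.src_h, pkt.src_p), (pkt.dst_h, pkt.dst_p)
    if pkt.dst_p == KRB_PORT:
        return sender, receiver
    if pkt.src_p == KRB_PORT:
        return receiver, sender
    return sender, receiver

def per_packet_records(packets: List[UdpPacket]) -> List[ConnRecord]:
    # Naive view, one record per datagram with the sender as orig: this shows
    # the symptom from the question, the reply comes out with orig/resp swapped.
    return [ConnRecord(p.src_h, p.src_p, p.dst_h, p.dst_p, 1) for p in packets]

def transaction_records(packets: List[UdpPacket]) -> List[ConnRecord]:
    # Transaction view: request and reply fold into one record that keeps the
    # same orig/resp, which is what a kerberos.log line is expected to show.
    conns: Dict[tuple, ConnRecord] = {}
    for p in packets:
        orig, resp = guess_direction(p)
        rec = conns.setdefault((orig, resp), ConnRecord(*orig, *resp))
        rec.packets += 1
    return list(conns.values())

# Constructed sample exchange: AS-REQ from a client, AS-REP back from the KDC.
SAMPLE = [
    UdpPacket("10.0.0.5", 49152, "10.0.0.1", 88),
    UdpPacket("10.0.0.1", 88, "10.0.0.5", 49152),
]
```

Running `transaction_records(SAMPLE)` yields a single record with the client as originator and the KDC as responder, while `per_packet_records(SAMPLE)` yields two records with the reply's endpoints flipped.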