From 087d64ba0179c8cb6f32de0696c0dcdbf43fe4fb Mon Sep 17 00:00:00 2001
From: Korving-F
Date: Mon, 4 Mar 2024 21:44:00 +0200
Subject: [PATCH] Adds Kerberos related Filerules.

---
 .../KeepKerberosCredentialsByExtension.toml | 12 ++++++++++++
 .../NixKerberos/KeepKerberosCredentialsByName.toml | 11 +++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/NixKerberos/KeepKerberosCredentialsByExtension.toml
 create mode 100644 Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/NixKerberos/KeepKerberosCredentialsByName.toml

diff --git a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/NixKerberos/KeepKerberosCredentialsByExtension.toml b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/NixKerberos/KeepKerberosCredentialsByExtension.toml
new file mode 100644
index 0000000..15d38e0
--- /dev/null
+++ b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/NixKerberos/KeepKerberosCredentialsByExtension.toml
@@ -0,0 +1,12 @@
+[[ClassifierRules]]
+EnumerationScope = "FileEnumeration"
+RuleName = "KeepKerberosCredentialsByExtension"
+MatchAction = "Snaffle"
+Description = "Files with these extensions are interesting."
+MatchLocation = "FileExtension"
+WordListType = "Exact"
+MatchLength = 0
+WordList = [
+"\\.keytab",
+"\\.CCACHE"]
+Triage = "Yellow"
\ No newline at end of file
diff --git a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/NixKerberos/KeepKerberosCredentialsByName.toml b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/NixKerberos/KeepKerberosCredentialsByName.toml
new file mode 100644
index 0000000..024cc07
--- /dev/null
+++ b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/NixKerberos/KeepKerberosCredentialsByName.toml
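Review bot: `WordListType = "Exact"` in the ByExtension rule is paired with regex-escaped entries `"\\.keytab"` and `"\\.CCACHE"` (the TOML string value is `\.keytab`), so an exact comparison against a real `.keytab` extension will only succeed if Snaffler's exact matcher strips the backslash, which I would not assume — as far as I recall the other Exact extension rules in the default set use plain entries. Either write the list as `".keytab",` / `".ccache"]` or set `WordListType = "Regex"` as the sibling ByName rule in this patch does. The mixed case of `.CCACHE` is also worth checking against the matcher's case handling, since such files are normally lowercase on disk. Both new files end with `\ No newline at end of file`; adding the trailing newline keeps them consistent with the rest of the rule files.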
@@ -0,0 +1,11 @@
+[[ClassifierRules]]
+EnumerationScope = "FileEnumeration"
+RuleName = "KeepKerberosCredentialsByName"
+MatchAction = "Snaffle"
+Description = "Files with these names are interesting."
+MatchLocation = "FileName"
+WordListType = "Regex"
+MatchLength = 0
+WordList = [
+"krb5cc_.*"]
+Triage = "Yellow"
\ No newline at end of file
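Review bot: The FileName regex `krb5cc_.*` is unanchored, so the trailing `.*` adds nothing and any name merely containing `krb5cc_` matches; `"^krb5cc_"` states the intended pattern (the default MIT credential cache naming, `krb5cc_<uid>`) more precisely. The Description `"Files with these names are interesting."` tells the person triaging output nothing about what was found; something like `Description = "Kerberos credential cache files (krb5cc_<uid>)."` would help, and the same applies to the ByExtension rule's description. Triage is Yellow in both rules while a keytab holds long-term keys and a ccache holds valid tickets, so it is worth confirming this level is consistent with how the other credential-file rules in the set are ranked.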