Bug #2528

krb parser not always parsing tgs responses

Added by Jason Taylor over 1 year ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I am testing out the krb5 parser and I am seeing what appear to be
inconsistent results.

One pcap (krb5.good.pcap) parses out the tgs response in the json log.

The second pcap (krb5.bad.pcap) doesn't parse out the tgs response in
the json log.

Attached are the logs from the suricata runs, build info and pcaps.

After some initial troubleshooting in IRC, victorj/pollux said it looks like there is an issue in the krb5 parser as well as possibly something additional in suricata.


Files

suri.outinfo.txt (2.32 KB) suri.outinfo.txt Jason Taylor, 07/10/2018 05:06 PM
krb5.sample.zip (14.7 KB) krb5.sample.zip Jason Taylor, 07/10/2018 05:06 PM
suri.buildinfo.txt (3.38 KB) suri.buildinfo.txt Jason Taylor, 07/10/2018 05:06 PM

History

#1

Updated by Victor Julien over 1 year ago

  • Status changed from New to Assigned
  • Assignee set to Pierre Chifflier
  • Target version set to TBD
  • Affected Versions 4.1beta1 added
  • Affected Versions deleted (4.0beta1)
#2

Updated by Pierre Chifflier 10 months ago

Hi,
Thanks for the report and the pcaps.

The cause of this issue is the probing parser being a bit too strict, and not matching fragmented request packets.
A fix will be proposed soon.
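The failure mode described above, illustrated with an added example (not Suricata's own krb5 parser code): Kerberos over TCP is framed as a 4-byte big-endian record length followed by a DER message (RFC 4120 section 7.2.2). A probing parser that insists on seeing the complete record never matches when a large TGS-REQ is split across TCP segments, so the flow is never handed to the krb5 parser and no TGS response is logged; a probe that checks only the record header and the DER envelope still matches. The sample record and function names are constructed for this illustration.

```python
import struct

# DER application tags for Kerberos message types (RFC 4120 section 5.10):
# tag byte = class APPLICATION (0x40) | constructed (0x20) | tag number.
KRB_APP_TAGS = {0x6a: "AS-REQ", 0x6b: "AS-REP", 0x6c: "TGS-REQ", 0x6d: "TGS-REP"}

def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, bytes_consumed) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7f
    if n == 0 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def strict_probe(segment):
    """Too strict: only matches when the whole record is in this one segment."""
    if len(segment) < 5:
        return None
    rec_len = struct.unpack(">I", segment[:4])[0]
    if rec_len + 4 > len(segment):
        return None  # request continues in a later segment: probe gives up
    return KRB_APP_TAGS.get(segment[4])

def lenient_probe(segment):
    """Probe on the header only: the 4-byte record length must agree with the
    DER envelope (tag + length) even while the body is still in flight."""
    if len(segment) < 6:
        return None
    rec_len = struct.unpack(">I", segment[:4])[0]
    tag = segment[4]
    if tag not in KRB_APP_TAGS:
        return None
    decoded = der_length(segment, 5)
    if decoded is None:
        return None
    inner_len, hdr_len = decoded
    if 1 + hdr_len + inner_len != rec_len:  # envelope must fill the record exactly
        return None
    return KRB_APP_TAGS[tag]

def make_tgs_req(body_len):
    """Constructed sample record: a TGS-REQ whose body is body_len zero bytes."""
    body = bytes(body_len)
    if body_len < 0x80:
        der = bytes([0x6c, body_len]) + body
    else:
        der = bytes([0x6c, 0x82]) + struct.pack(">H", body_len) + body
    return struct.pack(">I", len(der)) + der
```

With a 1400-byte TGS-REQ cut at 1200 bytes (the first segment of a fragmented request), `strict_probe` returns None while `lenient_probe` still returns "TGS-REQ"; both agree on a small request that fits in one segment.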

#3

Updated by Victor Julien 10 months ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 4.1.1
  • Affected Versions 4.1 added
  • Affected Versions deleted (4.1beta1)
#4

Updated by Victor Julien 10 months ago

Jason Borden Taylor: could you turn this into a suricata-verify test?

#5

Updated by Jason Taylor 10 months ago

Thanks Pierre!

Victor, sure I will get a PR done for that.
