Bug #2528 (closed)
krb parser not always parsing tgs responses
Description
I am testing out the krb5 parser and I am seeing what appear to be
inconsistent results.
One pcap (krb5.good.pcap) parses out the tgs response in the json log.
The second pcap (krb5.bad.pcap) doesn't parse out the tgs response in
the json log.
Attached are the logs from the suricata runs, build info and pcaps.
After some initial troubleshooting in IRC, victorj/pollux said it looks like there is an issue in the krb5 parser as well as possibly something additional in suricata.
Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Assignee set to Pierre Chifflier
- Target version set to TBD
- Affected Versions 4.1beta1 added
- Affected Versions deleted (4.0beta1)
Updated by Pierre Chifflier about 6 years ago
Hi,
Thanks for the report and the pcaps.
The cause of this issue is the probing parser being a bit too strict, and not matching fragmented request packets.
A fix will be proposed soon.
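Added illustration of the failure mode named in the comment above (example code, not Suricata's krb5 probing parser and not the fix Pierre proposed, which this page does not show). A probe that insists on having the whole Kerberos-over-TCP record in hand answers "no" on the first TCP segment of a request that spans several segments, so the flow is never recognised as Kerberos; a probe that decides from the framing bytes actually present (4-byte length prefix, outer APPLICATION tag, its DER length, inner SEQUENCE tag) answers "yes", or "need more data" when those few bytes are cut off. The TGS-REQ bytes, the 536-byte MSS and the MAX_KRB_RECORD bound are constructed for the example.

```python
# Kerberos-over-TCP probe, strict vs. fragment-tolerant (added illustration;
# not Suricata's code). Sample message and bounds are constructed here.
import struct

# Outer ASN.1 APPLICATION tags of Kerberos top-level messages (RFC 4120).
KRB_APP_TAGS = {
    0x6A: "AS-REQ",     # [APPLICATION 10]
    0x6B: "AS-REP",     # [APPLICATION 11]
    0x6C: "TGS-REQ",    # [APPLICATION 12]
    0x6D: "TGS-REP",    # [APPLICATION 13]
    0x7E: "KRB-ERROR",  # [APPLICATION 30]
}
MAX_KRB_RECORD = 64 * 1024   # assumed sanity bound, not a protocol constant
MATCH, NOMATCH, INCOMPLETE = "match", "nomatch", "incomplete"


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """One TLV: tag, DER length, contents."""
    return bytes([tag]) + der_length(len(body)) + body


def parse_der_header(buf: bytes, off: int):
    """(tag, content_length, header_size) at buf[off]; None if the header is
    cut off by the end of the buffer; ValueError if the length is not DER."""
    if off + 1 >= len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    if off + 2 + n > len(buf):
        return None
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n


def build_tgs_req(padding: int) -> bytes:
    """Constructed TGS-REQ (not from the ticket's pcaps): 4-byte TCP length
    prefix, [APPLICATION 12] around a SEQUENCE starting with pvno [1] = 5 and
    msg-type [2] = 12; the remaining KDC-REQ fields are opaque filler so the
    record is long enough to be split over several TCP segments."""
    pvno = der(0xA1, der(0x02, b"\x05"))
    msg_type = der(0xA2, der(0x02, b"\x0C"))
    filler = der(0xA3, der(0x30, bytes(padding)))   # stands in for padata
    msg = der(0x6C, der(0x30, pvno + msg_type + filler))
    return struct.pack(">I", len(msg)) + msg


def probe_lenient(buf: bytes) -> str:
    """Decide from the framing bytes present: length prefix, outer APPLICATION
    tag whose DER length must fill the record exactly, inner SEQUENCE tag.
    Ask for more data only when one of those bytes is cut off."""
    if len(buf) < 4:
        return INCOMPLETE
    (rec_len,) = struct.unpack(">I", buf[:4])
    if rec_len == 0 or rec_len > MAX_KRB_RECORD:
        return NOMATCH
    try:
        outer = parse_der_header(buf, 4)
    except ValueError:
        return NOMATCH
    if outer is None:
        return INCOMPLETE
    tag, length, hdr = outer
    if tag not in KRB_APP_TAGS or hdr + length != rec_len:
        return NOMATCH
    inner = 4 + hdr
    if inner >= len(buf):
        return INCOMPLETE
    return MATCH if buf[inner] == 0x30 else NOMATCH


def probe_strict(buf: bytes) -> str:
    """Same checks, but refuses unless the whole record is already buffered:
    on the first segment of a multi-segment request it says NOMATCH, not
    INCOMPLETE, so the flow never gets classified."""
    if len(buf) < 4:
        return NOMATCH
    (rec_len,) = struct.unpack(">I", buf[:4])
    if rec_len == 0 or rec_len > MAX_KRB_RECORD or len(buf) < 4 + rec_len:
        return NOMATCH
    return MATCH if probe_lenient(buf) == MATCH else NOMATCH


def tcp_segments(record: bytes, mss: int) -> list:
    """Split a record the way a TCP sender with this MSS would."""
    return [record[i:i + mss] for i in range(0, len(record), mss)]


def segments_until_match(segments: list, probe) -> int:
    """Feed cumulative data to the probe; number of segments it needed before
    answering MATCH, or 0 if it never did."""
    buf = b""
    for i, seg in enumerate(segments, 1):
        buf += seg
        if probe(buf) == MATCH:
            return i
    return 0


if __name__ == "__main__":
    segs = tcp_segments(build_tgs_req(1200), 536)
    print("strict needs", segments_until_match(segs, probe_strict), "segment(s)")
    print("lenient needs", segments_until_match(segs, probe_lenient), "segment(s)")
```

Run stand-alone it reports that the strict probe needs all three segments of the 1230-byte request while the tolerant one decides on the first; the only difference between the two functions is the `len(buf) < 4 + rec_len` refusal, which is the kind of over-strictness the comment describes. A suricata-verify test for this case would replay the fragmented pcap and assert that the tgs response appears in the JSON log.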
Updated by Victor Julien about 6 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1.1
- Affected Versions 4.1 added
- Affected Versions deleted (4.1beta1)
Updated by Victor Julien about 6 years ago
@Jason Borden Taylor: could you turn this into a suricata-verify test?
Updated by Jason Taylor about 6 years ago
Thanks Pierre!
Victor, sure I will get a PR done for that.