
Bug #2528

closed

krb parser not always parsing tgs responses

Added by Jason Taylor over 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I am testing out the krb5 parser and I am seeing what appear to be
inconsistent results.

One pcap (krb5.good.pcap) parses out the tgs response in the json log.

The second pcap (krb5.bad.pcap) doesn't parse out the tgs response in
the json log.

Attached are the logs from the suricata runs, build info and pcaps.

After some initial troubleshooting in IRC, victorj/pollux said it looks like there is an issue in the krb5 parser as well as possibly something additional in suricata.

Files

  • suri.outinfo.txt (2.32 KB), Jason Taylor, 07/10/2018 05:06 PM
  • krb5.sample.zip (14.7 KB), Jason Taylor, 07/10/2018 05:06 PM
  • suri.buildinfo.txt (3.38 KB), Jason Taylor, 07/10/2018 05:06 PM
Actions #1

Updated by Victor Julien over 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Pierre Chifflier
  • Target version set to TBD
  • Affected Versions 4.1beta1 added
  • Affected Versions deleted (4.0beta1)
Actions #2

Updated by Pierre Chifflier about 6 years ago

Hi,
Thanks for the report and the pcaps.

The cause of this issue is the probing parser being a bit too strict, and not matching fragmented request packets.
A fix will be proposed soon.
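
The failure mode Pierre describes, a stream probe that answers "not Kerberos" when the first TCP segment of a request is merely incomplete, is illustrated below. This is an added example, not Suricata's code and not the krb5 parser's code. It assumes only the Kerberos-over-TCP framing from RFC 4120 (a 4-byte big-endian record length with the high bit reserved, followed by a DER element tagged APPLICATION 10..15 or 30 whose content opens with a SEQUENCE); the function names, the `Probe` enum and the constructed sample record `SAMPLE_TGS_REQ` are hypothetical. The point it makes: a probing parser on a reassembled stream must return a distinct "need more data" verdict, because returning "no match" on a fragment permanently stops the flow from being handed to the protocol parser, which is exactly why the TGS exchange was missing from the log.

```rust
/// Outcome of probing the bytes seen so far on a TCP flow.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Probe {
    /// A complete Kerberos record header was recognised.
    Match { msg_type: u8, record_len: usize },
    /// The bytes cannot be a Kerberos record; stop probing this flow.
    NoMatch,
    /// Everything seen so far is consistent with Kerberos; wait for more.
    NeedMore,
}

/// APPLICATION tag numbers of the top-level Kerberos messages (RFC 4120 section 5.4):
/// AS-REQ 10, AS-REP 11, TGS-REQ 12, TGS-REP 13, AP-REQ 14, AP-REP 15, KRB-ERROR 30.
const KRB_MSG_TAGS: [u8; 7] = [10, 11, 12, 13, 14, 15, 30];

/// Lenient probe: distinguishes "not enough data yet" from "not Kerberos".
pub fn probe_krb5_tcp(buf: &[u8]) -> Probe {
    // RFC 4120 section 7.2.2: 4-byte big-endian record length, high bit reserved.
    if buf.len() < 4 {
        return Probe::NeedMore;
    }
    if buf[0] & 0x80 != 0 {
        return Probe::NoMatch;
    }
    let record_len = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize;
    if record_len < 2 {
        return Probe::NoMatch;
    }
    let body = &buf[4..];
    // DER identifier octet: class APPLICATION (0x40) | constructed (0x20) | tag number.
    let tag = match body.first() {
        Some(&t) => t,
        None => return Probe::NeedMore,
    };
    if tag & 0xe0 != 0x60 || !KRB_MSG_TAGS.contains(&(tag & 0x1f)) {
        return Probe::NoMatch;
    }
    // DER length octets of the outer element (short form, or 1-2 byte long form).
    let (content_len, hdr_len) = match body.get(1) {
        None => return Probe::NeedMore,
        Some(&l) if l < 0x80 => (l as usize, 2),
        Some(0x81) => match body.get(2) {
            None => return Probe::NeedMore,
            Some(&l) => (l as usize, 3),
        },
        Some(0x82) => match (body.get(2), body.get(3)) {
            (Some(&h), Some(&l)) => (u16::from_be_bytes([h, l]) as usize, 4),
            _ => return Probe::NeedMore,
        },
        // Indefinite length or more than 64 KiB is not plausible for a KDC exchange.
        Some(_) => return Probe::NoMatch,
    };
    // The outer DER element must exactly fill the TCP record.
    if hdr_len + content_len != record_len {
        return Probe::NoMatch;
    }
    // The element's content starts with the KDC-REQ / KDC-REP SEQUENCE.
    match body.get(hdr_len) {
        None => Probe::NeedMore,
        Some(0x30) => Probe::Match { msg_type: tag & 0x1f, record_len: 4 + record_len },
        Some(_) => Probe::NoMatch,
    }
}

/// Feed TCP segments to the probe one at a time, reassembling as a stream engine would.
/// `strict` models the failure mode in this ticket: a probe that answers NoMatch whenever
/// the first segment is incomplete, so the flow is never handed to the Kerberos parser.
pub fn classify_stream(segments: &[&[u8]], strict: bool) -> Probe {
    let mut buf: Vec<u8> = Vec::new();
    for seg in segments {
        buf.extend_from_slice(seg);
        match probe_krb5_tcp(&buf) {
            Probe::NeedMore if strict => return Probe::NoMatch,
            Probe::NeedMore => continue,
            verdict => return verdict,
        }
    }
    Probe::NeedMore
}

/// Constructed sample (not captured traffic): a TCP record carrying an APPLICATION 12
/// (TGS-REQ) element whose content is a minimal SEQUENCE { INTEGER 5 }. It is only
/// shaped like a TGS-REQ, which is all a header probe looks at.
pub static SAMPLE_TGS_REQ: [u8; 11] = [
    0x00, 0x00, 0x00, 0x07,             // record length = 7
    0x6c, 0x05,                         // [APPLICATION 12], length 5
    0x30, 0x03, 0x02, 0x01, 0x05,       // SEQUENCE { INTEGER 5 }
];

fn main() {
    // The same request split into two segments, as the "bad" pcap would deliver it.
    let frags: [&[u8]; 2] = [&SAMPLE_TGS_REQ[..6], &SAMPLE_TGS_REQ[6..]];
    println!("lenient probe: {:?}", classify_stream(&frags, false));
    println!("strict probe:  {:?}", classify_stream(&frags, true));
}
```

Run as is, the lenient probe reports a TGS-REQ match once the second segment arrives, while the strict variant has already written the flow off as non-Kerberos after the first six bytes. A suricata-verify test for this ticket checks the same property end to end: the fragmented pcap must still produce the krb5 TGS entries in the JSON log.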

Actions #3

Updated by Victor Julien about 6 years ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 4.1.1
  • Affected Versions 4.1 added
  • Affected Versions deleted (4.1beta1)
Actions #4

Updated by Victor Julien about 6 years ago

@Jason Borden Taylor: could you turn this into a suricata-verify test?

Actions #5

Updated by Jason Taylor about 6 years ago

Thanks Pierre!

Victor, sure I will get a PR done for that.
