Not keyword matches in Kerberos requests
I was doing some tests with the following rule:
alert krb5 any any -> any any (msg:"Kerberos 5"; krb5_msg_type:10;)
But I was unable to make it work against the pcap I sent you, which is only a Kerberos request (AS-REQ) and response (AS-REP).
After digging for a while in the code there was discovered that this may happen cause in the https://github.com/OISF/suricata/blob/master/rust/src/krb/krb5.rs#L123 file no transaction is created by Kerberos requests, so they are ignored by any Kerberos keyword (I've also tested with the krb5_sname).
alert krb5 any any -> any any (msg:"Kerberos 5"; krb5_sname; content:"krbtgt"; sid:5; rev:1;)
Thanks for this great software
No data to display