
Bug #4529: Not keyword matches in Kerberos requests

Added by Eloy Pérez almost 5 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Assignee: (none)
Target version: (none)
Affected Versions: (none)
Effort: (none)
Difficulty: (none)
Label: (none)

Description

I was doing some tests with the following rule:

alert krb5 any any -> any any (msg:"Kerberos 5"; krb5_msg_type:10; sid:1; rev:1;)

But I was unable to make it work against the pcap I sent you, which contains only a Kerberos request (AS-REQ) and response (AS-REP).

After digging in the code for a while, I discovered that this may happen because in https://github.com/OISF/suricata/blob/master/rust/src/krb/krb5.rs#L123 no transaction is created for Kerberos requests, so they are ignored by every Kerberos keyword (I've also tested with krb5_sname).

alert krb5 any any -> any any (msg:"Kerberos 5"; krb5_sname; content:"krbtgt"; sid:5; rev:1;)

Thanks for this great software


Files

  • as-rep-as-req.pcapng (2.64 KB), Eloy Pérez, 06/15/2021 02:45 PM
  • krb5-msg-type-test.pcapng (16 KB), Eloy Pérez, 10/21/2021 10:20 AM

Related issues: 2 (0 open, 2 closed)

  • Copied to Suricata - Bug #5062: Not keyword matches in Kerberos requests (Closed, Shivani Bhardwaj)
  • Copied to Suricata - Bug #5063: Not keyword matches in Kerberos requests (Closed, Jeff Lucovsky)

#1 Updated by Eloy Pérez over 4 years ago

Update: it also happens with TGS-REQ and KRB-ERROR messages.
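The behaviour described in the report and in note #1, as an added illustration that is not Suricata's code: a simplified model of the krb5 transaction list in which the reported behaviour records a transaction only for responses, beside a per-message variant that shows what a keyword such as krb5_msg_type needs to see. The model, the sample payloads (constructed and truncated to the outer DER tag) and the policy flag are assumptions, not the parser's actual logic.

```python
from dataclasses import dataclass

# Kerberos msg-type numbers (RFC 4120); the outer DER APPLICATION tag of a
# KRB5 message carries this number.
AS_REQ, AS_REP, TGS_REQ, TGS_REP, KRB_ERROR = 10, 11, 12, 13, 30
RESPONSE_TYPES = {AS_REP, TGS_REP, KRB_ERROR}

@dataclass
class Krb5Tx:
    msg_type: int

def outer_msg_type(payload: bytes) -> int:
    """msg-type from the outer tag: constructed APPLICATION class (0x60 | n).
    Tag number 31 means the long form, which KRB5 never uses, so reject it."""
    if not payload or payload[0] & 0xE0 != 0x60:
        raise ValueError("not a KRB5 APPLICATION tag")
    tag = payload[0] & 0x1F
    if tag == 0x1F:
        raise ValueError("long-form tag is not valid for KRB5")
    return tag

def build_transactions(payloads, responses_only: bool):
    """Simplified model (assumption, not the real parser). With
    responses_only=True only responses yield a transaction, as the report
    describes, so request fields are invisible to rule keywords; with
    responses_only=False every message yields one."""
    txs = []
    for p in payloads:
        mt = outer_msg_type(p)
        if responses_only and mt not in RESPONSE_TYPES:
            continue
        txs.append(Krb5Tx(msg_type=mt))
    return txs

def count_matches(txs, wanted: int) -> int:
    """Transactions a `krb5_msg_type:<wanted>` rule would alert on."""
    return sum(1 for tx in txs if tx.msg_type == wanted)

# Constructed, truncated UDP payloads: outer tag, short length, dummy body.
SAMPLE_FLOW = [
    bytes([0x6A, 0x03, 0x30, 0x01, 0x00]),  # AS-REQ  [APPLICATION 10]
    bytes([0x6B, 0x03, 0x30, 0x01, 0x00]),  # AS-REP  [APPLICATION 11]
    bytes([0x6C, 0x03, 0x30, 0x01, 0x00]),  # TGS-REQ [APPLICATION 12]
]

if __name__ == "__main__":
    for policy in (True, False):
        txs = build_transactions(SAMPLE_FLOW, responses_only=policy)
        print(f"responses_only={policy}: krb5_msg_type:10 matches "
              f"{count_matches(txs, AS_REQ)} of {len(txs)} transactions")
```

With the responses-only policy the AS-REQ rule from the report matches nothing, while the AS-REP rule matches once in both policies; that asymmetry is the reported bug.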

#2 Updated by Philippe Antoine about 4 years ago

  • Status changed from New to In Review

#3 Updated by Philippe Antoine about 4 years ago

  • Label Needs backport, Needs backport to 5.0, Needs backport to 6.0 added

#4 Updated by Jeff Lucovsky about 4 years ago

  • Copied to Bug #5062: Not keyword matches in Kerberos requests added

#5 Updated by Jeff Lucovsky about 4 years ago

  • Copied to Bug #5063: Not keyword matches in Kerberos requests added

#6 Updated by Victor Julien over 3 years ago

  • Label deleted (Needs backport, Needs backport to 5.0, Needs backport to 6.0)

#7 Updated by Victor Julien over 3 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1

#8 Updated by Victor Julien about 3 years ago

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1

#9 Updated by Philippe Antoine almost 3 years ago

  • Status changed from In Review to Closed
  • Target version changed from 8.0.0-beta1 to 7.0.0-rc2