Project

General

Profile

Actions

Bug #4529

open

Not keyword matches in Kerberos requests

Added by Eloy Pérez over 1 year ago. Updated about 2 months ago.

Status:
In Review
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I was doing some tests with the following rule:

alert krb5 any any -> any any (msg:"Kerberos 5"; krb5_msg_type:10;)

But I was unable to make it work against the pcap I sent you, which is only a Kerberos request (AS-REQ) and response (AS-REP).

After digging for a while in the code there was discovered that this may happen cause in the https://github.com/OISF/suricata/blob/master/rust/src/krb/krb5.rs#L123 file no transaction is created by Kerberos requests, so they are ignored by any Kerberos keyword (I've also tested with the krb5_sname).

alert krb5 any any -> any any (msg:"Kerberos 5"; krb5_sname; content:"krbtgt"; sid:5; rev:1;)

Thanks for this great software


Files

as-rep-as-req.pcapng (2.64 KB) as-rep-as-req.pcapng Eloy Pérez, 06/15/2021 02:45 PM
krb5-msg-type-test.pcapng (16 KB) krb5-msg-type-test.pcapng Eloy Pérez, 10/21/2021 10:20 AM

Related issues 2 (0 open2 closed)

Copied to Bug #5062: Not keyword matches in Kerberos requestsClosedShivani BhardwajActions
Copied to Bug #5063: Not keyword matches in Kerberos requestsClosedJeff LucovskyActions
Actions #1

Updated by Eloy Pérez 11 months ago

Update: it also happens with TGS-REQ and KRB-ERROR messages.

Actions #2

Updated by Philippe Antoine 9 months ago

  • Status changed from New to In Review
Actions #3

Updated by Philippe Antoine 8 months ago

  • Label Needs backport, Needs backport to 5.0, Needs backport to 6.0 added
Actions #4

Updated by Jeff Lucovsky 8 months ago

  • Copied to Bug #5062: Not keyword matches in Kerberos requests added
Actions #5

Updated by Jeff Lucovsky 8 months ago

  • Copied to Bug #5063: Not keyword matches in Kerberos requests added
Actions #6

Updated by Victor Julien about 2 months ago

  • Label deleted (Needs backport, Needs backport to 5.0, Needs backport to 6.0)
Actions

Also available in: Atom PDF