Bug #5140
opennfs: NFS3/NFS2 procedure conflict
Affected Versions:
Effort:
Difficulty:
Label: Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust
Description
An NFS2 procedure "STATFS" is being logged as an NFS3 "READDIRPLUS", since both have the same proc_num: 17 but there is no distinguished proc_name for NFS2.
{"flow_id":397357320141328,"pcap_cnt":12,"event_type":"nfs","src_ip":"139.25.22.102","src_port":2049,"dest_ip":"139.25.22.2","dest_port":1023,"proto":"UDP","rpc":{"xid":1578961813,"status":"ACCEPTED","auth_type":"UNIX","creds":{"machine_name":"werrmsche","uid":0,"gid":0}},"nfs":{"version":2,"procedure":"READDIRPLUS","filename":"","id":2,"file_tx":false,"type":"response","status":"OK"}}
Pcap file: nfsv2.pcap | https://redmine.openinfosecfoundation.org/issues/3277
Updated by Philippe Antoine 9 days ago
- Status changed from New to Feedback
- Label Needs Suricata-Verify test added
Could you share the pcap to reproduce, please?
#2
Updated by Sam Mohammad 9 days ago
- File nfsv2.pcap added
- File nfs3-READDIRPLUS.pcap added
AFAIR the conflict was logging { proc_num: 17 } for nfsv2 with the same name of nfs3 { proc_num: 17 } which is READDIRPLUS, while nfsv2 { proc_num: 17 } is actually STATFS.
Updated by Philippe Antoine 9 days ago
- Affected Versions 8.0.0 added
Looks to be still a problem from the code not handling diff between v2 and v3
let proc_string = if state.nfs_version < 4 { nfs3_procedure_string(tx.procedure)
Updated by Philippe Antoine 8 days ago
- Label Beginner, Good First Issue, Protocol, Rust added
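A version-aware procedure lookup of the kind this report calls for, as an added example that is not Suricata's code: the tables follow RFC 1094 (NFSv2) and RFC 1813 (NFSv3), and the names `procedure_name` and `v2_mislabelled_by_v3_table` are hypothetical. It goes beyond procedure 17 and lists every NFSv2 procedure number that a v3-only table would name wrongly in the logs.

```rust
// Added example, not Suricata code. Procedure tables per RFC 1094 / RFC 1813.
static NFS2_PROCS: [&str; 18] = [
    "NULL", "GETATTR", "SETATTR", "ROOT", "LOOKUP", "READLINK", "READ",
    "WRITECACHE", "WRITE", "CREATE", "REMOVE", "RENAME", "LINK", "SYMLINK",
    "MKDIR", "RMDIR", "READDIR", "STATFS",
];
static NFS3_PROCS: [&str; 22] = [
    "NULL", "GETATTR", "SETATTR", "LOOKUP", "ACCESS", "READLINK", "READ",
    "WRITE", "CREATE", "MKDIR", "SYMLINK", "MKNOD", "REMOVE", "RMDIR",
    "RENAME", "LINK", "READDIR", "READDIRPLUS", "FSSTAT", "FSINFO",
    "PATHCONF", "COMMIT",
];

/// Hypothetical helper: pick the name table from the NFS version first,
/// then index it by procedure number. Unknown versions or out-of-range
/// numbers fall back to the bare number instead of a misleading name.
pub fn procedure_name(version: u32, procedure: u32) -> String {
    let table: &[&str] = match version {
        2 => &NFS2_PROCS[..],
        3 => &NFS3_PROCS[..],
        _ => return procedure.to_string(),
    };
    table
        .get(procedure as usize)
        .map(|name| name.to_string())
        .unwrap_or_else(|| procedure.to_string())
}

/// Every NFSv2 procedure number whose name differs from the NFSv3 name
/// at the same number: (proc_num, correct v2 name, name a v3 table gives).
pub fn v2_mislabelled_by_v3_table() -> Vec<(u32, &'static str, &'static str)> {
    NFS2_PROCS
        .iter()
        .zip(NFS3_PROCS.iter())
        .enumerate()
        .filter(|(_, (v2, v3))| v2 != v3)
        .map(|(n, (v2, v3))| (n as u32, *v2, *v3))
        .collect()
}

fn main() {
    println!("v2/17 = {}, v3/17 = {}", procedure_name(2, 17), procedure_name(3, 17));
    for (n, v2, v3) in v2_mislabelled_by_v3_table() {
        println!("proc {:2}: NFSv2 {:<10} would be logged as {}", n, v2, v3);
    }
}
```

The second function is useful when reviewing existing `event_type: nfs` logs with `"version":2`: any procedure number it returns may carry the NFSv3 name in records written before a fix.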