Project

General

Profile

Actions
Copy link

Feature #5247

closed
MM OD

Applayer Detect protocol only one direction : RTSP protocol

Feature #5247: Applayer Detect protocol only one direction : RTSP protocol

Added by Miles Müncher almost 4 years ago. Updated about 1 year ago.

Status:
Rejected
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

I run Suricata on MacOS:

# suricata -i en6 -F filter.bpf -v

filter.bpf limits the traffic to a single IP address:

host 192.168.1.19

fast.log shows an alert:

04/06/2022-11:45:39.142492 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.19:64527 -> 192.168.1.178:7000

However, the traffic contains both directions. See attached PCAP.

I have reported this issue at forum.suricata.io (https://forum.suricata.io/t/applayer-detect-protocol-only-one-direction/2371/2) and Andrea Herz was able to reproduce it.

Files

port7000.pcapng (3.75 KB) port7000.pcapng PCAP Miles Müncher, 04/09/2022 08:02 AM

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
 #1

  • Tracker changed from Bug to Feature
  • Subject changed from Applayer Detect protocol only one direction to Applayer Detect protocol only one direction : RTSP protocol
  • Affected Versions deleted (6.0.4)

This works as expected.
Suricata recognizes HTTP from the client side, but not from the server side, as it is RTSP and not HTTP

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
 #2

  • Status changed from New to Rejected

Working as expected, let us know if you have more feedback about it

Actions
Copy link

Also available in: PDF Atom