Feature #5247

open

Applayer Detect protocol only one direction : RTSP protocol

Added by Miles Müncher about 2 years ago. Updated 8 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

I run Suricata on macOS:

# suricata -i en6 -F filter.bpf -v

filter.bpf limits the traffic to a single IP address:

host 192.168.1.19

fast.log shows an alert:

04/06/2022-11:45:39.142492 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.19:64527 -> 192.168.1.178:7000

However, the traffic contains both directions. See attached PCAP.

I have reported this issue at forum.suricata.io (https://forum.suricata.io/t/applayer-detect-protocol-only-one-direction/2371/2) and Andrea Herz was able to reproduce it.


Files

port7000.pcapng (3.75 KB) PCAP, Miles Müncher, 04/09/2022 08:02 AM

#1

Updated by Philippe Antoine 8 months ago

  • Tracker changed from Bug to Feature
  • Subject changed from Applayer Detect protocol only one direction to Applayer Detect protocol only one direction : RTSP protocol
  • Affected Versions deleted (6.0.4)

This works as expected.
Suricata recognizes HTTP from the client side, but not from the server side, as it is RTSP and not HTTP.
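
Added example (not part of the issue and not Suricata project code): a Python sketch that tallies fast.log alerts for sid 2260002 per destination endpoint, to show which server ports, such as 7000 above, keep raising the event. The first sample line is the alert quoted in the issue; the other lines, the sid 1000001 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# fast.log layout, as in the alert quoted in the issue:
# ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src:sp -> dst:dp
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)
ONE_DIRECTION_SID = 2260002  # sid of the alert reported in the issue


def parse_fast_line(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def one_direction_by_server(lines, sid=ONE_DIRECTION_SID):
    """Count alerts with the given sid per (proto, destination IP, destination port)."""
    hits = Counter()
    for line in lines:
        rec = parse_fast_line(line)
        if rec is not None and rec["sid"] == sid:
            hits[(rec["proto"], rec["dst"], rec["dport"])] += 1
    return hits


# Line 1 is from the issue; lines 2-4 are constructed sample input.
SAMPLE_LOG = """\
04/06/2022-11:45:39.142492 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.19:64527 -> 192.168.1.178:7000
04/06/2022-11:46:02.000001 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.19:64530 -> 192.168.1.178:7000
04/06/2022-11:46:05.000002 [**] [1:1000001:1] CONSTRUCTED local rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.19:64531 -> 192.168.1.50:80
this line is not an alert
""".splitlines()

if __name__ == "__main__":
    for (proto, dst, dport), n in one_direction_by_server(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {proto} {dst}:{dport}")
```
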
