Project

General

Profile

Actions
Copy link

Feature #5247

open

Applayer Detect protocol only one direction : RTSP protocol

Added by Miles Müncher about 2 years ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

I run Suricata on MacOS:

# suricata -i en6 -F filter.bpf -v

filter.bpf limits the traffic to a single IP address:

host 192.168.1.19

fast.log shows an alert:

04/06/2022-11:45:39.142492 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.19:64527 -> 192.168.1.178:7000

However, the traffic contains both directions. See attached PCAP.

I have reported this issue at forum.suricata.io (https://forum.suricata.io/t/applayer-detect-protocol-only-one-direction/2371/2) and Andrea Herz was able to reproduce it.

Files

port7000.pcapng (3.75 KB) port7000.pcapng PCAP Miles Müncher, 04/09/2022 08:02 AM
Actions
Copy link
 #1

Updated by Philippe Antoine 6 months ago

  • Tracker changed from Bug to Feature
  • Subject changed from Applayer Detect protocol only one direction to Applayer Detect protocol only one direction : RTSP protocol
  • Affected Versions deleted (6.0.4)

This works as expected.
Suricata recognizes HTTP from the client side, but not from the server side, as it is RTSP and not HTTP

Actions
Copy link

Also available in: Atom PDF