Project

General

Profile

Actions
Copy link

Bug #5490

closed

Applayer Detect protocol only one direction - NFS

Added by Orion Poplawski about 3 years ago. Updated about 3 hours ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
6.0.4
Effort:
Difficulty:
Label:

Description

Some NFS traffic generates the following alert:

[**] [1:324000010:1] SURICATA Applayer Detect protocol only one direction (non-SMTP) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}

The attached pcap file triggers it.

Files

nfs.pcap.xz (22.2 KB) nfs.pcap.xz Orion Poplawski, 08/08/2022 09:01 PM
Actions
Copy link
 #1

Updated by Philippe Antoine about 1 month ago

  • Status changed from New to Feedback

Not reproducing with Suricata 8, are you ?

Actions
Copy link
 #2

Updated by Philippe Antoine about 1 month ago

Neither with 7.0.11

Actions
Copy link
 #3

Updated by Orion Poplawski about 1 month ago

Well, near as I can tell, rule 324000010 is no longer present in suricata 7.0.8. Related is:

app-layer-events.rules:alert ip any any -> any any (msg:"SURICATA Applayer Detect protocol only one direction"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;)

which I have disabled at the moment, presumably due to false positive though I can't find any notes on it at the moment. Perhaps I'll re-enable and see what happens.

Actions
Copy link
 #4

Updated by Philippe Antoine about 3 hours ago

  • Status changed from Feedback to Closed

Ok, so closing this issue for now

Feel free to reopen (or open a new issue) if you have new data

Actions
Copy link

Also available in: Atom PDF