Bug #5490
open
Applayer Detect protocol only one direction - NFS
Added by Orion Poplawski almost 3 years ago.
Updated 21 days ago.
Description
Some NFS traffic generates the following alert:
[**] [1:324000010:1] SURICATA Applayer Detect protocol only one direction (non-SMTP) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
The attached pcap file triggers it.
- Status changed from New to Feedback
Not reproducing with Suricata 8, are you?
Well, as near as I can tell, rule 324000010 is no longer present in Suricata 7.0.8. Related is:
app-layer-events.rules:alert ip any any -> any any (msg:"SURICATA Applayer Detect protocol only one direction"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;)
which I have disabled at the moment, presumably due to false positives, though I can't find any notes on it at the moment. Perhaps I'll re-enable it and see what happens.
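To judge whether a rule like sid 2260002 is worth re-enabling, it helps to parse the fast.log records it produces and see how often it fires and against which services. The following parser is an added example, not code from this ticket or from the Suricata project; it handles the full fast.log line layout (timestamp and endpoints) as well as the truncated form quoted in the report, and the sample lines and sid 9000001 are constructed placeholders.

```python
import re
from collections import Counter

# Suricata fast.log record. Timestamp and endpoints are optional so the
# truncated line quoted in the bug report parses as well as a real log line.
FAST_RE = re.compile(
    r"^(?:(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s+(?P<classification>[^\]]+)\]"
    r"\s+\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}"
    r"(?:\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?\s*$"
)


def parse_fast_line(line):
    """Return a dict of the record's fields, or None if the line is not a fast.log alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        rec[key] = int(rec[key])
    return rec


def tally_by_sid(lines):
    """Count alerts per sid and collect the destination ports each sid fired on.

    A sid that fires repeatedly against one well-known service port (2049 for NFS)
    is the typical profile of a benign protocol-detection anomaly."""
    counts = Counter()
    ports = {}
    for line in lines:
        rec = parse_fast_line(line)
        if rec is None:
            continue  # skip non-alert lines rather than failing on them
        counts[rec["sid"]] += 1
        if rec["dst"]:
            # rsplit on the last ':' also works for bracketed IPv6 endpoints
            ports.setdefault(rec["sid"], set()).add(rec["dst"].rsplit(":", 1)[-1])
    return counts, ports


# Constructed sample log lines (not real traffic): three hits of sid 2260002
# on NFS and portmapper, one unrelated placeholder rule, and one junk line.
SAMPLE_LOG = [
    "02/10/2022-09:15:01.123456  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:823 -> 10.0.0.7:2049",
    "02/10/2022-09:15:02.654321  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.6:901 -> 10.0.0.7:2049",
    "02/10/2022-09:15:03.000001  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.9:40123 -> 10.0.0.7:111",
    "02/10/2022-09:16:00.500000  [**] [1:9000001:1] LOCAL placeholder rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:53000 -> 10.0.0.1:53",
    "this is not an alert line",
]

if __name__ == "__main__":
    counts, ports = tally_by_sid(SAMPLE_LOG)
    for sid, n in counts.most_common():
        print(sid, n, sorted(ports.get(sid, ())))
```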