Bug #5492: Applayer Detect protocol only one direction - Kerberos - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #5492

open

Applayer Detect protocol only one direction - Kerberos

Added by Orion Poplawski about 3 years ago. Updated about 1 month ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

8.0.0

Effort:

Difficulty:

Label:

Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust

Description

Some kerberos traffic between a Synology NAS and a Windows Active directory controller generates the following alert:

[**] [1:324000010:1] SURICATA Applayer Detect protocol only one direction (non-SMTP) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}

I can reproduce it with the attached pcap file.

Files

kerberos.pcap.xz (23.9 KB) kerberos.pcap.xz

Orion Poplawski, 08/09/2022 02:59 PM

Actions

Copy link

Updated by Philippe Antoine almost 2 years ago

Confirmed : rs_krb5_probing_parser only works for ASN1/BER whose length is less than 128 bytes

cf check of rem[2],rem[3],rem[4]

Actions

Copy link

Updated by Philippe Antoine about 1 month ago

Affected Versions 8.0.0 added
Affected Versions deleted (~~6.0.4~~)

Actions

Copy link

Updated by Philippe Antoine about 1 month ago

Label Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust added

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #5492

Applayer Detect protocol only one direction - Kerberos

Updated by Philippe Antoine almost 2 years ago

Updated by Philippe Antoine about 1 month ago

Updated by Philippe Antoine about 1 month ago