Bug #5492

open

Applayer Detect protocol only one direction - Kerberos

Added by Orion Poplawski about 3 years ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust

Description

Some Kerberos traffic between a Synology NAS and a Windows Active Directory controller generates the following alert:

[**] [1:324000010:1] SURICATA Applayer Detect protocol only one direction (non-SMTP) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}

I can reproduce it with the attached pcap file.


Files

kerberos.pcap.xz (23.9 KB) Orion Poplawski, 08/09/2022 02:59 PM

#1

Updated by Philippe Antoine almost 2 years ago

Confirmed: rs_krb5_probing_parser only works for ASN.1/BER whose length is less than 128 bytes

cf. check of rem[2], rem[3], rem[4]
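
The length dependence noted in comment #1, as an added example that is not Suricata's code: BER encodes a length below 128 in one byte and a larger one as 0x80|n followed by n length bytes, so a version check at fixed offsets stops matching once a header grows. `ber_header`, `probe_fixed`, `probe_walk` and the sample bytes are hypothetical and constructed; the assumed layout is APPLICATION tag, SEQUENCE, context tag, INTEGER 5.

```rust
// Constructed sample bytes (not taken from the attached pcap).
// Short-form lengths: every header is exactly two bytes.
const SHORT: [u8; 9] = [0x6a, 0x07, 0x30, 0x05, 0xa1, 0x03, 0x02, 0x01, 0x05];
// Long-form lengths (0x82 + two bytes) on the outer headers; body truncated as a probe sees it.
const LONG: [u8; 13] = [0x6a, 0x82, 0x01, 0x2c, 0x30, 0x82, 0x01, 0x28, 0xa1, 0x03, 0x02, 0x01, 0x05];

/// Read one BER identifier + length. Returns (tag byte, content length, header size).
fn ber_header(buf: &[u8]) -> Option<(u8, usize, usize)> {
    let tag = *buf.first()?;
    if tag & 0x1f == 0x1f { return None; } // high-tag-number form: not expected here
    let first = *buf.get(1)?;
    if first < 0x80 {
        return Some((tag, first as usize, 2)); // short form: length < 128
    }
    let n = (first & 0x7f) as usize;
    if n == 0 || n > 4 { return None; } // indefinite or implausibly large length
    let bytes = buf.get(2..2 + n)?;
    let len = bytes.iter().fold(0usize, |acc, b| (acc << 8) | *b as usize);
    Some((tag, len, 2 + n)) // long form: header is 2 + n bytes
}

/// Simplified fixed-offset probe: silently assumes two-byte headers throughout.
fn probe_fixed(buf: &[u8]) -> bool {
    buf.len() >= 9 && buf[0] & 0xc0 == 0x40 && buf[2] == 0x30 && buf[6..9] == [2u8, 1, 5]
}

/// Length-aware probe: walks each header, so long-form lengths do not shift the check.
fn probe_walk(buf: &[u8]) -> bool {
    let Some((tag, _, h1)) = ber_header(buf) else { return false };
    if tag & 0xc0 != 0x40 { return false; } // must be APPLICATION class
    let Some((0x30, _, h2)) = ber_header(&buf[h1..]) else { return false };
    let Some((ctx, _, h3)) = ber_header(&buf[h1 + h2..]) else { return false };
    if ctx & 0xc0 != 0x80 { return false; } // must be context-specific
    let off = h1 + h2 + h3;
    let Some((0x02, 1, h4)) = ber_header(&buf[off..]) else { return false };
    buf.get(off + h4) == Some(&5) // protocol version 5
}

fn main() {
    for (name, msg) in [("short", &SHORT[..]), ("long", &LONG[..])] {
        println!("{name}: fixed={} walk={}", probe_fixed(msg), probe_walk(msg));
    }
}
```
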

#2

Updated by Philippe Antoine about 1 month ago

  • Affected Versions 8.0.0 added
  • Affected Versions deleted (6.0.4)

#3

Updated by Philippe Antoine about 1 month ago

  • Label Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust added