Bug #5492: Applayer Detect protocol only one direction - Kerberos - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #5492

open

Applayer Detect protocol only one direction - Kerberos

Added by Orion Poplawski over 1 year ago. Updated 5 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

6.0.4

Effort:

Difficulty:

Label:

Description

Some kerberos traffic between a Synology NAS and a Windows Active directory controller generates the following alert:

[**] [1:324000010:1] SURICATA Applayer Detect protocol only one direction (non-SMTP) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}

I can reproduce it with the attached pcap file.

Files

kerberos.pcap.xz (23.9 KB) kerberos.pcap.xz

Orion Poplawski, 08/09/2022 02:59 PM

History
Notes

Actions

Copy link

Updated by Philippe Antoine 5 months ago

Confirmed : rs_krb5_probing_parser only works for ASN1/BER whose length is less than 128 bytes

cf check of rem[2],rem[3],rem[4]

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #5492

Applayer Detect protocol only one direction - Kerberos

Updated by Philippe Antoine 5 months ago