Project

General

Profile

Actions

Bug #5492

open

Applayer Detect protocol only one direction - Kerberos

Added by Orion Poplawski over 2 years ago. Updated about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Some kerberos traffic between a Synology NAS and a Windows Active directory controller generates the following alert:

[**] [1:324000010:1] SURICATA Applayer Detect protocol only one direction (non-SMTP) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}

I can reproduce it with the attached pcap file.


Files

kerberos.pcap.xz (23.9 KB) kerberos.pcap.xz Orion Poplawski, 08/09/2022 02:59 PM
Actions #1

Updated by Philippe Antoine about 1 year ago

Confirmed : rs_krb5_probing_parser only works for ASN1/BER whose length is less than 128 bytes

cf check of rem[2],rem[3],rem[4]

Actions

Also available in: Atom PDF