Project

General

Profile

Bug #2809

Updated by Victor Julien almost 6 years ago

We're seeing lots of "SURICATA Applayer Mismatch protocol both directions" alerts for kerberos traffic. 

 <pre> 
 {"timestamp":"2019-02-11T14:56:33.675504-0700","flow_id":1956838363997715,"pcap_cnt":6,"event_type":"alert","src_ip":"72.52.192.72","src_port":35920,"dest_ip":"10.0.1.110","dest_port":88,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1}},"alert":{"action":"allowed","gid":1,"signature_id":2260000,"rev":1,"signature":"SURICATA Applayer Mismatch protocol both directions","category":"Generic Protocol Command Decode","severity":3},"app_proto":"krb5","app_proto_tc":"failed","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":467,"bytes_toclient":327,"start":"2019-02-11T14:56:33.566803-0700"}} 
 {"timestamp":"2019-02-11T14:56:33.675504-0700","flow_id":1956838363997715,"pcap_cnt":6,"event_type":"krb5","src_ip":"72.52.192.72","src_port":35920,"dest_ip":"10.0.1.110","dest_port":88,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1}},"krb5":{"msg_type":"KRB_ERROR","failed_request":"KRB_AS_REQ","error_code":"KDC_ERR_PREAUTH_REQUIRED","cname":"<empty>","realm":"<empty>","sname":"krbtgt\/AD.NWRA.COM","encryption":"<none>","weak_encryption":false}} 
 {"timestamp":"2019-02-11T14:56:33.676044-0700","flow_id":1956838363997715,"event_type":"flow","src_ip":"72.52.192.72","src_port":35920,"dest_ip":"10.0.1.110","dest_port":88,"proto":"TCP","app_proto":"krb5","app_proto_tc":"failed","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":533,"bytes_toclient":453,"start":"2019-02-11T14:56:33.566803-0700","end":"2019-02-11T14:56:33.676044-0700","age":0,"state":"closed","reason":"shutdown","alerted":true},"metadata":{"flowints":{"applayer.anomaly.count":1}},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1b","tcp_flags_tc":"1e","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} 
 {"timestamp":"2019-02-11T15:10:19.736983-0700","event_type":"stats","stats":{"uptime":0,"decoder":{"pkts":9,"bytes":986,"invalid":0,"ipv4":9,"ipv6":0,"ethernet":9,"raw":0,"null":0,"sll":0,"tcp":9,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":109,"max_pkt_size":261,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":1,"udp":0,"icmpv4":0,"icmpv6":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7234608},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":1,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":1,"synack":1,"rst":1,"midstream_pickups":0,"pkt_on_wrong_thread":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":4849664,"reassembly_memuse":786432},"detect":{"engines":[{"id":0,"last_reload":"2019-02-11T15:10:19.663131-0700","rules_loaded":6,"rules_failed":0}],"alert":1},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":0,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":1,"dhcp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"nfs_udp":0,"krb5_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ftp-data":0,"krb5_tcp":1,"dcerpc_udp":0,"dns_udp":0,"nfs_udp":0,"ntp":0,"tftp":0,"ikev2":0,"krb5_udp":0,"dhcp":0},"expectations":0},"flow_mgr":{"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0}}} 
 </pre>

Back