Bug #2169
closed
dns/tcp: response traffic leads to 'app_proto_tc: failed'
Added by Victor Julien over 7 years ago.
Updated over 7 years ago.
Description
Triggers "SURICATA Applayer Mismatch protocol both directions"
Tested with Rust, can provide pcap offline.
Only happens with Rust it seems.
This occurs when the probe function is called without all the data for the request or response. For TCP, the probe will fail if the amount of data is less than the length specified in the header.
The fix is to just remove this check. Strip the length, and if data is left pass to the normal probe function that will fail if there is not enough data to complete the probe.
- Status changed from Assigned to Closed
- Target version changed from 70 to 4.0.0
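The two probe behaviours described in the comment above, as an added Rust sketch that is not Suricata's code. The function names, the simplified header check in `probe_dns`, and the sample response are assumptions constructed for illustration.

```rust
// Added illustration, not Suricata source. All names here are hypothetical.
const DNS_HEADER_LEN: usize = 12;

/// Simplified stand-in for the normal DNS probe: it needs a complete
/// 12-byte header and a sane question count, and fails otherwise.
fn probe_dns(msg: &[u8]) -> bool {
    if msg.len() < DNS_HEADER_LEN {
        return false;
    }
    let qdcount = u16::from_be_bytes([msg[4], msg[5]]);
    (1..=16).contains(&qdcount)
}

/// Behaviour described in the report: reject unless the whole message
/// announced by the 2-byte TCP length prefix is already buffered.
fn probe_tcp_strict(data: &[u8]) -> bool {
    if data.len() < 2 {
        return false;
    }
    let declared = u16::from_be_bytes([data[0], data[1]]) as usize;
    data.len() - 2 >= declared && probe_dns(&data[2..])
}

/// Behaviour described as the fix: strip the prefix and let the normal
/// probe decide whether enough data is present.
fn probe_tcp_relaxed(data: &[u8]) -> bool {
    data.len() > 2 && probe_dns(&data[2..])
}

/// Constructed sample: length-prefixed response for "example.com A".
fn constructed_response() -> Vec<u8> {
    // Header: id, flags (response), qdcount=1, ancount=1, nscount=0, arcount=0
    let mut msg: Vec<u8> = vec![0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0];
    msg.extend_from_slice(b"\x07example\x03com\x00\x00\x01\x00\x01"); // question
    msg.extend_from_slice(&[0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4, 192, 0, 2, 1]);
    let mut out = (msg.len() as u16).to_be_bytes().to_vec();
    out.extend(msg);
    out
}

fn main() {
    let full = constructed_response();
    let first_segment = &full[..20]; // response split across TCP segments
    println!("strict:  {}", probe_tcp_strict(first_segment));
    println!("relaxed: {}", probe_tcp_relaxed(first_segment));
}
```

With only the first 20 bytes of the response buffered, the strict probe fails while the relaxed probe still recognises DNS; a fragment too short to hold the 12-byte header is rejected by both.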