Bug #2528
closed
krb parser not always parsing tgs responses
Added by Jason Taylor over 6 years ago.
Updated about 6 years ago.
Description
I am testing out the krb5 parser and I am seeing what appear to be
inconsistent results.
One pcap (krb5.good.pcap) parses out the tgs response in the json log.
The second pcap (krb5.bad.pcap) doesn't parse out the tgs response in
the json log.
Attached are the logs from the suricata runs, build info and pcaps.
After some initial troubleshooting in IRC, victorj/pollux said it looks like there is an issue in krb5 parser as well as possibly something additional in suricata.
- Status changed from New to Assigned
- Assignee set to Pierre Chifflier
- Target version set to TBD
- Affected Versions 4.1beta1 added
- Affected Versions deleted (4.0beta1)
Hi,
Thanks for the report and the pcaps.
The cause of this issue is the probing parser being a bit too strict, and not matching fragmented request packets.
A fix will be proposed soon.
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1.1
- Affected Versions 4.1 added
- Affected Versions deleted (4.1beta1)
@Jason Borden Taylor: could you turn this into a suricata-verify test?
Thanks Pierre!
Victor, sure I will get a PR done for that.