@jacobvw commented May 24, 2021

Adds RPC module
Adds Kerberos module
Improves LLDP module when using multi byte lengths

LPI_PROTO_KERBEROS,
LPI_CATEGORY_KEY_EXCHANGE,
"Kerberos",
200,

Since this rule is so weak, I think the priority should be set to 250 just so it is run after any other possible matches.


/* Quite a weak rule, first 4 bytes of kerberos is the record length which
* is spread over multiple packets */


Could we also add a check that if the value of data->payload[x] < 1400, then it must match data->payload_size[x]? Or can small records still be spread across multiple packets?

Just trying to think of ways where we can rule out certain payload patterns that might just happen to be on port 88 -- very unlikely, I know, but anything to make this rule seem a bit stronger...
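
One way to express the record-length check suggested in the comment above, as an added example that is not part of this pull request or of libprotoident's code. The `flow_summary` struct and the function names are hypothetical, the 1400 threshold is the one from the comment, and the example assumes the length prefix does not count its own 4 bytes and that its high bit must be zero (as in RFC 4120).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KRB_PORT 88
#define SINGLE_PKT_MAX 1400 /* threshold taken from the review comment */

/* Hypothetical flow summary (not libprotoident's own struct): first four
 * payload bytes and first-packet payload size for each direction. */
struct flow_summary {
    uint16_t server_port;
    uint8_t first4[2][4];
    uint32_t payload_size[2];
};

/* Decode the 4-byte big-endian record length prefix. */
static uint32_t record_len(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* True if one direction looks like the start of a Kerberos TCP record. */
static bool krb_dir_plausible(const uint8_t *first4, uint32_t payload_size)
{
    uint32_t len = record_len(first4);
    if (payload_size == 0)
        return true;  /* assumption: a silent direction is acceptable */
    if (payload_size < 4 || len == 0 || (len & 0x80000000u))
        return false; /* short prefix, empty record, or reserved high bit set */
    if (len < SINGLE_PKT_MAX)
        return payload_size == len + 4; /* small record fills the packet exactly */
    return true;      /* large record: expected to span several packets */
}

static bool match_kerberos_tcp(const struct flow_summary *f)
{
    if (f->server_port != KRB_PORT || (f->payload_size[0] | f->payload_size[1]) == 0)
        return false; /* wrong port, or no payload in either direction */
    return krb_dir_plausible(f->first4[0], f->payload_size[0]) &&
           krb_dir_plausible(f->first4[1], f->payload_size[1]);
}

int main(void)
{
    /* Constructed sample: 300-byte request record, 1500-byte reply record. */
    struct flow_summary f = { 88, { {0, 0, 1, 0x2c}, {0, 0, 5, 0xdc} }, { 304, 1448 } };
    printf("match=%d\n", match_kerberos_tcp(&f));
    return 0;
}
```

The check only narrows the small-record case: a payload whose first four bytes decode to 1400 or more with the high bit clear (for example ASCII text such as `GET `) still passes, so the rule remains weak for large values.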

@salcock left a comment


See inline comments on the kerberos module.
