This is because `krb5_sname` only works to client.
The doc 8.26. Kerberos Keywords — Suricata 9.0.0-dev documentation states
Kerberos server name, provided in the ticket (for AS-REQ and TGS-REQ messages) or in the error message.
But it looks to only work for the error message, as enforced by SV test krb5-request-frag-log
I think this is a bug and fix would be simply
diff --git a/src/detect-krb5-sname.c b/src/detect-krb5-sname.c
index 3cbe6185bb..93c499cda2 100644
--- a/src/detect-krb5-sname.c
+++ b/src/detect-krb5-sname.c
@@ -62,6 +62,8 @@ void DetectKrb5SNameRegister(void)
DetectAppLayerMultiRegister(
"krb5_sname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 1, SCKrb5TxGetSname, 2);
+ DetectAppLayerMultiRegister(
+ "krb5_sname", ALPROTO_KRB5, SIG_FLAG_TOSERVER, 1, SCKrb5TxGetSname, 2);
DetectBufferTypeSetDescriptionByName("krb5_sname",
"Kerberos 5 ticket server name");