Observing POP3 recognized as FTP - Suricata 7.0.9

hi Suricata Team,

I am testing suricata 7.0.9 and seeing that pop3 is recognized as FTP by suricata 7.0.9.

I found the below threads online, which relate to Suricata 7.0.1. Is this issue still relevant for Suricata 7.0.9?

I have attached the packet captures of the pop3 flow from my testing.

threads regarding pop3 identified as FTP.

sample pop3 capture from my test

pop3.pcapng (445.1 KB)


Date: 6/9/2025 – 13:30:30 (uptime: 0d, 00h 08m 00s)

Counter | TM Name | Value

ips.accepted | Total | 40
ips.blocked | Total | 28
ips.drop_reason.flow_drop | Total | 24
ips.drop_reason.applayer_error | Total | 4
capture.kernel_packets | Total | 68
capture.afpacket.polls | Total | 47669
capture.afpacket.poll_timeout | Total | 47602
capture.afpacket.poll_data | Total | 67
decoder.pkts | Total | 68
decoder.bytes | Total | 4956
decoder.ipv4 | Total | 68
decoder.ethernet | Total | 68
decoder.tcp | Total | 68
tcp.syn | Total | 4
tcp.synack | Total | 4
tcp.rst | Total | 8
decoder.vlan | Total | 68
decoder.avg_pkt_size | Total | 72
decoder.max_pkt_size | Total | 127
tcp.active_sessions | Total | 4
flow.total | Total | 4
flow.active | Total | 4
flow.tcp | Total | 4
flow.wrk.spare_sync_avg | Total | 100
flow.wrk.spare_sync | Total | 3
tcp.sessions | Total | 4
tcp.ssn_from_pool | Total | 4
tcp.segment_from_cache | Total | 23
tcp.segment_from_pool | Total | 9
app_layer.flow.ftp | Total | 4
app_layer.tx.ftp | Total | 16
app_layer.error.ftp.parser | Total | 4
flow.mgr.full_hash_pass | Total | 86
flow.mgr.rows_per_sec | Total | 11796
flow.spare | Total | 9700
flow.mgr.rows_maxlen | Total | 1
flow.mgr.flows_checked | Total | 4
flow.mgr.flows_notimeout | Total | 4
memcap_pressure | Total | 18
memcap_pressure_max | Total | 18
tcp.memuse | Total | 6225920
tcp.reassembly_memuse | Total | 1146880
ftp.memuse | Total | 892
flow.memuse | Total | 7154304

thanks in advance
Cherish
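The stats block above shows the pattern behind the report: every flow tagged as FTP (app_layer.flow.ftp = 4) also raised an FTP parser error (app_layer.error.ftp.parser = 4). As an added example that is not part of the original post, this Python snippet parses stats.log-style "counter | TM Name | value" lines and flags any app-layer protocol whose detected flows all ended in parser errors, a useful first check for protocol misdetection; the http lines in the sample are constructed for contrast.

```python
import re

# Constructed sample: the ftp counters are copied from the posted stats output,
# the http counters are added here only to show a protocol that parses cleanly.
SAMPLE_STATS = """\
app_layer.flow.ftp | Total | 4
app_layer.tx.ftp | Total | 16
app_layer.error.ftp.parser | Total | 4
app_layer.flow.http | Total | 12
app_layer.error.http.parser | Total | 0
"""

# Matches one stats line: counter name, TM name (ignored), integer value.
LINE_RE = re.compile(
    r"^\s*(?P<counter>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$"
)


def parse_stats(text):
    """Return {counter_name: value} for every well-formed stats line."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("counter")] = int(m.group("value"))
    return counters


def suspect_misdetection(counters):
    """Return {proto: (flows, parser_errors)} for protocols where every
    detected flow also produced a parser error. 100% parser failure is a
    strong hint that the protocol was mis-identified (e.g. POP3 seen as FTP)."""
    suspects = {}
    for name, flows in counters.items():
        if not name.startswith("app_layer.flow.") or flows == 0:
            continue
        proto = name[len("app_layer.flow."):]
        errors = counters.get(f"app_layer.error.{proto}.parser", 0)
        if errors >= flows:
            suspects[proto] = (flows, errors)
    return suspects


if __name__ == "__main__":
    for proto, (flows, errors) in suspect_misdetection(parse_stats(SAMPLE_STATS)).items():
        print(f"{proto}: {errors} parser errors on {flows} flows, check protocol detection")
```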

Thanks for this report, did you test with master as well? (I think POP3 support has evolved with a full parser in 8.)


Thank you Philippe Antoine, I haven't tested any version beyond 7.0.9. Hoping to test with master / Suricata 8 and update this topic.

regards
cherish

It is fixed in Suricata 8, but not backported to Suricata 7, which has no POP3 support.


Hello,

Sorry to dig this up, but it’s not fixed in version 8.0.2.

Our OpenVPN server listens on port 110 TCP and some bots send POP3 messages detected as protocol FTP.

I get the impression that the commit never reached master?