Suricata version 5.0.3
test pcap:
smtp_pop3_imap.pcap (38.1 KB)
event result file:
eve.json (18.0 KB)
suricata.yaml:
vars:
  port-groups:
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
I found some POP3 packets detected as FTP.
{"timestamp":"2020-06-05T09:15:26.236743+0800","flow_id":1039882930516431,"in_iface":"eth8","event_type":"ftp","src_ip":"127.0.0.1","src_port":48621,"dest_ip":"127.0.0.1","dest_port":49678,"proto":"TCP","tx_id":0,"ftp":{"reply":["+OK POP3"],"completion_code":[],"reply_received":"yes"}}
It looks wrong.
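
Added example, not part of the original post: a triage script that scans an eve.json for `ftp` records whose reply lines carry POP3 status indicators (`+OK`/`-ERR`) and no parsed FTP completion code, as in the record above. The function names and the two contrast records are constructed for illustration.

```python
import json
import sys

# POP3 status indicators (RFC 1939). FTP replies start with a 3-digit code (RFC 959).
POP3_STATUS = ("+OK", "-ERR")

# First record is the one from the post; the other two are constructed for contrast.
SAMPLE_EVE = [
    '{"timestamp":"2020-06-05T09:15:26.236743+0800","flow_id":1039882930516431,"in_iface":"eth8","event_type":"ftp","src_ip":"127.0.0.1","src_port":48621,"dest_ip":"127.0.0.1","dest_port":49678,"proto":"TCP","tx_id":0,"ftp":{"reply":["+OK POP3"],"completion_code":[],"reply_received":"yes"}}',
    '{"flow_id":1,"event_type":"ftp","src_ip":"192.0.2.10","src_port":40000,"dest_ip":"192.0.2.20","dest_port":21,"proto":"TCP","tx_id":0,"ftp":{"command":"USER","command_data":"anonymous","reply":["Please specify the password."],"completion_code":["331"],"reply_received":"yes"}}',
    '{"flow_id":2,"event_type":"flow","src_port":40001,"dest_port":110,"proto":"TCP"}',
]


def looks_like_pop3(event):
    """True for an EVE 'ftp' record whose replies are POP3 status lines."""
    if event.get("event_type") != "ftp":
        return False
    ftp = event.get("ftp", {})
    if ftp.get("completion_code"):
        return False  # a parsed 3-digit code means the reply really was FTP
    replies = ftp.get("reply") or []
    return any(r.lstrip().startswith(POP3_STATUS) for r in replies)


def find_misclassified(lines):
    """Return (flow_id, src_port, dest_port, replies) for each suspicious record."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        if looks_like_pop3(event):
            hits.append((event.get("flow_id"), event.get("src_port"),
                         event.get("dest_port"), event["ftp"]["reply"]))
    return hits


if __name__ == "__main__":
    # Pass a path to eve.json, or run without arguments to use the sample records.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE
    for hit in find_misclassified(source):
        print(hit)
```

The returned flow_id values can be matched against the `flow` records in the same eve.json to see which ports the affected sessions used.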