atbohmer
(Andre)
October 3, 2023, 9:53am
1
Hi,
Looking for EXIM-related traffic, I found some records with TCP dest port 110 but interpreted as FTP protocol. ftp.reply, at least Suricata thinks it is an FTP reply, looks like "+OK, Return-Path:" but it seems to be a POP3 stream.
Cheers,
Andre
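One way to find flows like the ones described above in an eve.json file. This is an added example, not code from the original post or from the Suricata project: it assumes the usual eve.json layout (one JSON object per line, with `dest_port`, `app_proto` and, for FTP events, an `ftp` object whose `reply` field is a list of server lines), and the sample records are constructed for this example.

```python
"""Flag eve.json records where a port-110 session was labelled as FTP.

Added example, not part of the forum thread. Assumes the standard eve.json
layout (one JSON object per line). The sample records below are constructed.
"""
import json
import sys

POP3_PORT = 110
# POP3 server responses start with a status indicator (RFC 1939),
# whereas FTP replies start with a three-digit code.
POP3_STATUS_PREFIXES = ("+OK", "-ERR")

# Constructed sample eve.json lines: one misclassified POP3 session, one
# genuine FTP session, one port-110 flow with no protocol recognised.
SAMPLE_EVE = """
{"timestamp":"2023-10-03T09:00:00+0000","flow_id":1001,"event_type":"ftp","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":110,"proto":"TCP","app_proto":"ftp","ftp":{"reply":["+OK Dovecot ready."],"completion_code":[]}}
{"timestamp":"2023-10-03T09:00:01+0000","flow_id":1002,"event_type":"ftp","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"10.0.0.10","dest_port":21,"proto":"TCP","app_proto":"ftp","ftp":{"command":"USER","command_data":"anonymous","reply":["331 Please specify the password."],"completion_code":["331"]}}
{"timestamp":"2023-10-03T09:00:02+0000","flow_id":1003,"event_type":"flow","src_ip":"10.0.0.6","src_port":51002,"dest_ip":"10.0.0.9","dest_port":110,"proto":"TCP","app_proto":"failed"}
"""


def looks_like_pop3_reply(text: str) -> bool:
    """Return True when a server line uses POP3 status syntax (+OK / -ERR)."""
    return text.lstrip().startswith(POP3_STATUS_PREFIXES)


def find_pop3_misclassified_as_ftp(lines):
    """Return a list of {flow_id, reasons} for port-110 records that look like POP3.

    A record is reported when Suricata set app_proto to "ftp" on port 110, or
    when the recorded ftp.reply lines carry POP3 status syntax. Non-JSON lines
    are skipped so the function can be run over a live eve.json file.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("dest_port") != POP3_PORT:
            continue
        reasons = []
        if rec.get("app_proto") == "ftp":
            reasons.append("app_proto=ftp on dest port 110")
        replies = rec.get("ftp", {}).get("reply", [])
        if any(looks_like_pop3_reply(r) for r in replies):
            reasons.append("ftp.reply uses POP3 +OK/-ERR syntax")
        if reasons:
            hits.append({"flow_id": rec.get("flow_id"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    # Read eve.json from stdin if piped in, otherwise use the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVE.splitlines()
    for hit in find_pop3_misclassified_as_ftp(source):
        print(f"flow_id={hit['flow_id']}: {'; '.join(hit['reasons'])}")
```

Run it as `python3 find_pop3_as_ftp.py < /var/log/suricata/eve.json` to list the affected flow IDs; on the constructed sample only flow 1001 is reported, for both reasons.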
vjulien
(Victor Julien)
October 3, 2023, 10:36am
2
Work is being done to improve this, see
OISF:master
← catenacyber:pop3-protocol-detection-6366-v1
opened 08:11AM - 19 Sep 23 UTC
Link to [redmine](https://redmine.openinfosecfoundation.org/projects/suricata/is… sues) ticket:
https://redmine.openinfosecfoundation.org/issues/6366
Describe changes:
- pop3 protocol detection
### Provide values to any of the below to override the defaults.
https://github.com/OISF/suricata-verify/pull/1389
```
SV_BRANCH=pr/1389
```
First preliminary part for https://github.com/OISF/suricata/pull/8892 and https://redmine.openinfosecfoundation.org/issues/1125
This will require a QA rebaseline
After that:
- QA baseline is wrong because of counting IRC flows on port 5432 as pgsql because pgsql probing parser to client accepts anything
- See first commits of #8892 about generic protocol detection and see if we can craft tests to identify these bugs
- Make eve.json stats field about flows match the count of flow with app_proto because of so many corner cases
- Add FTP and SMTP server side detection