Suricata 7.0.1 POP3 seen as FTP protocol

atbohmer · October 3, 2023, 9:53am

Hi,
Looking for EXIM related traffic if found some records with tcp dest port 110 but intepreted as FTP protocol. ftp.reply, at least suricata thinks it is a ftp reply, looks like " +OK, Return-Path:" but is seems as a POP3 stream.
Cheers,
Andre

vjulien · October 3, 2023, 10:36am

Work is being done to improve this, see

github.com/OISF/suricata

Pop3 protocol detection 6366 v1

OISF:master ← catenacyber:pop3-protocol-detection-6366-v1

opened 08:11AM - 19 Sep 23 UTC

catenacyber

+38 -2

Link to [redmine](https://redmine.openinfosecfoundation.org/projects/suricata/is…sues) ticket: https://redmine.openinfosecfoundation.org/issues/6366 Describe changes: - pop3 protocol detection ### Provide values to any of the below to override the defaults. https://github.com/OISF/suricata-verify/pull/1389 ``` SV_BRANCH=pr/1389 ``` First preliminary part for https://github.com/OISF/suricata/pull/8892 and https://redmine.openinfosecfoundation.org/issues/1125 This will require a QA rebaseline After that : - QA baseline is wrong because of counting IRC flows on port 5432 as pgsql because pgsql probing parser to client accepts anything - See first commits of #8892 about generic protocol detection and see if we can craft tests to identify these bugs - Make eve.json stats field about flows match the count of flow with app_proto because of so many corner cases - Add FTP and SMTP server side detection

Topic		Replies	Views
Can suricata recognize ftp-data protocols? Rules	10	1011	November 18, 2022
Application detection and duplicate TCP/SYN Help	6	1027	September 1, 2022
Protocols are not recognized Help	10	1565	August 1, 2022
Generic Protocol Command Decode Help	13	12672	March 13, 2021
Not recognizing protocols, only flow Help centos	5	485	November 1, 2021

Suricata 7.0.1 POP3 seen as FTP protocol

Related Topics