Smtp server detection 1125 v12#8448

Closed
catenacyber wants to merge 3 commits intoOISF:masterfrom
catenacyber:smtp-server-detection-1125-v12

Conversation

@catenacyber
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/1125

Describe changes:

  • smtp : adds server side detection
  • ftp : adds server side detection
  • protocoldetect: use stricter max depth

The most special trick is that the (server) probing parser waits for the client side to have seen some data before taking a definitive positive decision.
So that if it looks like an SMTP server (it could be an FTP server), let's see if the client looks like SMTP or FTP or something unknown...

Modifies #8327 by rebasing to rerun rebased QA

I wonder if the SMTP parser should also relax its condition to set state->parser_state |= SMTP_PARSER_STATE_FIRST_REPLY_SEEN;

For probing parsers used with a pattern, restrict the max depth
to these probing parsers and not all probing parsers.

Finishing protocol detection earlier allows parsing data earlier
in the case where we recognize only one side.
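As an added illustration of the two-sided decision described above (example code written for this page, not Suricata's own detection code; the enum, function names and command lists are constructed):

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed outcome type: DETECT_NEED_CLIENT means the server banner is
 * ambiguous and a decision must wait until client data has been seen. */
typedef enum { DETECT_UNKNOWN, DETECT_FTP, DETECT_SMTP, DETECT_NEED_CLIENT } Detect;

/* Server-side probe. Both FTP and SMTP greet with a "220" reply, so a 220
 * banner on its own is only a tentative match, never a definitive one. */
static Detect probe_server(const char *banner, size_t len)
{
    if (len < 4 || strncmp(banner, "220", 3) != 0 ||
        (banner[3] != ' ' && banner[3] != '-'))
        return DETECT_UNKNOWN;
    return DETECT_NEED_CLIENT;
}

/* Case-insensitive check that the client data starts with a whole command
 * word (cmd given in upper case) followed by a separator or end of data. */
static bool has_cmd(const char *data, size_t len, const char *cmd)
{
    size_t n = strlen(cmd);
    if (len < n) return false;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)data[i]) != cmd[i]) return false;
    return len == n || data[n] == ' ' || data[n] == '\r' || data[n] == '\n';
}

/* Client-side probe: the first client command disambiguates the two
 * protocols. Anything else means the flow is neither. */
static Detect probe_client(const char *data, size_t len)
{
    if (has_cmd(data, len, "EHLO") || has_cmd(data, len, "HELO"))
        return DETECT_SMTP;
    if (has_cmd(data, len, "USER") || has_cmd(data, len, "PASS") ||
        has_cmd(data, len, "FEAT") || has_cmd(data, len, "SYST"))
        return DETECT_FTP;
    return DETECT_UNKNOWN;
}

/* Combined decision over both directions of one flow. The server probe can
 * reject on its own, but only commits to SMTP or FTP once the client side
 * has produced data, exactly the deferral the PR description talks about. */
Detect detect_flow(const char *srv, size_t srv_len, const char *cli, size_t cli_len)
{
    Detect s = probe_server(srv, srv_len);
    if (s != DETECT_NEED_CLIENT) return s;
    if (cli_len == 0) return DETECT_NEED_CLIENT;   /* keep waiting */
    return probe_client(cli, cli_len);
}
```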
@codecov

codecov bot commented Jan 25, 2023

Codecov Report

Merging #8448 (7f3f653) into master (416f752) will increase coverage by 0.08%.
The diff coverage is 80.00%.

@@            Coverage Diff             @@
##           master    #8448      +/-   ##
==========================================
+ Coverage   81.85%   81.93%   +0.08%     
==========================================
  Files         963      963              
  Lines      278400   278487      +87     
==========================================
+ Hits       227890   228191     +301     
+ Misses      50510    50296     -214     
Flag Coverage Δ
fuzzcorpus 64.20% <84.44%> (+0.25%) ⬆️
suricata-verify 59.55% <68.88%> (+0.01%) ⬆️
unittests 63.45% <46.40%> (-0.01%) ⬇️


@suricata-qa

WARNING:

ERROR: QA failed on SURI_TLPW1_files_sha256.

field baseline test %
SURI_TLPW2_single_stats_chk
.tcp.ssn_from_cache 264554 339167 128.2%
.tcp.ssn_from_pool 628437 553824 88.13%
SURI_TLPW2_autofp_stats_chk
.tcp.ssn_from_cache 298547 378708 126.85%
.tcp.ssn_from_pool 594444 514283 86.51%
SURI_TLPW1_stats_chk
.tcp.ssn_from_cache 63596 79173 124.49%
.tcp.ssn_from_pool 139220 123643 88.81%
.tcp.rst 128116 113690 88.74%
.app_layer.tx.ftp 647 222 34.31%
.app_layer.error.ftp.gap 2 1 50.0%
.app_layer.error.ftp.parser 2 3 150.0%
.app_layer.error.dns_udp.parser 1276 0 -
.ftp.memuse 862 5 0.58%
SURI_TLPR1_stats_chk
.flow.memuse 580947328 535160896 92.12%
.tcp.ssn_from_cache 3644947 6063284 166.35%
.tcp.ssn_from_pool 8484810 6066445 71.5%
.tcp.synack 7538139 10192852 135.22%
.tcp.rst 5264608 6723331 127.71%
.app_layer.error.ftp-data.gap 0 1 -
.app_layer.error.dns_udp.parser 28003 0 -
.http.memuse 16440 2104 12.8%
.ftp.memuse 13827 2669 19.3%
IPS_AFP_stats_chk
.tcp.segment_from_pool 17089689 15758309 92.21%
.app_layer.flow.ftp 33480 1080 3.23%
.app_layer.tx.ftp 131760 99360 75.41%
TREX_GENERIC_stats_chk
.app_layer.flow.ftp 18444 0 -
.app_layer.tx.ftp 73776 55332 75.0%

Pipeline 12051

@catenacyber
Contributor Author

@ct0br0 could you provide me with a pcap with one (or more) flows that are recognized as FTP by master, and not by this PR?

@catenacyber catenacyber added this to the 8.0 milestone Jan 30, 2023
@catenacyber
Contributor Author

Replaced by #8512

@catenacyber catenacyber closed this Feb 2, 2023