Pop3 protocol detection 6366 v3#9874

Closed
catenacyber wants to merge 2 commits intoOISF:masterfrom
catenacyber:pop3-protocol-detection-6366-v3

Conversation

@catenacyber (Contributor)

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6366

Describe changes:

  • pop3 protocol detection

OISF/suricata-verify#1481

SV_BRANCH=pr/1481

Needed rebase of #9836

First preliminary part for #8892 and https://redmine.openinfosecfoundation.org/issues/1125

This will require a QA rebaseline

After that:

  • QA baseline is wrong because IRC flows on port 5432 are counted as pgsql, because the pgsql probing parser to client accepts anything
  • See the first commits of Smtp server detection 1125 v17 #8892 about generic protocol detection, and see if we can craft tests to identify these bugs
  • Make the eve.json stats field about flows match the count of flows with app_proto, because of so many corner cases
  • Add FTP and SMTP server side detection
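
As an added illustration, not code from this PR or from Suricata, the stand-alone Rust model below shows the kind of per-direction probing this change is about (a POP3 probe for the to-client greeting and the to-server first command), and puts it beside a deliberately permissive probe that claims any payload, to show why a probe that accepts anything, as the description says the pgsql to-client probe does, ends up counting unrelated traffic such as IRC as its protocol. The `Probe` enum, the function names, the command list and the IRC greeting are assumptions constructed for this example and do not mirror Suricata's app-layer API.

```rust
// Added example (not Suricata's code): a stand-alone model of per-direction
// POP3 probing, next to a deliberately permissive probe that accepts any
// payload, to show how an over-eager probe misclassifies unrelated traffic.

/// Outcome of probing one direction of a flow (assumed shape, not Suricata's).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Probe {
    /// Enough positive evidence to classify the flow as this protocol.
    Match,
    /// Positive evidence this is not the protocol; stop probing for it.
    NoMatch,
    /// Not enough bytes yet; ask for more data before deciding.
    Unknown,
}

/// Commands a POP3 client may legitimately send first (AUTHORIZATION state,
/// RFC 1939, plus the CAPA/STLS/AUTH extensions).
const POP3_FIRST_COMMANDS: &[&[u8]] = &[b"USER", b"APOP", b"CAPA", b"STLS", b"AUTH", b"QUIT"];

/// True for bytes allowed inside a POP3 line before its terminator.
fn is_line_byte(b: u8) -> bool {
    b == b'\r' || (b.is_ascii() && !b.is_ascii_control())
}

/// Server -> client: the greeting must be "+OK" followed by a space or CRLF,
/// then printable text up to the end of the line.
pub fn probe_pop3_to_client(data: &[u8]) -> Probe {
    if data.len() < 3 {
        // Only a prefix of "+OK" so far is undecided; anything else is not POP3.
        return if b"+OK".starts_with(data) { Probe::Unknown } else { Probe::NoMatch };
    }
    if !data.starts_with(b"+OK") {
        return Probe::NoMatch;
    }
    match data.get(3) {
        None => return Probe::Unknown,
        Some(b' ') | Some(b'\r') | Some(b'\n') => {}
        Some(_) => return Probe::NoMatch,
    }
    match data.iter().position(|&b| b == b'\n') {
        Some(eol) if data[..eol].iter().all(|&b| is_line_byte(b)) => Probe::Match,
        Some(_) => Probe::NoMatch,
        // No line terminator yet: keep waiting unless the line is already
        // longer than a POP3 response may be (512 octets including CRLF).
        None if data.len() <= 512 && data.iter().all(|&b| is_line_byte(b)) => Probe::Unknown,
        None => Probe::NoMatch,
    }
}

/// Client -> server: the first command word must be one a client may open
/// with, compared case-insensitively, followed by a space or CRLF.
pub fn probe_pop3_to_server(data: &[u8]) -> Probe {
    let word: Vec<u8> = data.iter().take(4).map(u8::to_ascii_uppercase).collect();
    if word.len() < 4 {
        let could_match = POP3_FIRST_COMMANDS.iter().any(|&c| c.starts_with(&word));
        return if could_match { Probe::Unknown } else { Probe::NoMatch };
    }
    if !POP3_FIRST_COMMANDS.iter().any(|&c| c == &word[..]) {
        return Probe::NoMatch;
    }
    match data.get(4) {
        None => Probe::Unknown,
        Some(b' ') | Some(b'\r') | Some(b'\n') => Probe::Match,
        Some(_) => Probe::NoMatch,
    }
}

/// Stand-in for the failure mode the PR description points at: a probe that
/// claims any non-empty payload. A caricature for illustration only, not the
/// pgsql parser's actual logic.
pub fn probe_accepts_anything(data: &[u8]) -> Probe {
    if data.is_empty() { Probe::Unknown } else { Probe::Match }
}

/// Constructed IRC server greeting: the kind of traffic that an
/// accept-anything probe on an unrelated port would misclassify.
pub const IRC_GREETING: &[u8] = b":irc.example.net NOTICE AUTH :*** Looking up your hostname...\r\n";

fn main() {
    let pop3_banner: &[u8] = b"+OK POP3 server ready\r\n";
    println!("{:?}", probe_pop3_to_client(pop3_banner));      // Match
    println!("{:?}", probe_pop3_to_client(IRC_GREETING));     // NoMatch
    println!("{:?}", probe_accepts_anything(IRC_GREETING));   // Match (misclassified)
    println!("{:?}", probe_pop3_to_server(b"user mrose\r\n")); // Match
    println!("{:?}", probe_pop3_to_server(b"NICK mrose\r\n")); // NoMatch
    println!("{:?}", probe_pop3_to_server(b"CAP"));            // Unknown
}
```

The point of the three-way result is the `Unknown` arm: a probe that has to return a verdict on a short first segment is pushed toward guessing, and a guess of `Match` on anything is exactly how foreign traffic on a port inflates a protocol's flow counters in the QA baseline.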

@codecov

codecov bot commented Nov 23, 2023

Codecov Report

Merging #9874 (49de8f8) into master (41c0526) will decrease coverage by 0.02%.
The diff coverage is 71.42%.

@@            Coverage Diff             @@
##           master    #9874      +/-   ##
==========================================
- Coverage   82.45%   82.44%   -0.02%     
==========================================
  Files         973      973              
  Lines      273063   273073      +10     
==========================================
- Hits       225155   225130      -25     
- Misses      47908    47943      +35     
Flag             Coverage  Δ
fuzzcorpus       64.37%    <71.42%> (+0.01%) ⬆️
suricata-verify  61.06%    <71.42%> (-0.03%) ⬇️
unittests        62.91%    <50.00%> (-0.01%) ⬇️


@suricata-qa

WARNING:

ERROR: QA failed on IPS_AFP_drop_chk.

field                              baseline     test   %
SURI_TLPW1_stats_chk
.app_layer.flow.ftp                      52       43   82.69%
.app_layer.tx.ftp                       819      188   22.95%
.app_layer.error.ftp.gap                  2        0   -
.app_layer.error.ftp.parser               2        0   -
.ftp.memuse                             348        3   0.86%
SURI_TLPR1_stats_chk
.ftp.memuse                           11408    10660   93.44%
IPS_AFP_stats_chk
.ips.blocked                        1395360   747360   53.56%
.ips.drop_reason.flow_drop          1296000   680400   52.5%
.ips.drop_reason.applayer_error       32400        0   -
.flow.end.state.established          583199   550799   94.44%
.flow.end.tcp_state.established      201960   169560   83.96%
.app_layer.flow.ftp                   33480     1080   3.23%
.app_layer.tx.ftp                    131760     2160   1.64%
.app_layer.error.ftp.parser           32400        0   -
TREX_GENERIC_stats_chk
.app_layer.flow.ftp                   14871        0   -
.app_layer.tx.ftp                     59484        0   -
.app_layer.error.ftp.parser           14871        0   -

Pipeline 16705

@catenacyber (Contributor, Author)

Rebased in #10373
