Feature #1125
Closed
smtp: improve protocol detection
Added by Victor Julien about 12 years ago. Updated almost 2 years ago.
Description
Currently SMTP is only detected if the client starts the conversation with HELO, EHLO or QUIT.
The server stream is not used for protocol detection.
Updated by Victor Julien over 10 years ago #1
- Target version changed from 3.0RC2 to 70
Updated by Victor Julien almost 8 years ago #2
- Assignee changed from Tom DeCanio to OISF Dev
Updated by Victor Julien over 7 years ago #3
- Blocked by Feature #2572: extend protocol detection to specify flow direction added
Updated by Victor Julien over 7 years ago #4
- Priority changed from Normal to High
Updated by Victor Julien over 7 years ago #5
- Related to Task #2757: tracking: improve protocol detection added
Updated by Victor Julien about 7 years ago #6
- Priority changed from High to Normal
- Target version changed from 70 to 5.0beta1
Updated by Victor Julien about 7 years ago #7
- Priority changed from Normal to High
Updated by Victor Julien about 7 years ago #8
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Philippe Antoine
- Priority changed from High to Normal
Updated by Victor Julien about 7 years ago #9
- Target version changed from 5.0beta1 to 5.0rc1
Updated by Philippe Antoine almost 7 years ago #10
- Related to Bug #2978: IRC traffic parsed by FTP added
Updated by Victor Julien over 6 years ago #11
- Target version changed from 5.0rc1 to 6.0.0beta1
Updated by Philippe Antoine about 6 years ago #12
- Related to deleted (Task #2757: tracking: improve protocol detection)
Updated by Philippe Antoine about 6 years ago #13
- Blocked by Task #2757: tracking: improve protocol detection added
Updated by Philippe Antoine about 6 years ago #14
- Status changed from Assigned to Feedback
Waiting first for feedback on other related tickets
Updated by Philippe Antoine almost 6 years ago #15
Waiting for feedback on https://redmine.openinfosecfoundation.org/issues/2757 before upgrading
https://github.com/OISF/suricata/pull/3832
https://github.com/OISF/suricata-verify/pull/53
Updated by Victor Julien over 5 years ago #16
- Target version changed from 6.0.0beta1 to 7.0.0-beta1
Updated by Philippe Antoine almost 4 years ago #17
Both FTP and SMTP start with 220 from the server (followed by either a space or a hyphen).
For SMTP, it is then supposed to be a valid domain name.
But there is no restriction for FTP.
There can be (E)SMTP or FTP in the banner...
We can use the ports.
And we can maybe mark this detection as weak, so that client side detection overrides it...
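The approach outlined in comment #17, as an added example that is not part of the ticket and not Suricata's code: a server banner starting with `220` yields only a weak verdict from banner keywords or the server port, and a strong client-side verdict overrides it. All type and function names, the port numbers 21, 25 and 587, and the choice of HELO/EHLO as the only client commands checked are assumptions of this sketch; the domain-name check for SMTP is not implemented here.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

enum proto { PROTO_UNKNOWN, PROTO_SMTP, PROTO_FTP };
enum strength { DETECT_NONE, DETECT_WEAK, DETECT_STRONG };
struct verdict { enum proto proto; enum strength strength; };

/* Case-insensitive substring test; strcasestr is not portable. */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return 1;
    return 0;
}

/* Server side: "220" plus space or hyphen is shared by FTP and SMTP,
 * so any verdict taken from the banner alone is marked weak. */
struct verdict classify_banner(const char *line, unsigned short sport) {
    struct verdict v = { PROTO_UNKNOWN, DETECT_NONE };
    if (strncmp(line, "220", 3) != 0 || (line[3] != ' ' && line[3] != '-'))
        return v;
    v.strength = DETECT_WEAK;
    if (contains_ci(line + 4, "SMTP"))        /* also matches "ESMTP" */
        v.proto = PROTO_SMTP;
    else if (contains_ci(line + 4, "FTP"))
        v.proto = PROTO_FTP;
    else if (sport == 21)                     /* no keyword: fall back to port (assumed) */
        v.proto = PROTO_FTP;
    else if (sport == 25 || sport == 587)
        v.proto = PROTO_SMTP;
    else
        v.strength = DETECT_NONE;             /* "220" alone decides nothing */
    return v;
}

/* Client side: a first command of HELO or EHLO is a strong SMTP signal. */
struct verdict classify_client(const char *line) {
    struct verdict v = { PROTO_UNKNOWN, DETECT_NONE };
    if (strncasecmp(line, "HELO", 4) == 0 || strncasecmp(line, "EHLO", 4) == 0) {
        v.proto = PROTO_SMTP;
        v.strength = DETECT_STRONG;
    }
    return v;
}

/* A stronger client-side verdict overrides a weak server-side one. */
struct verdict resolve_verdict(struct verdict server, struct verdict client) {
    return client.strength > server.strength ? client : server;
}
```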
Updated by Philippe Antoine almost 4 years ago #18
- Status changed from Feedback to In Review
Updated by Philippe Antoine almost 4 years ago #19
- Blocked by deleted (Task #2757: tracking: improve protocol detection)
Updated by Philippe Antoine almost 4 years ago #20
- Related to Task #2757: tracking: improve protocol detection added
Updated by Philippe Antoine over 3 years ago #21
- Priority changed from Normal to Low
Updated by Victor Julien over 3 years ago #22
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Philippe Antoine over 3 years ago #23
- Blocked by Bug #5769: Incomplete values for .stats."app_layer".flow.proto added
Updated by Victor Julien about 3 years ago #24
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Updated by Philippe Antoine over 2 years ago #25
- Related to Bug #6283: FTP parsing yields in some cases smtp and http event types added
Updated by Philippe Antoine over 2 years ago #26
- Related to Feature #6366: pop3: protocol detection added
Updated by Philippe Antoine over 2 years ago #27
- Target version changed from 8.0.0-beta1 to TBD
Updated by Victor Julien over 2 years ago #28
- Related to Bug #6591: protodetect: ftp parsed as smtp added
Updated by Philippe Antoine almost 2 years ago #29
- Target version changed from TBD to 8.0.0-beta1
Updated by Philippe Antoine almost 2 years ago #30
- Status changed from In Review to Closed