Bug #2886

open

IMAP fail to register app layer protocol detection

Added by Allen Ma over 3 years ago. Updated almost 3 years ago.

Status: New
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty: low
Label: Beginner, Protocol

Description

I tried both reading an offline pcap file and capturing IMAP packets live, but both failed.
The same testing methods successfully test POP3, which I extended in my own version.

1. Reading an offline pcap file; I've attached the ones I tested.
sudo suricata -c ~/suricata/suricata.yaml -r ~/pcap/imap/imap_aliyun_outlook_short.pcapng -k none --init-errors-fatal

2. Capturing IMAP packets live.
sudo suricata -c ~/suricata/suricata.yaml -i eno16777736 --init-errors-fatal

/** IMAP */
AppLayerProtoDetectRegisterProtocol(ALPROTO_IMAP, "imap");
if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "imap")) {
    // Is AppLayerProtoDetectPMRegisterPatternCS OK as it's case-sensitive? Will it detect upper-cased CAPABILITY?
    if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP,
            "1|20|capability", 12, 0, STREAM_TOSERVER) < 0) {
        SCLogInfo("imap proto registration failure\n");
        exit(EXIT_FAILURE);
    }
} else {
    SCLogInfo("Protocol detection and parser disabled for %s protocol.",
              "imap");
}

Files

imap-ssl.pcapng (9.91 KB), Allen Ma, 03/18/2019 04:38 AM
imap.cap (30.7 KB), Allen Ma, 03/18/2019 04:38 AM
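
The code comment in the description asks whether a case-sensitive pattern will match an upper-cased CAPABILITY. The C program below is an added example, not part of the original report and not Suricata code: it models a 12-byte pattern at offset 0 with depth 12 against constructed client lines, and goes one step further with a tag-agnostic check, since IMAP command names are case-insensitive and the tag is chosen by the client. `pm_match` and `imap_is_capability` are hypothetical helper names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* "1|20|capability" from the issue is the 12 bytes "1 capability". */
static const char PATTERN[] = "1 capability";
#define DEPTH 12u /* depth argument from the issue; offset is 0 */

/* Hypothetical, simplified model of a depth-bounded pattern match (not
 * Suricata code): the whole pattern must lie inside the first DEPTH bytes. */
static int pm_match(const char *buf, size_t len, int nocase)
{
    size_t plen = sizeof(PATTERN) - 1;
    size_t window = len < DEPTH ? len : DEPTH;
    for (size_t start = 0; start + plen <= window; start++) {
        size_t i = 0;
        for (; i < plen; i++) {
            int a = (unsigned char)buf[start + i], b = (unsigned char)PATTERN[i];
            if (nocase ? tolower(a) != tolower(b) : a != b) break;
        }
        if (i == plen) return 1;
    }
    return 0;
}

/* Hypothetical tag-agnostic check: "<tag> SP CAPABILITY", any letter case. */
static int imap_is_capability(const char *buf, size_t len)
{
    const char *sp = memchr(buf, ' ', len);
    size_t rest = sp ? len - (size_t)(sp + 1 - buf) : 0;
    if (sp == NULL || sp == buf || rest < 10) return 0;
    for (size_t i = 0; i < 10; i++)
        if (toupper((unsigned char)sp[1 + i]) != "CAPABILITY"[i]) return 0;
    return rest == 10 || sp[11] == '\r' || sp[11] == '\n';
}

int main(void)
{
    /* Constructed client openers, not taken from the attached captures. */
    const char *s[] = { "1 capability\r\n", "1 CAPABILITY\r\n",
                        "a001 CAPABILITY\r\n", "2 NOOP\r\n" };
    for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++) {
        size_t n = strlen(s[i]);
        printf("cs=%d ci=%d tagfree=%d %.*s\n", pm_match(s[i], n, 0),
               pm_match(s[i], n, 1), imap_is_capability(s[i], n),
               (int)(n - 2), s[i]);
    }
    return 0;
}
```

Only the lower-case line with tag `1` passes the case-sensitive model; a case-insensitive match still misses any other tag.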