Bug #3728
closedftp file extraction failure
Description
test:suricata -c suricata.yaml -r ftp.pcap.
when I use single thread,this question will not appear,but if I use workers runmodes and use multiple threads,it is easy to appear.
I see that code what is processing this,find that ftp_data app-layer is detected by ftp app-layer "AppLayerExpectationCreate" function。if ftp app-layer don't come at here,ftp_data is processed by another thread will not detected.because this function "AppLayerExpectationHandle" can't get ftp_data app-layer protocol.So,another thread can't correctly parse ftp_data packets.
Files
XL Updated by xinfeng lee almost 6 years ago
xinfeng lee wrote:
test:suricata -c suricata.yaml -r ftp.pcap.
when I use single thread,this question will not appear,but if I use pcap runmodes autofp or use multiple threads,it is easy to appear.
I see that code what is processing this,find that ftp_data app-layer is detected by ftp app-layer "AppLayerExpectationCreate" function。if ftp app-layer don't come at here,ftp_data is processed by another thread will not detected.because this function "AppLayerExpectationHandle" can't get ftp_data app-layer protocol.So,another thread can't correctly parse ftp_data packets.
VJ Updated by Victor Julien over 5 years ago
- Status changed from New to Feedback
- Target version changed from 70 to TBD
An Suricata-Verify test case to show the issue would be great.
YZ Updated by yida zhang about 5 years ago
- File ftp-store-txt.pcapng ftp-store-txt.pcapng added
Yes, here is a sample.
We are solving this problem. A plan has been realized, and the test results are good so far.
VJ Updated by Victor Julien almost 4 years ago
- Related to Bug #5205: FTP-data unrecognized depending on multi-threading added
VJ Updated by Victor Julien almost 4 years ago
- Related to Bug #4539: ftp-data protocol not detected in autofp runmode added
PA Updated by Philippe Antoine over 3 years ago
- Status changed from Feedback to Closed
Tracked in #5205