Project

General

Profile

Actions
Copy link

Feature #4876

open

Additional FTP Buffers

Added by Brandon Murphy over 3 years ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
8.0.0-rc1
Effort:
Difficulty:
Label:

Description

We continue to see popular commodity and APT based malware using FTP as an exfil protocol (https://attack.mitre.org/techniques/T1048/003/). There are currently very few FTP buffers and even signatures as simple as looking for specific usernames require unbuffered content matches, often times increasing the complexity of the rule and making it more prone to FN/FP.

I'd be open to provide feedback on buffers required, though I think a general purpose client -> server buffers of ftp.command, ftp.command_data and server -> client of ftp.completion_code and ftp.reply which match the current logging would be a good improvement.

As a side note - The current ftp-data example contained here https://suricata.readthedocs.io/en/latest/rules/ftp-keywords.html is a bit confusing as it makes use of the `filename:"password"` however, as I understand it, that option can be used in non filestore signatures.

Related issues 4 (4 open0 closed)

Related to Suricata - Feature #4906: ftp: add stream app-layer frame support AssignedOISF DevActions
Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Related to Suricata - Task #4772: tracking: parity between fields logged and fields available for detectionAssignedVictor JulienActions
Blocked by Suricata - Task #4082: ftp: convert parser to RustIn ProgressJeff LucovskyActions
Actions
Copy link
 #1

Updated by Victor Julien about 3 years ago

  • Related to Feature #4906: ftp: add stream app-layer frame support added
Actions
Copy link
 #2

Updated by Victor Julien about 3 years ago

  • Target version set to 7.0.0-beta1

This should come automatically when #4876 is done.

Actions
Copy link
 #3

Updated by Victor Julien over 2 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions
Copy link
 #4

Updated by Victor Julien over 2 years ago

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions
Copy link
 #5

Updated by Philippe Antoine almost 2 years ago

  • Assignee set to OISF Dev

This should come automatically when #4876 is done.

Did you mean another ticket than self referencing this one ?

Actions
Copy link
 #6

Updated by Philippe Antoine almost 2 years ago

You meant #4906 right ?

Actions
Copy link
 #7

Updated by Jason Ish over 1 year ago

  • Related to Task #6443: Suricon 2023 brainstorm added
Actions
Copy link
 #8

Updated by Juliana Fajardini Reichow over 1 year ago

  • Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Actions
Copy link
 #9

Updated by Victor Julien 11 months ago

  • Blocked by Task #4082: ftp: convert parser to Rust added
Actions
Copy link
 #10

Updated by Philippe Antoine 2 months ago

  • Assignee changed from OISF Dev to Jeff Lucovsky

Jeff, looks like you own related tickets

Actions
Copy link
 #11

Updated by Shivani Bhardwaj about 1 month ago

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Actions
Copy link

Also available in: Atom PDF