Bug #6283: FTP parsing yields in some cases smtp and http event types - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6283

open

FTP parsing yields in some cases smtp and http event types

Added by Peter Manev 8 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

git master

Effort:

Difficulty:

Label:

Description

Pcap attached.
I stumbled upon this issue when investigating and looking for a specific malware/behavior.

Pcap provided is from https://tria.ge/230822-2ltlvahc41/behavioral1

sudo /opt/suritest-profiling/bin/suricata  -S "rules/*.rules"  -l logs/  -k none -r TLPW1-ca1fb1ad30189110cc225620dc537368.pcap ;  jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; 
Info: conf-yaml-loader: Configuration node 'DC_SERVERS' redefined. [ConfYamlParse:conf-yaml-loader.c:329]
Notice: suricata: This is Suricata version 7.0.1-dev (becb8cefc 2023-08-11) running in USER mode [LogVersion:suricata.c:1148]
Warning: app-layer-htp: Flash decompression is deprecated and will be removed in Suricata 8; see ticket #6179 [HTPConfigParseParameters:app-layer-htp.c:2908]
Notice: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1890]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2815]
Notice: pcap: read 1 file, 487089 packets, 31866396 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:388]
 124044 flow
  85600 ftp
  21058 anomaly
    528 dns
     46 smtp
     26 http
      9 alert
      2 tls
      2 ssh
      1 stats

There is no SMTP traffic in the pcap (Wireshark also shows no SMTP) , but we have smtp events generated like the below.

{
  "timestamp": "2023-08-23T00:42:58.885319+0200",
  "flow_id": 604785307838067,
  "event_type": "smtp",
  "src_ip": "10.127.0.202",
  "src_port": 50529,
  "dest_ip": "195.8.223.244",
  "dest_port": 21,
  "proto": "TCP",
  "pkt_src": "stream (flow timeout)",
  "tx_id": 0,
  "smtp": {}
}

There are also some HTTP events generated like so:

{
  "timestamp": "2023-08-23T00:42:58.885319+0200",
  "flow_id": 1569159803425295,
  "event_type": "http",
  "src_ip": "10.127.0.202",
  "src_port": 54224,
  "dest_ip": "115.127.132.45",
  "dest_port": 21,
  "proto": "TCP",
  "pkt_src": "stream (flow timeout)",
  "tx_id": 0,
  "http": {
    "url": "/",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "length": 0
  }
}

Also we have lots of anomaly generated events, just for info.

jq 'select(.event_type=="anomaly")' logs/eve.json | jq .anomaly.event | sort -rn | uniq -c | sort -rn 
  20959 "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION" 
     52 "MISSING_HOST_HEADER" 
     44 "NO_SERVER_WELCOME_MESSAGE" 
      3 "INVALID_REPLY"

Files

TLPW1-ca1fb1ad30189110cc225620dc537368.tar.xz (7.26 MB) TLPW1-ca1fb1ad30189110cc225620dc537368.tar.xz

Peter Manev, 08/29/2023 07:39 AM

Related issues 1 (1 open — 0 closed)