Bug #6283
closedFTP parsing yields in some cases smtp and http event types
Description
Pcap attached.
I stumbled upon this issue when investigating and looking for a specific malware/behavior.
Pcap provided is from https://tria.ge/230822-2ltlvahc41/behavioral1
sudo /opt/suritest-profiling/bin/suricata -S "rules/*.rules" -l logs/ -k none -r TLPW1-ca1fb1ad30189110cc225620dc537368.pcap ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; Info: conf-yaml-loader: Configuration node 'DC_SERVERS' redefined. [ConfYamlParse:conf-yaml-loader.c:329] Notice: suricata: This is Suricata version 7.0.1-dev (becb8cefc 2023-08-11) running in USER mode [LogVersion:suricata.c:1148] Warning: app-layer-htp: Flash decompression is deprecated and will be removed in Suricata 8; see ticket #6179 [HTPConfigParseParameters:app-layer-htp.c:2908] Notice: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1 Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1890] Notice: suricata: Signal Received. Stopping engine. [SuricataMainLoop:suricata.c:2815] Notice: pcap: read 1 file, 487089 packets, 31866396 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:388] 124044 flow 85600 ftp 21058 anomaly 528 dns 46 smtp 26 http 9 alert 2 tls 2 ssh 1 stats
There is no SMTP traffic in the pcap (Wireshark also shows no SMTP) , but we have smtp events generated like the below.
{ "timestamp": "2023-08-23T00:42:58.885319+0200", "flow_id": 604785307838067, "event_type": "smtp", "src_ip": "10.127.0.202", "src_port": 50529, "dest_ip": "195.8.223.244", "dest_port": 21, "proto": "TCP", "pkt_src": "stream (flow timeout)", "tx_id": 0, "smtp": {} }
There are also some HTTP events generated like so:
{ "timestamp": "2023-08-23T00:42:58.885319+0200", "flow_id": 1569159803425295, "event_type": "http", "src_ip": "10.127.0.202", "src_port": 54224, "dest_ip": "115.127.132.45", "dest_port": 21, "proto": "TCP", "pkt_src": "stream (flow timeout)", "tx_id": 0, "http": { "url": "/", "http_method": "GET", "protocol": "HTTP/1.1", "length": 0 } }
Also we have lots of anomaly generated events, just for info.
jq 'select(.event_type=="anomaly")' logs/eve.json | jq .anomaly.event | sort -rn | uniq -c | sort -rn 20959 "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION" 52 "MISSING_HOST_HEADER" 44 "NO_SERVER_WELCOME_MESSAGE" 3 "INVALID_REPLY"
Files
Updated by Philippe Antoine over 1 year ago
- Related to Feature #1125: smtp: improve protocol detection added
Updated by Philippe Antoine 7 months ago
- Status changed from New to Rejected
Thanks Peter, closing as there is nothing new in this ticket :
Also we have lots of anomaly generated events, just for info.
https://github.com/OISF/suricata/pull/11125 improves on this for the APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
ones
There is no SMTP traffic in the pcap (Wireshark also shows no SMTP) , but we have smtp events generated like the below.
This seems a duplicate of #6591 (QUIT pattern)
There are also some HTTP events generated like so:
This is the expected behavior for Wireshark filter tcp.stream eq 1105
TCP stream is client only GET / HTTP/1.1
no answer from server, so this gets classified as HTTP
Updated by Philippe Antoine 7 months ago
- Related to Bug #6591: protodetect: ftp parsed as smtp added