Project

General

Profile

Actions

Bug #6283

closed

FTP parsing yields in some cases smtp and http event types

Added by Peter Manev over 1 year ago. Updated 7 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Pcap attached.
I stumbled upon this issue when investigating and looking for a specific malware/behavior.

Pcap provided is from https://tria.ge/230822-2ltlvahc41/behavioral1

sudo /opt/suritest-profiling/bin/suricata  -S "rules/*.rules"  -l logs/  -k none -r TLPW1-ca1fb1ad30189110cc225620dc537368.pcap ;  jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; 
Info: conf-yaml-loader: Configuration node 'DC_SERVERS' redefined. [ConfYamlParse:conf-yaml-loader.c:329]
Notice: suricata: This is Suricata version 7.0.1-dev (becb8cefc 2023-08-11) running in USER mode [LogVersion:suricata.c:1148]
Warning: app-layer-htp: Flash decompression is deprecated and will be removed in Suricata 8; see ticket #6179 [HTPConfigParseParameters:app-layer-htp.c:2908]
Notice: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1890]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2815]
Notice: pcap: read 1 file, 487089 packets, 31866396 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:388]
 124044 flow
  85600 ftp
  21058 anomaly
    528 dns
     46 smtp
     26 http
      9 alert
      2 tls
      2 ssh
      1 stats

There is no SMTP traffic in the pcap (Wireshark also shows no SMTP) , but we have smtp events generated like the below.

{
  "timestamp": "2023-08-23T00:42:58.885319+0200",
  "flow_id": 604785307838067,
  "event_type": "smtp",
  "src_ip": "10.127.0.202",
  "src_port": 50529,
  "dest_ip": "195.8.223.244",
  "dest_port": 21,
  "proto": "TCP",
  "pkt_src": "stream (flow timeout)",
  "tx_id": 0,
  "smtp": {}
}

There are also some HTTP events generated like so:

{
  "timestamp": "2023-08-23T00:42:58.885319+0200",
  "flow_id": 1569159803425295,
  "event_type": "http",
  "src_ip": "10.127.0.202",
  "src_port": 54224,
  "dest_ip": "115.127.132.45",
  "dest_port": 21,
  "proto": "TCP",
  "pkt_src": "stream (flow timeout)",
  "tx_id": 0,
  "http": {
    "url": "/",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "length": 0
  }
}

Also we have lots of anomaly generated events, just for info.

jq 'select(.event_type=="anomaly")' logs/eve.json | jq .anomaly.event | sort -rn | uniq -c | sort -rn 
  20959 "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION" 
     52 "MISSING_HOST_HEADER" 
     44 "NO_SERVER_WELCOME_MESSAGE" 
      3 "INVALID_REPLY" 


Files


Related issues 2 (1 open1 closed)

Related to Suricata - Feature #1125: smtp: improve protocol detectionClosedPhilippe AntoineActions
Related to Suricata - Bug #6591: protodetect: ftp parsed as smtpNewOISF DevActions
Actions #1

Updated by Philippe Antoine over 1 year ago

  • Related to Feature #1125: smtp: improve protocol detection added
Actions #2

Updated by Philippe Antoine 7 months ago

  • Status changed from New to Rejected

Thanks Peter, closing as there is nothing new in this ticket :

Also we have lots of anomaly generated events, just for info.

https://github.com/OISF/suricata/pull/11125 improves on this for the APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION ones

There is no SMTP traffic in the pcap (Wireshark also shows no SMTP) , but we have smtp events generated like the below.

This seems a duplicate of #6591 (QUIT pattern)

There are also some HTTP events generated like so:

This is the expected behavior for Wireshark filter tcp.stream eq 1105
TCP stream is client only GET / HTTP/1.1 no answer from server, so this gets classified as HTTP

Actions #3

Updated by Philippe Antoine 7 months ago

  • Related to Bug #6591: protodetect: ftp parsed as smtp added
Actions

Also available in: Atom PDF