Bug #6591 (open)
protodetect: ftp parsed as smtp
Description
Single stream pcap attached (thanks to AnyRun) to reproduce.
In this case the traffic is part of FTP brute force traffic, but it ends up being logged as smtp.
The ftp traffic produces smtp and anomaly logs. Wireshark recognizes it as FTP.
Same behavior in git, 6.0.15 and 7.0.2
suricata --build-info
This is Suricata version 8.0.0-dev (9c3ab36af 2023-11-27)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 12.3.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.45, linked against LibHTP v0.5.45

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  GeoIP2 support:                          yes
  Non-bundled htp:                         no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  Landlock support:                        yes

  Rust support:                            yes
  Rust strict mode:                        yes
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.64.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.65.0

  Python support:                          yes
  Python path:                             /home/user/.pyenv/shims/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Development settings:
  Coccinelle / spatch:                     yes
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Fuzz targets enabled:                    no

Generic build parameters:
  Installation prefix:                     /opt/suritest-profiling
  Configuration directory:                 /opt/suritest-profiling/etc/suricata/
  Log directory:                           /opt/suritest-profiling/var/log/suricata/

  --prefix                                 /opt/suritest-profiling
  --sysconfdir                             /opt/suritest-profiling/etc
  --localstatedir                          /opt/suritest-profiling/var
  --datarootdir                            /opt/suritest-profiling/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                              -I/usr/include
  SECCFLAGS

Run with the git build:

sudo rm logs/* -rf ; sudo suricata -S /dev/null -l logs/ -k none -r TLPW-FTP-single-stream-case.pcap ; echo "Suricata event types:" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; echo "Alerts:" ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ;

Notice: suricata: This is Suricata version 8.0.0-dev (9c3ab36af 2023-11-27) running in USER mode [LogVersion:suricata.c:1146]
Warning: app-layer-htp: Flash decompression is deprecated and will be removed in Suricata 8; see ticket #6179 [HTPConfigParseParameters:app-layer-htp.c:2908]
Notice: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1 Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1891]
Notice: suricata: Signal Received. Stopping engine. [SuricataMainLoop:suricata.c:2805]
Notice: pcap: read 1 file, 7 packets, 420 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:387]
Suricata event types:
      1 stats
      1 smtp
      1 flow
      1 anomaly

grep '"event_type":"anomaly"' logs/eve.json | jq .

{
  "timestamp": "2023-08-23T01:03:05.242369+0200",
  "flow_id": 478018362181493,
  "event_type": "anomaly",
  "src_ip": "10.127.0.202",
  "src_port": 58121,
  "dest_ip": "41.225.70.195",
  "dest_port": 21,
  "proto": "TCP",
  "pkt_src": "stream (flow timeout)",
  "tx_id": 0,
  "anomaly": {
    "app_proto": "smtp",
    "type": "applayer",
    "event": "NO_SERVER_WELCOME_MESSAGE",
    "layer": "proto_parser"
  }
}

Run with 6.0.15:

sudo rm logs/* -rf ; sudo /opt/suritest6015/bin/suricata -S /dev/null -l logs/ -k none -r TLPW-FTP-single-stream-case.pcap ; echo "Suricata event types:" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; echo "Alerts:" ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ;

1/12/2023 -- 12:56:17 - <Notice> - This is Suricata version 6.0.15 RELEASE running in USER mode
1/12/2023 -- 12:56:17 - <Notice> - all 9 packet processing threads, 4 management threads initialized, engine started.
1/12/2023 -- 12:56:17 - <Notice> - Signal Received. Stopping engine.
1/12/2023 -- 12:56:17 - <Notice> - Pcap-file module read 1 files, 7 packets, 420 bytes
Suricata event types:
      1 stats
      1 smtp
      1 flow
      1 anomaly

Run with 7.0.2:

sudo rm logs/* -rf ; sudo /opt/suritest702/bin/suricata -S /dev/null -l logs/ -k none -r TLPW-FTP-single-stream-case.pcap ; echo "Suricata event types:" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; echo "Alerts:" ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ;

i: suricata: This is Suricata version 7.0.2 RELEASE running in USER mode
i: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1 Engine started.
i: suricata: Signal Received. Stopping engine.
i: pcap: read 1 file, 7 packets, 420 bytes
Suricata event types:
      1 stats
      1 smtp
      1 flow
      1 anomaly
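The reproduction above shows the symptom as it appears in eve.json: a flow to destination port 21 logged with app_proto "smtp" plus a NO_SERVER_WELCOME_MESSAGE anomaly. A defender who wants to find out whether other flows in their own logs are affected can look for exactly that disagreement between the destination port's well-known service and the protocol Suricata attributed to the flow. The script below is an added example, not part of this ticket or of Suricata; the anomaly record is the one quoted in the report, the accompanying "smtp", "flow" and port-25 records are constructed to mirror the event-type counts the reporter saw, and the port-to-protocol table is an assumption limited to the two protocols this ticket is about.

```python
import json
import sys
from typing import Dict, Iterable, List, Optional

# Assumption: well-known service ports and the app-layer protocol Suricata is
# expected to report for them. Deliberately limited to the protocols in this ticket.
EXPECTED_APP_PROTO_BY_PORT: Dict[int, str] = {21: "ftp", 25: "smtp", 587: "smtp"}

# Eve record types that are named after the app-layer protocol they describe.
APP_LAYER_EVENT_TYPES = {"ftp", "smtp", "http", "tls", "dns", "ssh"}

# Constructed eve.json lines. The anomaly record is the one quoted in the ticket;
# the other three are made up for this example.
SAMPLE_EVE_LINES: List[str] = [
    json.dumps({"timestamp": "2023-08-23T01:03:05.242369+0200", "flow_id": 478018362181493,
                "event_type": "anomaly", "src_ip": "10.127.0.202", "src_port": 58121,
                "dest_ip": "41.225.70.195", "dest_port": 21, "proto": "TCP",
                "pkt_src": "stream (flow timeout)", "tx_id": 0,
                "anomaly": {"app_proto": "smtp", "type": "applayer",
                            "event": "NO_SERVER_WELCOME_MESSAGE", "layer": "proto_parser"}}),
    json.dumps({"timestamp": "2023-08-23T01:03:05.242369+0200", "flow_id": 478018362181493,
                "event_type": "smtp", "src_ip": "10.127.0.202", "src_port": 58121,
                "dest_ip": "41.225.70.195", "dest_port": 21, "proto": "TCP", "smtp": {}}),
    json.dumps({"timestamp": "2023-08-23T01:03:05.242369+0200", "flow_id": 478018362181493,
                "event_type": "flow", "src_ip": "10.127.0.202", "src_port": 58121,
                "dest_ip": "41.225.70.195", "dest_port": 21, "proto": "TCP", "app_proto": "smtp"}),
    # A genuine SMTP flow on port 25: port and detected protocol agree, so no finding.
    json.dumps({"timestamp": "2023-08-23T01:04:00.000000+0200", "flow_id": 1,
                "event_type": "flow", "src_ip": "10.127.0.202", "src_port": 58200,
                "dest_ip": "192.0.2.10", "dest_port": 25, "proto": "TCP", "app_proto": "smtp"}),
]


def app_proto_of(event: dict) -> Optional[str]:
    """Return the app-layer protocol an eve record attributes to its flow, if any."""
    if event.get("event_type") == "anomaly":
        return event.get("anomaly", {}).get("app_proto")
    if "app_proto" in event:  # flow and alert records carry it at the top level
        return event["app_proto"]
    if event.get("event_type") in APP_LAYER_EVENT_TYPES:
        return event["event_type"]
    return None


def find_protocol_mismatches(lines: Iterable[str]) -> List[dict]:
    """Group, per flow, every record whose detected protocol disagrees with the
    well-known service on the destination port, and collect app-layer anomalies."""
    findings: Dict[tuple, dict] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        detected = app_proto_of(event)
        port = event.get("dest_port")
        expected = EXPECTED_APP_PROTO_BY_PORT.get(port)
        if detected is None or expected is None or detected == expected:
            continue
        key = (event.get("flow_id"), port)
        entry = findings.setdefault(key, {
            "flow_id": event.get("flow_id"), "dest_ip": event.get("dest_ip"),
            "dest_port": port, "detected": detected, "expected": expected,
            "event_types": [], "anomalies": []})
        entry["event_types"].append(event["event_type"])
        if event["event_type"] == "anomaly":
            entry["anomalies"].append(event["anomaly"].get("event"))
    return list(findings.values())


if __name__ == "__main__":
    # Usage: python triage.py [eve.json]; without a path the constructed sample is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE_LINES
    for finding in find_protocol_mismatches(source):
        print(json.dumps(finding))
```

Run against a real eve.json this prints one JSON line per affected flow, so the output can be piped straight back into jq. Matching on dest_port only is intentional: Suricata's own port-based detection is one of the inputs to the decision being questioned in this ticket, so the script reports the disagreement and leaves the judgement to the analyst.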
Updated by Victor Julien 12 months ago
- Subject changed from ftp parsed as smtp to protodetect: ftp parsed as smtp
Updated by Victor Julien 12 months ago
- Related to Feature #1125: smtp: improve protocol detection added
Updated by Victor Julien 12 months ago
- Related to Task #2757: improve protocol detection added
Updated by Philippe Antoine 6 months ago
Quick analysis:
QUIT is registered as an SMTP pattern.
Maybe it should be converted to pattern + probing to check for the port not being FTP,
and have FTP have some pattern + probing as well.
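The comment above contrasts two detection strategies: a bare pattern, where a registered keyword such as QUIT claims the flow on its own, and pattern + probing, where the pattern only nominates a candidate that a probing parser then has to confirm against the port and the rest of the stream. The model below is an added example written for this ticket; it is not Suricata's app-layer-detect-proto code and does not reproduce the real SMTP or FTP parsers, pattern depths or offsets. The QUIT pattern is the one named in the comment; the other patterns, the verb tables and the client streams are constructed assumptions, and the streams are not the contents of the attached pcap. With the FTP client stream ending in QUIT, pattern-only detection yields "smtp" while pattern + probing yields "ftp".

```python
from typing import List, Optional, Tuple

FTP_PORT = 21
SMTP_PORTS = {25, 587}

# Pattern-only detection: the first registered keyword found at the start of a
# client line claims the flow. QUIT as an SMTP pattern is the case from the
# comment; EHLO/HELO are assumed additional SMTP patterns for this model.
PATTERNS: List[Tuple[bytes, str]] = [(b"EHLO ", "smtp"), (b"HELO ", "smtp"), (b"QUIT", "smtp")]

# Assumed command vocabularies used by the probing parsers. QUIT is in both,
# which is exactly why it is ambiguous on its own.
FTP_VERBS = {b"USER", b"PASS", b"CWD", b"PWD", b"TYPE", b"PASV", b"PORT", b"RETR",
             b"STOR", b"LIST", b"QUIT"}
SMTP_VERBS = {b"EHLO", b"HELO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}

# Constructed client-to-server streams (not the pcap from the ticket).
FTP_STREAM = b"USER anonymous\r\nPASS guest@example.test\r\nQUIT\r\n"
SMTP_STREAM = b"EHLO mail.example.test\r\nMAIL FROM:<a@example.test>\r\nQUIT\r\n"


def commands(to_server: bytes) -> List[bytes]:
    """Upper-cased first token of every complete CRLF-terminated client line."""
    return [line.split(b" ", 1)[0].upper() for line in to_server.split(b"\r\n") if line]


def pattern_matches(keyword: bytes, to_server: bytes) -> bool:
    """A pattern hits when any client line starts with the keyword."""
    return any(line.startswith(keyword) for line in to_server.split(b"\r\n"))


def detect_pattern_only(to_server: bytes) -> Optional[str]:
    """Strategy 1: the registered pattern alone decides."""
    for keyword, proto in PATTERNS:
        if pattern_matches(keyword, to_server):
            return proto
    return None


def probe_smtp(to_server: bytes, dest_port: int) -> bool:
    """Confirm an SMTP candidate: not the FTP port, every command an SMTP verb,
    and either an SMTP port or at least one verb more specific than QUIT."""
    if dest_port == FTP_PORT:
        return False
    cmds = commands(to_server)
    if not cmds or not all(c in SMTP_VERBS for c in cmds):
        return False
    return dest_port in SMTP_PORTS or any(c != b"QUIT" for c in cmds)


def probe_ftp(to_server: bytes, dest_port: int) -> bool:
    """Confirm FTP: every command an FTP verb, and either the FTP port or a verb
    that SMTP does not share."""
    cmds = commands(to_server)
    if not cmds or not all(c in FTP_VERBS for c in cmds):
        return False
    return dest_port == FTP_PORT or any(c in (FTP_VERBS - SMTP_VERBS) for c in cmds)


def detect_pattern_and_probe(to_server: bytes, dest_port: int) -> Optional[str]:
    """Strategy 2: a pattern only nominates a candidate; a probe must confirm it,
    and FTP gets its own probe instead of losing to the shared QUIT keyword."""
    for keyword, proto in PATTERNS:
        if pattern_matches(keyword, to_server) and proto == "smtp" and probe_smtp(to_server, dest_port):
            return "smtp"
    if probe_ftp(to_server, dest_port):
        return "ftp"
    return None


if __name__ == "__main__":
    for name, stream, port in (("ftp brute force", FTP_STREAM, 21), ("smtp", SMTP_STREAM, 25)):
        print(name, "pattern-only:", detect_pattern_only(stream),
              "pattern+probe:", detect_pattern_and_probe(stream, port))
```

The probe deliberately stays conservative: a lone QUIT on a port that belongs to neither protocol is left undetected rather than guessed, which is the behaviour an analyst would rather see than a wrong smtp record and a NO_SERVER_WELCOME_MESSAGE anomaly.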
Updated by Philippe Antoine 6 months ago
- Related to Bug #6283: FTP parsing yields in some cases smtp and http event types added