Project

General

Profile

Actions

Bug #6591

open

protodetect: ftp parsed as smtp

Added by Peter Manev 11 months ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Single stream pcap attached (thanks to AnyRun) to reproduce.
In this case the traffic is part of FTP brute force traffic, but it ends up being logged as smtp.
The ftp traffic produces smtp and anomaly logs. Wireshark recognizes it as FTP.
Same behavior in git, 6.0.15 and 7.0.2

suricata --build-info
This is Suricata version 8.0.0-dev (9c3ab36af 2023-11-27)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 12.3.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.45, linked against LibHTP v0.5.45

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  GeoIP2 support:                          yes
  Non-bundled htp:                         no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  Landlock support:                        yes

  Rust support:                            yes
  Rust strict mode:                        yes
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.64.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.65.0

  Python support:                          yes
  Python path:                             /home/user/.pyenv/shims/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Development settings:
  Coccinelle / spatch:                     yes
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Fuzz targets enabled:                    no

Generic build parameters:
  Installation prefix:                     /opt/suritest-profiling
  Configuration directory:                 /opt/suritest-profiling/etc/suricata/
  Log directory:                           /opt/suritest-profiling/var/log/suricata/

  --prefix                                 /opt/suritest-profiling
  --sysconfdir                             /opt/suritest-profiling/etc
  --localstatedir                          /opt/suritest-profiling/var
  --datarootdir                            /opt/suritest-profiling/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                

sudo rm logs/* -rf ; sudo suricata  -S /dev/null  -l logs/ -k none -r TLPW-FTP-single-stream-case.pcap ;  echo "Suricata event types:" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; echo "Alerts:" ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ;

Notice: suricata: This is Suricata version 8.0.0-dev (9c3ab36af 2023-11-27) running in USER mode [LogVersion:suricata.c:1146]
Warning: app-layer-htp: Flash decompression is deprecated and will be removed in Suricata 8; see ticket #6179 [HTPConfigParseParameters:app-layer-htp.c:2908]
Notice: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1891]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2805]
Notice: pcap: read 1 file, 7 packets, 420 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:387]
Suricata event types:
      1 stats
      1 smtp
      1 flow
      1 anomaly

grep '"event_type":"anomaly"' logs/eve.json | jq . 
{
  "timestamp": "2023-08-23T01:03:05.242369+0200",
  "flow_id": 478018362181493,
  "event_type": "anomaly",
  "src_ip": "10.127.0.202",
  "src_port": 58121,
  "dest_ip": "41.225.70.195",
  "dest_port": 21,
  "proto": "TCP",
  "pkt_src": "stream (flow timeout)",
  "tx_id": 0,
  "anomaly": {
    "app_proto": "smtp",
    "type": "applayer",
    "event": "NO_SERVER_WELCOME_MESSAGE",
    "layer": "proto_parser" 
  }
}

sudo rm logs/* -rf ; sudo /opt/suritest6015/bin/suricata  -S /dev/null  -l logs/ -k none -r TLPW-FTP-single-stream-case.pcap ;  echo "Suricata event types:" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; echo "Alerts:" ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ;

1/12/2023 -- 12:56:17 - <Notice> - This is Suricata version 6.0.15 RELEASE running in USER mode
1/12/2023 -- 12:56:17 - <Notice> - all 9 packet processing threads, 4 management threads initialized, engine started.
1/12/2023 -- 12:56:17 - <Notice> - Signal Received.  Stopping engine.
1/12/2023 -- 12:56:17 - <Notice> - Pcap-file module read 1 files, 7 packets, 420 bytes
Suricata event types:
      1 stats
      1 smtp
      1 flow
      1 anomaly

sudo rm logs/* -rf ; sudo /opt/suritest702/bin/suricata  -S /dev/null  -l logs/ -k none -r TLPW-FTP-single-stream-case.pcap ;  echo "Suricata event types:" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; echo "Alerts:" ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ;
i: suricata: This is Suricata version 7.0.2 RELEASE running in USER mode
i: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1   Engine started.
i: suricata: Signal Received.  Stopping engine.
i: pcap: read 1 file, 7 packets, 420 bytes
Suricata event types:
      1 stats
      1 smtp
      1 flow
      1 anomaly


Files

TLPW-FTP-single-stream-case.pcap (556 Bytes) TLPW-FTP-single-stream-case.pcap Peter Manev, 12/01/2023 11:59 AM

Related issues 3 (1 open2 closed)

Related to Suricata - Feature #1125: smtp: improve protocol detectionClosedPhilippe AntoineActions
Related to Suricata - Task #2757: improve protocol detectionIn ReviewPhilippe AntoineActions
Related to Suricata - Bug #6283: FTP parsing yields in some cases smtp and http event typesRejectedOISF DevActions
Actions

Also available in: Atom PDF