Bug #7709
closedpop3: parse error blocks sessions
Description
Remove all the rules and only one udp will be retained, and the email will not be received.
Files
VJ Updated by Victor Julien 11 months ago
- Status changed from New to Feedback
- Priority changed from High to Normal
- Target version changed from 8.0.0 to 8.0.0-rc1
Please add more detail about the test setup, the expected results, the actual results.
If possible add a pcap based test case.
JY Updated by jun yuan 11 months ago ยท Edited
- File stop.pcapng stop.pcapng added
- File run.pcapng run.pcapng added
pc -- vm -- emailserver
vm run suricata in IPS mode
configure Pop3 port 110 to receive mail on PC
results:
suricata v6 Normal reception
suricata v8 Email not received
stop.pacpng means stop running suricata
run.pacpng means running suricata on vm
VJ Updated by Victor Julien 11 months ago
- Priority changed from High to Normal
@junyuan can you please leave the priority at normal. Priorities are set by the team.
JY Updated by jun yuan 11 months ago
- File stop.pcapng added
- File run.pcapng added
Victor Julien wrote in #note-3:
Please add more detail about the test setup, the expected results, the actual results.
If possible add a pcap based test case.
pop3: Use version 8.0, configure pop3 port 110, and no emails can be received
Is there any progress in this issue?
pc -- vm -- emailserver
vm run suricata in IPS mode
configure Pop3 port 110 to receive mail on PC
results:
suricata v6 Normal reception
suricata v8 Email not received
stop.pacpng means stop running suricata
run.pacpng means running suricata on vm
JL Updated by Jeff Lucovsky 11 months ago
- File deleted (
run.pcapng)
JL Updated by Jeff Lucovsky 11 months ago
- File deleted (
stop.pcapng)
JL Updated by Jeff Lucovsky 11 months ago
I deleted the 2nd set of pcaps -- they are identical to the original set.
PA Updated by Philippe Antoine 11 months ago
Maybe disabling pop3 parser in suricata.yaml may help
PA Updated by Philippe Antoine 11 months ago
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
PA Updated by Philippe Antoine 8 months ago
Why did you set to in progress ? Are you working on it ?
PA Updated by Philippe Antoine 8 months ago
- Affected Versions 8.0.0 added
Ok, I see the bug stop.pcapng has an app-layer-parser error on the pop3 traffic see jq .stats.app_layer.error.pop3 log/eve.json
JY Updated by jun yuan 8 months ago
- Status changed from In Progress to Feedback
Philippe Antoine wrote in #note-21:
Ok, I see the bug stop.pcapng has an app-layer-parser error on the pop3 traffic see
jq .stats.app_layer.error.pop3 log/eve.json
I have temporarily modified it using this method:
https://github.com/OISF/suricata/pull/9500/commits/1fe1af99c2200ff9947cf47d504b015e57b84a3b
PA Updated by Philippe Antoine 7 months ago
- Status changed from Feedback to Assigned
VJ Updated by Victor Julien 7 months ago
- Status changed from Assigned to In Progress
- Assignee changed from OISF Dev to Victor Julien
VJ Updated by Victor Julien 7 months ago
- Status changed from In Progress to In Review
https://github.com/OISF/suricata/pull/13960 has a large patch to pop3 as well.
VJ Updated by Victor Julien 5 months ago
- Related to Optimization #7994: pop3: parser improvements added
VJ Updated by Victor Julien 5 months ago
- Subject changed from pop3: Use version 8.0, configure pop3 port 110, and no emails can be received to pop3: parse error blocks sessions
- Target version changed from 9.0.0-beta1 to 8.0.3
Treating this as the backport ticket for the improvements done as part of #7994.
VJ Updated by Victor Julien 4 months ago
- Status changed from In Review to Closed