Bug #7709
closedpop3: parse error blocks sessions
Description
Remove all the rules and only one udp will be retained, and the email will not be received.
Files
JY Updated by jun yuan about 1 year ago
Run in IPS mode
JY Updated by jun yuan about 1 year ago
- Priority changed from Normal to High
VJ Updated by Victor Julien about 1 year ago
- Status changed from New to Feedback
- Priority changed from High to Normal
- Target version changed from 8.0.0 to 8.0.0-rc1
Please add more detail about the test setup, the expected results, the actual results.
If possible add a pcap based test case.
JY Updated by jun yuan about 1 year ago ยท Edited
- File stop.pcapng stop.pcapng added
- File run.pcapng run.pcapng added
pc -- vm -- emailserver
vm run suricata in IPS mode
configure Pop3 port 110 to receive mail on PC
results:
suricata v6 Normal reception
suricata v8 Email not received
stop.pacpng means stop running suricata
run.pacpng means running suricata on vm
JY Updated by jun yuan about 1 year ago
- Assignee changed from OISF Dev to Victor Julien
JY Updated by jun yuan about 1 year ago
suricata-7.0.10 Can collect emails normally
JY Updated by jun yuan about 1 year ago
- Priority changed from Normal to High
JY Updated by jun yuan about 1 year ago
- Assignee changed from Victor Julien to OISF Dev
VJ Updated by Victor Julien about 1 year ago
- Priority changed from High to Normal
@junyuan can you please leave the priority at normal. Priorities are set by the team.
JY Updated by jun yuan about 1 year ago
Victor Julien wrote in #note-9:
@junyuan can you please leave the priority at normal. Priorities are set by the team.
ok.
Is there a solution to this problem?
JY Updated by jun yuan about 1 year ago
pop3: Use version 8.0, configure pop3 port 110, and no emails can be received
Is there any progress in this issue?
JY Updated by jun yuan about 1 year ago
- File stop.pcapng added
- File run.pcapng added
Victor Julien wrote in #note-3:
Please add more detail about the test setup, the expected results, the actual results.
If possible add a pcap based test case.
pop3: Use version 8.0, configure pop3 port 110, and no emails can be received
Is there any progress in this issue?
pc -- vm -- emailserver
vm run suricata in IPS mode
configure Pop3 port 110 to receive mail on PC
results:
suricata v6 Normal reception
suricata v8 Email not received
stop.pacpng means stop running suricata
run.pacpng means running suricata on vm
JL Updated by Jeff Lucovsky about 1 year ago
- File deleted (
run.pcapng)
JL Updated by Jeff Lucovsky about 1 year ago
- File deleted (
stop.pcapng)
JL Updated by Jeff Lucovsky about 1 year ago
I deleted the 2nd set of pcaps -- they are identical to the original set.
PA Updated by Philippe Antoine about 1 year ago
Maybe disabling pop3 parser in suricata.yaml may help
PA Updated by Philippe Antoine about 1 year ago
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
PA Updated by Philippe Antoine 10 months ago
Why did you set to in progress ? Are you working on it ?
PA Updated by Philippe Antoine 10 months ago
- Affected Versions 8.0.0 added
Ok, I see the bug stop.pcapng has an app-layer-parser error on the pop3 traffic see jq .stats.app_layer.error.pop3 log/eve.json
JY Updated by jun yuan 10 months ago
- Status changed from In Progress to Feedback
Philippe Antoine wrote in #note-21:
Ok, I see the bug stop.pcapng has an app-layer-parser error on the pop3 traffic see
jq .stats.app_layer.error.pop3 log/eve.json
I have temporarily modified it using this method:
https://github.com/OISF/suricata/pull/9500/commits/1fe1af99c2200ff9947cf47d504b015e57b84a3b
PA Updated by Philippe Antoine 9 months ago
- Status changed from Feedback to Assigned
VJ Updated by Victor Julien 9 months ago
- Status changed from Assigned to In Progress
- Assignee changed from OISF Dev to Victor Julien
VJ Updated by Victor Julien 9 months ago
- Status changed from In Progress to In Review
https://github.com/OISF/suricata/pull/13960 has a large patch to pop3 as well.
VJ Updated by Victor Julien 7 months ago
- Related to Optimization #7994: pop3: parser improvements added
VJ Updated by Victor Julien 7 months ago
- Subject changed from pop3: Use version 8.0, configure pop3 port 110, and no emails can be received to pop3: parse error blocks sessions
- Target version changed from 9.0.0-beta1 to 8.0.3
Treating this as the backport ticket for the improvements done as part of #7994.
VJ Updated by Victor Julien 7 months ago
- Status changed from In Review to Closed