Bug #7709
closedpop3: parse error blocks sessions
Added by jun yuan 8 months ago. Updated 19 days ago.
Description
Remove all the rules and only one udp will be retained, and the email will not be received.
Files
| stop.pcapng (11.8 KB) stop.pcapng | stop suricata | jun yuan, 05/15/2025 12:23 AM | |
| run.pcapng (3.55 KB) run.pcapng | run suricata | jun yuan, 05/15/2025 12:23 AM |
Updated by Victor Julien 8 months ago
- Status changed from New to Feedback
- Priority changed from High to Normal
- Target version changed from 8.0.0 to 8.0.0-rc1
Please add more detail about the test setup, the expected results, the actual results.
If possible add a pcap based test case.
Updated by jun yuan 8 months ago ยท Edited
- File stop.pcapng stop.pcapng added
- File run.pcapng run.pcapng added
pc -- vm -- emailserver
vm run suricata in IPS mode
configure Pop3 port 110 to receive mail on PC
results:
suricata v6 Normal reception
suricata v8 Email not received
stop.pacpng means stop running suricata
run.pacpng means running suricata on vm
Updated by Victor Julien 8 months ago
- Priority changed from High to Normal
@junyuan can you please leave the priority at normal. Priorities are set by the team.
Updated by jun yuan 7 months ago
- File stop.pcapng added
- File run.pcapng added
Victor Julien wrote in #note-3:
Please add more detail about the test setup, the expected results, the actual results.
If possible add a pcap based test case.
pop3: Use version 8.0, configure pop3 port 110, and no emails can be received
Is there any progress in this issue?
pc -- vm -- emailserver
vm run suricata in IPS mode
configure Pop3 port 110 to receive mail on PC
results:
suricata v6 Normal reception
suricata v8 Email not received
stop.pacpng means stop running suricata
run.pacpng means running suricata on vm
Updated by Jeff Lucovsky 7 months ago
I deleted the 2nd set of pcaps -- they are identical to the original set.
Updated by Philippe Antoine 7 months ago
Maybe disabling pop3 parser in suricata.yaml may help
Updated by Philippe Antoine 7 months ago
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
Updated by Philippe Antoine 4 months ago
Why did you set to in progress ? Are you working on it ?
Updated by Philippe Antoine 4 months ago
- Affected Versions 8.0.0 added
Ok, I see the bug stop.pcapng has an app-layer-parser error on the pop3 traffic see jq .stats.app_layer.error.pop3 log/eve.json
Updated by jun yuan 4 months ago
- Status changed from In Progress to Feedback
Philippe Antoine wrote in #note-21:
Ok, I see the bug stop.pcapng has an app-layer-parser error on the pop3 traffic see
jq .stats.app_layer.error.pop3 log/eve.json
I have temporarily modified it using this method:
https://github.com/OISF/suricata/pull/9500/commits/1fe1af99c2200ff9947cf47d504b015e57b84a3b
Updated by Philippe Antoine 3 months ago
- Status changed from Feedback to Assigned
Updated by Victor Julien 3 months ago
- Status changed from Assigned to In Progress
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien 3 months ago
- Status changed from In Progress to In Review
https://github.com/OISF/suricata/pull/13960 has a large patch to pop3 as well.
Updated by Victor Julien 27 days ago
- Related to Optimization #7994: pop3: parser improvements added
Updated by Victor Julien 27 days ago
- Subject changed from pop3: Use version 8.0, configure pop3 port 110, and no emails can be received to pop3: parse error blocks sessions
- Target version changed from 9.0.0-beta1 to 8.0.3
Treating this as the backport ticket for the improvements done as part of #7994.