Feature #8392

open

Task #8388: firewall: support protocol hooks for all app-layer protocols

firewall: support FTP hook states for firewall rule evaluation

Added by Yash Datre 4 days ago. Updated 3 days ago.

Status: New
Priority: High
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

FTP is a critical protocol for network firewall deployments. In Suricata 8.0.4, FTP app-layer hook states are not registered for firewall mode. Attempting to use any ftp:* hook in a firewall rule (e.g., accept:hook ftp:request_command) fails with the error: protocol ftp does not support hook.

This means FTP traffic cannot be inspected or controlled at the application layer in firewall mode. Even when packet-layer rules accept the TCP handshake on port 21, the FTP control channel is dropped by default_app_policy as soon as the app-layer parser engages, because no FTP hooks exist for the firewall engine to evaluate.

Potential FTP states:

  • Connected
  • USER command sent
  • PASS command sent
  • Authenticated
  • Command mode
  • PORT/PASV sent
  • Data connection requested
  • Data connection established
  • Transfer in progress
  • Transfer complete
  • Logged out
  • Connection closed

Additionally, FTP-DATA has its own lifecycle:

  • Connection requested
  • Connection established
  • Transfer initiated
  • Data transfer in progress
  • Transfer complete
  • Transfer aborted
  • Connection closed

These states should be mapped to firewall hook points that allow rules to make accept/drop decisions at meaningful protocol transitions — for example, after authentication, after PASV negotiation, during data transfer, etc.

The expectation engine should also be integrated with firewall mode so that PASV/PORT-negotiated data channel ports are automatically allowed when the control channel is accepted. (Optional)
