Task #8388: firewall: support protocol hooks for all app-layer protocols

Feature #8408: firewall: support FTP-data hook states for firewall rule evaluation

Added by Victor Julien 13 days ago.

Status: New
Priority: High

Description

FTP is a critical protocol for network firewall deployments. In Suricata 8.0.4, FTP app-layer hook states are not registered for firewall mode. Attempting to use any ftp:* hook in a firewall rule (e.g., accept:hook ftp:request_command) fails with the error: protocol ftp does not support hook.

This means FTP traffic cannot be inspected or controlled at the application layer in firewall mode. Even when packet-layer rules accept the TCP handshake on port 21, the FTP control channel is dropped by default_app_policy as soon as the app-layer parser engages, because no FTP hooks exist for the firewall engine to evaluate.

FTP-DATA has its own lifecycle:
  • Connection requested
  • Connection established
  • Transfer initiated
  • Data transfer in progress
  • Transfer complete
  • Transfer aborted
  • Connection closed

These states should be mapped to firewall hook points that allow rules to make accept/drop decisions at meaningful protocol transitions, for example during data transfer.

The expectation engine should also be integrated with firewall mode so that PASV/PORT-negotiated data channel ports are automatically allowed when the control channel is accepted. (Optional)
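
As an added illustration, not Suricata's own code: a Python model of the FTP-data lifecycle listed above as hook points, each evaluated against a rule list with a configurable default app-layer policy (so a flow with no registered hook falls through to that default, the failure mode described for the control channel), plus an expectation table fed by PASV replies and PORT commands. The hook names, the (proto, hook, verdict) rule tuples, the ExpectationTable API and the sample control-channel lines are assumptions made for this example; the RFC 959 endpoint encoding (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) is the real one.

```python
"""Illustrative model (not Suricata code): FTP control-channel negotiation
feeding an expectation table, and an FTP-data flow walking through the
lifecycle states from the issue as hook points, each evaluated against
firewall rules with a default app-layer policy."""
import re
from enum import Enum


class FtpDataHook(Enum):
    """FTP-data lifecycle states from the issue, used as hook names (assumed)."""
    CONNECTION_REQUESTED = "connection_requested"
    CONNECTION_ESTABLISHED = "connection_established"
    TRANSFER_INITIATED = "transfer_initiated"
    DATA_TRANSFER_IN_PROGRESS = "data_transfer_in_progress"
    TRANSFER_COMPLETE = "transfer_complete"
    TRANSFER_ABORTED = "transfer_aborted"
    CONNECTION_CLOSED = "connection_closed"


H = FtpDataHook
VALID_TRANSITIONS = {
    H.CONNECTION_REQUESTED: {H.CONNECTION_ESTABLISHED, H.CONNECTION_CLOSED},
    H.CONNECTION_ESTABLISHED: {H.TRANSFER_INITIATED, H.CONNECTION_CLOSED},
    H.TRANSFER_INITIATED: {H.DATA_TRANSFER_IN_PROGRESS, H.TRANSFER_ABORTED,
                           H.CONNECTION_CLOSED},
    H.DATA_TRANSFER_IN_PROGRESS: {H.TRANSFER_COMPLETE, H.TRANSFER_ABORTED},
    H.TRANSFER_COMPLETE: {H.CONNECTION_CLOSED},
    H.TRANSFER_ABORTED: {H.CONNECTION_CLOSED},
    H.CONNECTION_CLOSED: set(),
}

# RFC 959 endpoint encoding: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)


def parse_endpoint(match):
    """Turn a PASV/PORT regex match into an (ip, port) tuple."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class ExpectationTable:
    """Data-channel endpoints learned from the control channel (assumed API)."""

    def __init__(self):
        self._pending = {}

    def observe_control(self, line):
        """Record the endpoint announced by a PASV reply or a PORT command."""
        m = PASV_RE.match(line)
        if m:
            ep = parse_endpoint(m)
            self._pending[ep] = "passive"   # client will connect to the server
            return ep
        m = PORT_RE.match(line)
        if m:
            ep = parse_endpoint(m)
            self._pending[ep] = "active"    # server will connect to the client
            return ep
        return None

    def claim(self, dst_ip, dst_port):
        """Consume the expectation matching a new connection, or None if absent."""
        return self._pending.pop((dst_ip, dst_port), None)


def evaluate_hook(rules, proto, hook, default_app_policy="drop"):
    """Verdict of the first rule matching (proto, hook), else the default policy.
    With no rule registered for a hook, the default app-layer policy decides."""
    for rule_proto, rule_hook, verdict in rules:
        if rule_proto == proto and rule_hook == hook:
            return verdict
    return default_app_policy


class FtpDataFlow:
    """One FTP-data connection, evaluated at each lifecycle hook."""

    def __init__(self, rules, default_app_policy="drop"):
        self.state = H.CONNECTION_REQUESTED
        self.rules = rules
        self.default = default_app_policy
        self.verdict = evaluate_hook(rules, "ftp-data", self.state.value, self.default)
        self.history = [(self.state.value, self.verdict)]

    def advance(self, new_state):
        """Move to the next state and evaluate its hook; a drop is sticky."""
        if new_state not in VALID_TRANSITIONS[self.state]:
            raise ValueError(f"invalid transition {self.state.value} -> {new_state.value}")
        self.state = new_state
        if self.verdict != "drop":
            self.verdict = evaluate_hook(self.rules, "ftp-data", new_state.value, self.default)
        self.history.append((new_state.value, self.verdict))
        return self.verdict
```

A rule list that accepts every hook except data_transfer_in_progress shows the point of per-state hooks: the data connection is allowed to be set up, then dropped once bytes start flowing, and the drop persists through the remaining states. The expectation table is consumed once per negotiated endpoint, so a second connection to the same port after the first one is claimed falls back to ordinary rule evaluation.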


Related issues (1 open, 0 closed)

Copied from Suricata - Feature #8392: firewall: support FTP hook states for firewall rule evaluation (New, OISF Dev)

Updated by Victor Julien 13 days ago #1

  • Copied from Feature #8392: firewall: support FTP hook states for firewall rule evaluation added