Feature #8392
Updated by Victor Julien 19 days ago
FTP is a critical protocol for network firewall deployments. In Suricata 8.0.4, FTP app-layer hook states are not registered for firewall mode. Attempting to use any _ftp:*_ hook in a firewall rule (e.g., _accept:hook ftp:request_command_) fails with the error: _protocol ftp does not support hook_. This means FTP traffic cannot be inspected or controlled at the application layer in firewall mode. Even when packet-layer rules accept the TCP handshake on port 21, the FTP control channel is dropped by default_app_policy as soon as the app-layer parser engages, because no FTP hooks exist for the firewall engine to evaluate.

Potential FTP states:

* Connected
* USER command sent
* PASS command sent
* Authenticated
* Command mode
* PORT/PASV sent
* Data connection requested
* Data connection established
* Transfer in progress
* Transfer complete
* Logged out
* Connection closed

Additionally, FTP-DATA has its own lifecycle, tracked in #8408:

* Connection requested
* Connection established
* Transfer initiated
* Data transfer in progress
* Transfer complete
* Transfer aborted
* Connection closed

These states should be mapped to firewall hook points that allow rules to make accept/drop decisions at meaningful protocol transitions — for example, after authentication, after PASV negotiation, during data transfer, etc.

The expectation engine should also be integrated with firewall mode so that PASV/PORT-negotiated data channel ports are automatically allowed when the control channel is accepted. (Optional)
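As an added illustration of what the requested hook points and expectation handling amount to, the tracker below walks a control channel through the lifecycle listed above and derives the data-channel endpoint a firewall would need to allow. It is example code, not Suricata's implementation; the state names, the reply-code handling and the sample session are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
PORT_TUPLE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")  # h1,h2,h3,h4,p1,p2 in PORT / 227

def decode_port_tuple(text):
    """Return (ip, port) from a PORT argument or 227 reply, or None when no tuple is present."""
    m = PORT_TUPLE.search(text)
    return m and ("{}.{}.{}.{}".format(*m.groups()[:4]), int(m.group(5)) * 256 + int(m.group(6)))

# Commands whose arrival alone moves the control channel to a new state (assumed mapping).
SIMPLE_COMMANDS = {"USER": "user_sent", "PASS": "pass_sent", "PASV": "pasv_sent", "QUIT": "logged_out"}

@dataclass
class FtpControlTracker:
    """Walks the control channel through the states listed in the issue; every transition is a
    candidate hook point, and every negotiated data endpoint is an expectation to allow."""
    state: str = "connected"
    transitions: list = field(default_factory=list)   # (from_state, to_state) pairs
    expectations: list = field(default_factory=list)  # (ip, port) of negotiated data channels
    def _move(self, new_state):
        self.transitions.append((self.state, new_state))
        self.state = new_state
    def request(self, line):  # client -> server command line
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd in SIMPLE_COMMANDS:
            self._move(SIMPLE_COMMANDS[cmd])
        elif cmd == "PORT" and (ep := decode_port_tuple(arg)):
            self.expectations.append(ep)  # active mode: the client names its listener
            self._move("data_requested")
        elif cmd in ("RETR", "STOR", "LIST") and self.state == "data_requested":
            self._move("transfer_in_progress")
    def response(self, line):  # server -> client reply, 3-digit code first
        if line.startswith("230") and self.state == "pass_sent":
            self._move("authenticated")
        elif line.startswith("227") and self.state == "pasv_sent" and (ep := decode_port_tuple(line)):
            self.expectations.append(ep)  # passive mode: the server names its listener
            self._move("data_requested")
        elif line.startswith("226") and self.state == "transfer_in_progress":
            self._move("transfer_complete")

# Constructed sample session (not captured traffic): anonymous login, PASV, one RETR, QUIT.
SAMPLE_SESSION = [
    ("C", "USER anonymous"), ("S", "331 Password required."), ("C", "PASS guest@"),
    ("S", "230 Login successful."), ("C", "PASV"), ("S", "227 Entering Passive Mode (192,0,2,10,195,80)."),
    ("C", "RETR notes.txt"), ("S", "150 Opening data connection."), ("S", "226 Transfer complete."), ("C", "QUIT"),
]

def track_session(session=SAMPLE_SESSION):
    tracker = FtpControlTracker()
    for direction, line in session:  # replay each (direction, line) pair through the tracker
        (tracker.request if direction == "C" else tracker.response)(line)
    return tracker
```

Each entry in `transitions` is a point where a firewall rule could accept or drop, and `expectations` holds the 192.0.2.10:50000 endpoint that would otherwise be blocked by default_app_policy.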