pop3: protocol detection

Ticket: #6366
pull/11095/head
Philippe Antoine 3 years ago committed by Victor Julien
parent ed895c04ff
commit 2c305ba37e

@ -19,6 +19,7 @@ Automatic Protocol Detection
- dns - dns
- http - http
- imap (detection only by default; no parsing) - imap (detection only by default; no parsing)
- pop3 (detection only by default; no parsing)
- ftp - ftp
- modbus (disabled by default; minimalist probe parser; can lead to false positives) - modbus (disabled by default; minimalist probe parser; can lead to false positives)
- smb - smb

@ -96,6 +96,7 @@ you can pick from. These are:
* ssh * ssh
* smtp * smtp
* imap * imap
* pop3
* modbus (disabled by default) * modbus (disabled by default)
* dnp3 (disabled by default) * dnp3 (disabled by default)
* enip (disabled by default) * enip (disabled by default)

@ -4015,6 +4015,9 @@
"description": "Errors encountered parsing PostgreSQL protocol", "description": "Errors encountered parsing PostgreSQL protocol",
"$ref": "#/$defs/stats_applayer_error" "$ref": "#/$defs/stats_applayer_error"
}, },
"pop3": {
"$ref": "#/$defs/stats_applayer_error"
},
"quic": { "quic": {
"description": "Errors encountered parsing QUIC protocol", "description": "Errors encountered parsing QUIC protocol",
"$ref": "#/$defs/stats_applayer_error" "$ref": "#/$defs/stats_applayer_error"
@ -4176,6 +4179,9 @@
"description": "Number of flows for PostgreSQL protocol", "description": "Number of flows for PostgreSQL protocol",
"type": "integer" "type": "integer"
}, },
"pop3": {
"type": "integer"
},
"quic": { "quic": {
"description": "Number of flows for QUIC protocol", "description": "Number of flows for QUIC protocol",
"type": "integer" "type": "integer"
@ -4332,6 +4338,9 @@
"description": "Number of transactions for PostgreSQL protocol", "description": "Number of transactions for PostgreSQL protocol",
"type": "integer" "type": "integer"
}, },
"pop3": {
"type": "integer"
},
"quic": { "quic": {
"description": "Number of transactions for QUIC protocol", "description": "Number of transactions for QUIC protocol",
"type": "integer" "type": "integer"
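Review bot: The three added `"pop3"` objects in this section omit the `"description"` key that the neighbouring `postgresql` and `quic` entries carry, so the schema is less self-describing for this protocol; this applies to the error-counter hunk here and equally to the flow-count and transaction-count hunks further down in the same file. Adding `"description": "Errors encountered parsing POP3 protocol"`, `"description": "Number of flows for POP3 protocol"` and `"description": "Number of transactions for POP3 protocol"` next to the existing `"$ref"`/`"type"` keys keeps the entries in line with the rest of the file. Since POP3 is registered for detection only, the error and transaction counters will presumably stay at zero, which the descriptions could state so that readers of stats output do not expect parser activity.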

@ -1763,14 +1763,24 @@ void AppLayerParserRegisterProtocolParsers(void)
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP, if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP,
"1|20|capability", 12, 0, STREAM_TOSERVER) < 0) "1|20|capability", 12, 0, STREAM_TOSERVER) < 0)
{ {
SCLogInfo("imap proto registration failure"); FatalError("imap proto registration failure");
exit(EXIT_FAILURE);
} }
} else { } else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.", SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"imap"); "imap");
} }
/** POP3 */
AppLayerProtoDetectRegisterProtocol(ALPROTO_POP3, "pop3");
if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "pop3")) {
if (AppLayerProtoDetectPMRegisterPatternCS(
IPPROTO_TCP, ALPROTO_POP3, "+OK ", 4, 0, STREAM_TOCLIENT) < 0) {
FatalError("pop3 proto registration failure");
}
} else {
SCLogInfo("Protocol detection and parser disabled for pop3 protocol.");
}
ValidateParsers(); ValidateParsers();
return; return;
} }
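Review bot: The POP3 registration installs a single STREAM_TOCLIENT pattern, `"+OK "` at offset 0 with depth 4, so a flow is classified as POP3 only when the server greeting is the first to-client payload the engine sees; a flow picked up midstream, or one whose greeting was missed, stays unclassified, whereas the IMAP block just above this addition registers a STREAM_TOSERVER pattern as well. A second, to-server pattern keyed on a POP3-specific command (CAPA or APOP rather than USER, which FTP also sends) would let detection succeed from either direction and would give a four-byte greeting match a corroborating signal; its depth/offset should follow the same convention as the imap registration. Minor: the disabled-branch message hard-codes the protocol name while the imap branch formats it with `"%s"`; `SCLogInfo("Protocol detection and parser disabled for %s protocol.", "pop3");` keeps the two consistent. AppLayerParserRegisterProtocolParsers begins before this hunk.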

@ -65,6 +65,7 @@ const AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = {
{ ALPROTO_RDP, "rdp" }, { ALPROTO_RDP, "rdp" },
{ ALPROTO_HTTP2, "http2" }, { ALPROTO_HTTP2, "http2" },
{ ALPROTO_BITTORRENT_DHT, "bittorrent-dht" }, { ALPROTO_BITTORRENT_DHT, "bittorrent-dht" },
{ ALPROTO_POP3, "pop3" },
{ ALPROTO_HTTP, "http" }, { ALPROTO_HTTP, "http" },
{ ALPROTO_FAILED, "failed" }, { ALPROTO_FAILED, "failed" },
#ifdef UNITTESTS #ifdef UNITTESTS

@ -61,6 +61,7 @@ enum AppProtoEnum {
ALPROTO_RDP, ALPROTO_RDP,
ALPROTO_HTTP2, ALPROTO_HTTP2,
ALPROTO_BITTORRENT_DHT, ALPROTO_BITTORRENT_DHT,
ALPROTO_POP3,
// signature-only (ie not seen in flow) // signature-only (ie not seen in flow)
// HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2) // HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2)

@ -1147,6 +1147,7 @@ static EveJsonSimpleAppLayerLogger simple_json_applayer_loggers[ALPROTO_MAX] = {
{ ALPROTO_RDP, (EveJsonSimpleTxLogFunc)rs_rdp_to_json }, { ALPROTO_RDP, (EveJsonSimpleTxLogFunc)rs_rdp_to_json },
{ ALPROTO_HTTP2, rs_http2_log_json }, { ALPROTO_HTTP2, rs_http2_log_json },
{ ALPROTO_BITTORRENT_DHT, rs_bittorrent_dht_logger_log }, { ALPROTO_BITTORRENT_DHT, rs_bittorrent_dht_logger_log },
{ ALPROTO_POP3, NULL }, // protocol detection only
{ ALPROTO_HTTP, NULL }, // signature protocol, not for app-layer logging { ALPROTO_HTTP, NULL }, // signature protocol, not for app-layer logging
{ ALPROTO_FAILED, NULL }, { ALPROTO_FAILED, NULL },
#ifdef UNITTESTS #ifdef UNITTESTS

@ -987,6 +987,8 @@ app-layer:
content-inspect-window: 4096 content-inspect-window: 4096
imap: imap:
enabled: detection-only enabled: detection-only
pop3:
enabled: detection-only
smb: smb:
enabled: yes enabled: yes
detection-ports: detection-ports:
