pop3: protocol detection

Ticket: #6366
pull/11095/head
Philippe Antoine 3 years ago committed by Victor Julien
parent ed895c04ff
commit 2c305ba37e

@ -19,6 +19,7 @@ Automatic Protocol Detection
- dns
- http
- imap (detection only by default; no parsing)
- pop3 (detection only by default; no parsing)
- ftp
- modbus (disabled by default; minimalist probe parser; can lead to false positives)
- smb

@ -96,6 +96,7 @@ you can pick from. These are:
* ssh
* smtp
* imap
* pop3
* modbus (disabled by default)
* dnp3 (disabled by default)
* enip (disabled by default)

@ -4015,6 +4015,9 @@
"description": "Errors encountered parsing PostgreSQL protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"pop3": {
"$ref": "#/$defs/stats_applayer_error"
},
"quic": {
"description": "Errors encountered parsing QUIC protocol",
"$ref": "#/$defs/stats_applayer_error"
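Review bot: The new `pop3` object omits the `description` key that the neighbouring entries in this schema carry (`"Errors encountered parsing PostgreSQL protocol"`, `"Errors encountered parsing QUIC protocol"`), so this counter is the only one in the group that documents nothing; the same omission is in the hunks at -4176 (flows) and -4332 (transactions). Add `"description": "Errors encountered parsing POP3 protocol",` above the `$ref` here, and the matching `"description": "Number of flows for POP3 protocol",` and `"description": "Number of transactions for POP3 protocol",` lines in the other two hunks, keeping the sibling wording so generated documentation stays uniform.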
@ -4176,6 +4179,9 @@
"description": "Number of flows for PostgreSQL protocol",
"type": "integer"
},
"pop3": {
"type": "integer"
},
"quic": {
"description": "Number of flows for QUIC protocol",
"type": "integer"
@ -4332,6 +4338,9 @@
"description": "Number of transactions for PostgreSQL protocol",
"type": "integer"
},
"pop3": {
"type": "integer"
},
"quic": {
"description": "Number of transactions for QUIC protocol",
"type": "integer"

@ -1763,14 +1763,24 @@ void AppLayerParserRegisterProtocolParsers(void)
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP,
"1|20|capability", 12, 0, STREAM_TOSERVER) < 0)
{
SCLogInfo("imap proto registration failure");
exit(EXIT_FAILURE);
FatalError("imap proto registration failure");
}
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"imap");
}
/** POP3 */
AppLayerProtoDetectRegisterProtocol(ALPROTO_POP3, "pop3");
if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "pop3")) {
if (AppLayerProtoDetectPMRegisterPatternCS(
IPPROTO_TCP, ALPROTO_POP3, "+OK ", 4, 0, STREAM_TOCLIENT) < 0) {
FatalError("pop3 proto registration failure");
}
} else {
SCLogInfo("Protocol detection and parser disabled for pop3 protocol.");
}
ValidateParsers();
return;
}
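Review bot: POP3 detection is registered with a single to-client pattern, the 4-byte `"+OK "` at offset 0, so a flow whose server greeting is not observed (mid-stream pickup, asymmetric capture) can never be tagged ALPROTO_POP3, whereas the imap block just above also registers a STREAM_TOSERVER pattern; a to-server registration alongside this one would make detection independent of seeing the banner. A 4-byte greeting prefix is also a weak signature on its own, so if relying on it alone was a deliberate trade-off for a detection-only protocol, a comment on the `AppLayerProtoDetectPMRegisterPatternCS(` line such as `/* match only the server greeting; pop3 is detection-only, no parser */` would preserve that reasoning. The enclosing function AppLayerParserRegisterProtocolParsers starts outside the hunk.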

@ -65,6 +65,7 @@ const AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = {
{ ALPROTO_RDP, "rdp" },
{ ALPROTO_HTTP2, "http2" },
{ ALPROTO_BITTORRENT_DHT, "bittorrent-dht" },
{ ALPROTO_POP3, "pop3" },
{ ALPROTO_HTTP, "http" },
{ ALPROTO_FAILED, "failed" },
#ifdef UNITTESTS

@ -61,6 +61,7 @@ enum AppProtoEnum {
ALPROTO_RDP,
ALPROTO_HTTP2,
ALPROTO_BITTORRENT_DHT,
ALPROTO_POP3,
// signature-only (ie not seen in flow)
// HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2)

@ -1147,6 +1147,7 @@ static EveJsonSimpleAppLayerLogger simple_json_applayer_loggers[ALPROTO_MAX] = {
{ ALPROTO_RDP, (EveJsonSimpleTxLogFunc)rs_rdp_to_json },
{ ALPROTO_HTTP2, rs_http2_log_json },
{ ALPROTO_BITTORRENT_DHT, rs_bittorrent_dht_logger_log },
{ ALPROTO_POP3, NULL }, // protocol detection only
{ ALPROTO_HTTP, NULL }, // signature protocol, not for app-layer logging
{ ALPROTO_FAILED, NULL },
#ifdef UNITTESTS

@ -987,6 +987,8 @@ app-layer:
content-inspect-window: 4096
imap:
enabled: detection-only
pop3:
enabled: detection-only
smb:
enabled: yes
detection-ports:
