Project

General

Profile

Actions

Bug #2886

closed

IMAP protocol detection is incomplete

Added by Allen Ma over 5 years ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
low
Label:
Beginner, Good First Issue, Outreachy, Protocol

Description

I tried both reading offline pcap file and capturing imap packet lively, but failed.
The same testing methods are used to test POP3 successfully, which I extend on my own version.

1.reading offline pcap file, I've attached the ones I tested.
sudo suricata -c ~/suricata/suricata.yaml -r ~/pcap/imap/imap_aliyun_outlook_short.pcapng -k none --init-errors-fatal

2.captuing imap packets lively.
sudo suricata -c ~/suricata/suricata.yaml -i eno16777736 --init-errors-fatal

/** IMAP */
AppLayerProtoDetectRegisterProtocol(ALPROTO_IMAP, "imap");
if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "imap")) {
// Is AppLayerProtoDetectPMRegisterPatternCS OK as it's case-sensitive? Will it detect upper-cased CAPABILITY?
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP,
"1|20|capability", 12, 0, STREAM_TOSERVER) < 0) {
SCLogInfo("imap proto registration failure\n");
exit(EXIT_FAILURE);
}
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"imap");
}

Files

imap-ssl.pcapng (9.91 KB) imap-ssl.pcapng Allen Ma, 03/18/2019 04:38 AM
imap.cap (30.7 KB) imap.cap Allen Ma, 03/18/2019 04:38 AM

Subtasks 3 (0 open3 closed)

Bug #6506: IMAP protocol detection is incomplete (6.0.x backport)RejectedActions
Bug #6514: IMAP protocol detection is incomplete (6.0.x backport)RejectedActions
Bug #6526: IMAP protocol detection is incomplete (7.0.x backport)RejectedActions

Related issues 2 (2 open0 closed)

Related to Suricata - Task #2757: improve protocol detectionIn ReviewPhilippe AntoineActions
Related to Suricata - Feature #3244: IMAP Support NewCommunity TicketActions
Actions

Also available in: Atom PDF