Bug #3728
closed
ftp file extraction failure
Added by xinfeng lee over 4 years ago.
Updated about 2 years ago.
Description
test:suricata -c suricata.yaml -r ftp.pcap.
when I use single thread,this question will not appear,but if I use workers runmodes and use multiple threads,it is easy to appear.
I see that code what is processing this,find that ftp_data app-layer is detected by ftp app-layer "AppLayerExpectationCreate" function。if ftp app-layer don't come at here,ftp_data is processed by another thread will not detected.because this function "AppLayerExpectationHandle" can't get ftp_data app-layer protocol.So,another thread can't correctly parse ftp_data packets.
Files
xinfeng lee wrote:
test:suricata -c suricata.yaml -r ftp.pcap.
when I use single thread,this question will not appear,but if I use pcap runmodes autofp or use multiple threads,it is easy to appear.
I see that code what is processing this,find that ftp_data app-layer is detected by ftp app-layer "AppLayerExpectationCreate" function。if ftp app-layer don't come at here,ftp_data is processed by another thread will not detected.because this function "AppLayerExpectationHandle" can't get ftp_data app-layer protocol.So,another thread can't correctly parse ftp_data packets.
- Status changed from New to Feedback
- Target version changed from 70 to TBD
An Suricata-Verify test case to show the issue would be great.
Yes, here is a sample.
We are solving this problem. A plan has been realized, and the test results are good so far.
- Related to Bug #5205: FTP-data unrecognized depending on multi-threading added
- Related to Bug #4539: ftp-data protocol not detected in autofp runmode added
- Status changed from Feedback to Closed
Also available in: Atom
PDF