Bug #6283: FTP parsing yields in some cases smtp and http event types

Added by Peter Manev about 1 year ago. Updated 5 months ago.

Status: Rejected
Priority: Normal

Description

Pcap attached.
I stumbled upon this issue when investigating and looking for a specific malware/behavior.

Pcap provided is from https://tria.ge/230822-2ltlvahc41/behavioral1

sudo /opt/suritest-profiling/bin/suricata  -S "rules/*.rules"  -l logs/  -k none -r TLPW1-ca1fb1ad30189110cc225620dc537368.pcap ;  jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; 
Info: conf-yaml-loader: Configuration node 'DC_SERVERS' redefined. [ConfYamlParse:conf-yaml-loader.c:329]
Notice: suricata: This is Suricata version 7.0.1-dev (becb8cefc 2023-08-11) running in USER mode [LogVersion:suricata.c:1148]
Warning: app-layer-htp: Flash decompression is deprecated and will be removed in Suricata 8; see ticket #6179 [HTPConfigParseParameters:app-layer-htp.c:2908]
Notice: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1890]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2815]
Notice: pcap: read 1 file, 487089 packets, 31866396 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:388]
 124044 flow
  85600 ftp
  21058 anomaly
    528 dns
     46 smtp
     26 http
      9 alert
      2 tls
      2 ssh
      1 stats

There is no SMTP traffic in the pcap (Wireshark also shows no SMTP), but we have smtp events generated like the one below.

{
  "timestamp": "2023-08-23T00:42:58.885319+0200",
  "flow_id": 604785307838067,
  "event_type": "smtp",
  "src_ip": "10.127.0.202",
  "src_port": 50529,
  "dest_ip": "195.8.223.244",
  "dest_port": 21,
  "proto": "TCP",
  "pkt_src": "stream (flow timeout)",
  "tx_id": 0,
  "smtp": {}
}

There are also some HTTP events generated like so:

{
  "timestamp": "2023-08-23T00:42:58.885319+0200",
  "flow_id": 1569159803425295,
  "event_type": "http",
  "src_ip": "10.127.0.202",
  "src_port": 54224,
  "dest_ip": "115.127.132.45",
  "dest_port": 21,
  "proto": "TCP",
  "pkt_src": "stream (flow timeout)",
  "tx_id": 0,
  "http": {
    "url": "/",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "length": 0
  }
}

Also, we have lots of anomaly events generated, just for info.

jq 'select(.event_type=="anomaly")' logs/eve.json | jq .anomaly.event | sort -rn | uniq -c | sort -rn 
  20959 "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION" 
     52 "MISSING_HOST_HEADER" 
     44 "NO_SERVER_WELCOME_MESSAGE" 
      3 "INVALID_REPLY" 


Related issues (1 open, 1 closed):

  • Related to Suricata - Feature #1125: smtp: improve protocol detection (Closed, Philippe Antoine)
  • Related to Suricata - Bug #6591: protodetect: ftp parsed as smtp (New, OISF Dev)

#1

Updated by Philippe Antoine about 1 year ago

  • Related to Feature #1125: smtp: improve protocol detection added
#2

Updated by Philippe Antoine 5 months ago

  • Status changed from New to Rejected

Thanks Peter, closing as there is nothing new in this ticket:

> Also we have lots of anomaly generated events, just for info.

https://github.com/OISF/suricata/pull/11125 improves on this for the APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION ones.

> There is no SMTP traffic in the pcap (Wireshark also shows no SMTP), but we have smtp events generated like the below.

This seems a duplicate of #6591 (QUIT pattern).

> There are also some HTTP events generated like so:

This is the expected behavior. For the Wireshark filter tcp.stream eq 1105, the TCP stream is client only (GET / HTTP/1.1, no answer from the server), so this gets classified as HTTP.
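The records in the description and the explanation above (protocol detected at flow timeout on a client-only stream, dest port 21 but event_type smtp/http) suggest a simple triage check for eve.json: flag app-layer events whose detected protocol disagrees with the well-known server port, and attach any anomaly events on the same flow as supporting evidence. This is an added example, not Suricata code or anything from the ticket; the port-to-protocol table is an assumption, and the sample eve.json lines are constructed after the records shown above.

```python
import json
from collections import defaultdict

# Assumed mapping of well-known server port to the protocol Suricata should detect
# there. event_type is used as the detected protocol because that is what the
# records in the ticket carry.
PORT_PROTO = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "tls"}

# Constructed sample eve.json lines, modelled on the records in the ticket.
SAMPLE_EVE = """
{"flow_id":604785307838067,"event_type":"smtp","dest_ip":"195.8.223.244","dest_port":21,"proto":"TCP","pkt_src":"stream (flow timeout)","smtp":{}}
{"flow_id":1569159803425295,"event_type":"http","dest_ip":"115.127.132.45","dest_port":21,"proto":"TCP","pkt_src":"stream (flow timeout)","http":{"url":"/","http_method":"GET","protocol":"HTTP/1.1","length":0}}
{"flow_id":1569159803425295,"event_type":"anomaly","dest_port":21,"anomaly":{"type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION"}}
{"flow_id":42,"event_type":"ftp","dest_ip":"195.8.223.244","dest_port":21,"proto":"TCP","pkt_src":"wire/pcap","ftp":{"command":"USER"}}
"""

def load_events(text):
    """Parse newline-delimited eve.json, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            try:
                events.append(json.loads(line))
            except json.JSONDecodeError:
                pass  # a partially written last line is common on a live eve.json
    return events

def find_suspect_classifications(events):
    """Return (flow_id, event_type, dest_port, reasons) for app-layer events whose
    detected protocol disagrees with the well-known destination port."""
    anomalies = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "anomaly":
            anomalies[ev.get("flow_id")].append(ev.get("anomaly", {}).get("event"))
    suspects = []
    for ev in events:
        detected = ev.get("event_type")
        expected = PORT_PROTO.get(ev.get("dest_port"))
        if detected not in PORT_PROTO.values() or expected in (None, detected):
            continue
        reasons = [f"{detected} on port {ev['dest_port']} (expected {expected})"]
        if ev.get("pkt_src") == "stream (flow timeout)":
            reasons.append("emitted at flow timeout (not on a live packet)")
        if detected == "http" and ev.get("http", {}).get("length") == 0:
            reasons.append("zero-length HTTP transaction")
        reasons += [a for a in anomalies.get(ev.get("flow_id"), []) if a]
        suspects.append((ev["flow_id"], detected, ev["dest_port"], reasons))
    return suspects
```

Run it over a real eve.json by replacing SAMPLE_EVE with the file contents; the ftp record on port 21 is not reported, while the smtp and http records on port 21 are, the latter together with its ONLY_ONE_DIRECTION anomaly.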

#3

Updated by Philippe Antoine 5 months ago

  • Related to Bug #6591: protodetect: ftp parsed as smtp added