- dns
- http
- imap (detection only by default; no parsing)
+ - pop3 (detection only by default; no parsing)
- ftp
- modbus (disabled by default; minimalist probe parser; can lead to false positives)
- smb
* ssh
* smtp
* imap
+* pop3
* modbus (disabled by default)
* dnp3 (disabled by default)
* enip (disabled by default)
"description": "Errors encountered parsing PostgreSQL protocol",
"$ref": "#/$defs/stats_applayer_error"
},
+ "pop3": {
+ "$ref": "#/$defs/stats_applayer_error"
+ },
"quic": {
"description": "Errors encountered parsing QUIC protocol",
"$ref": "#/$defs/stats_applayer_error"
"description": "Number of flows for PostgreSQL protocol",
"type": "integer"
},
+ "pop3": {
+ "type": "integer"
+ },
"quic": {
"description": "Number of flows for QUIC protocol",
"type": "integer"
"description": "Number of transactions for PostgreSQL protocol",
"type": "integer"
},
+ "pop3": {
+ "type": "integer"
+ },
"quic": {
"description": "Number of transactions for QUIC protocol",
"type": "integer"
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP,
"1|20|capability", 12, 0, STREAM_TOSERVER) < 0)
{
- SCLogInfo("imap proto registration failure");
- exit(EXIT_FAILURE);
+ FatalError("imap proto registration failure");
}
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"imap");
}
+ /** POP3 */
+ AppLayerProtoDetectRegisterProtocol(ALPROTO_POP3, "pop3");
+ if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "pop3")) {
+ if (AppLayerProtoDetectPMRegisterPatternCS(
+ IPPROTO_TCP, ALPROTO_POP3, "+OK ", 4, 0, STREAM_TOCLIENT) < 0) {
+ FatalError("pop3 proto registration failure");
+ }
+ } else {
+ SCLogInfo("Protocol detection and parser disabled for pop3 protocol.");
+ }
+
ValidateParsers();
return;
}
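Review bot: The POP3 block registers a single pattern, the four bytes `"+OK "` at offset 0 in the to-client direction, so classification depends entirely on the server's greeting and on that greeting carrying text after the status indicator. A server that greets with a bare `+OK` followed by CRLF would not match. Flows where the start of the server stream is not seen (for example midstream pickup) would presumably stay unclassified too, so rules keyed on the pop3 app-layer protocol would silently skip them. If the trailing space is deliberate, to avoid matching other protocols that reply `+OK` with no text, say so in a comment above the registration, e.g. `/* matches only the server "+OK " status line; a bare "+OK" greeting or a flow picked up after the greeting is not classified as pop3 */`. The enclosing function starts outside this hunk, so I cannot tell whether a to-server pattern or a port-based probe is registered elsewhere.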
{ ALPROTO_RDP, "rdp" },
{ ALPROTO_HTTP2, "http2" },
{ ALPROTO_BITTORRENT_DHT, "bittorrent-dht" },
+ { ALPROTO_POP3, "pop3" },
{ ALPROTO_HTTP, "http" },
{ ALPROTO_FAILED, "failed" },
#ifdef UNITTESTS
ALPROTO_RDP,
ALPROTO_HTTP2,
ALPROTO_BITTORRENT_DHT,
+ ALPROTO_POP3,
// signature-only (ie not seen in flow)
// HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2)
{ ALPROTO_RDP, (EveJsonSimpleTxLogFunc)rs_rdp_to_json },
{ ALPROTO_HTTP2, rs_http2_log_json },
{ ALPROTO_BITTORRENT_DHT, rs_bittorrent_dht_logger_log },
+ { ALPROTO_POP3, NULL }, // protocol detection only
{ ALPROTO_HTTP, NULL }, // signature protocol, not for app-layer logging
{ ALPROTO_FAILED, NULL },
#ifdef UNITTESTS
content-inspect-window: 4096
imap:
enabled: detection-only
+ pop3:
+ enabled: detection-only
smb:
enabled: yes
detection-ports: