ftp: protocol detection avoiding FP on POP3

author Philippe Antoine <pantoine@oisf.net>

Thu, 2 Feb 2023 10:03:56 +0000 (11:03 +0100)

committer Victor Julien <victor@inliniac.net>

Thu, 16 May 2024 17:58:33 +0000 (19:58 +0200)
author Philippe Antoine <pantoine@oisf.net>
Thu, 2 Feb 2023 10:03:56 +0000 (11:03 +0100)
committer Victor Julien <victor@inliniac.net>
Thu, 16 May 2024 17:58:33 +0000 (19:58 +0200)
diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c

index d1db0d4ef0c38d0266c97ae34bf85c06c4f2d75c..d2777198ab4e75aff68e12a1f6fb6835b9fad118 100644 (file)
--- a/src/app-layer-ftp.c
+++ b/src/app-layer-ftp.c
@@ -951,6 +951,15 @@ static int FTPGetAlstateProgress(void *vtx, uint8_t direction)
      return FTP_STATE_FINISHED;
  }
  
+static AppProto FTPUserProbingParser(
+        Flow *f, uint8_t direction, const uint8_t *input, uint32_t len, uint8_t *rdir)
+{
+    if (f->alproto_tc == ALPROTO_POP3) {
+        // POP traffic begins by same "USER" pattern as FTP
+        return ALPROTO_FAILED;
+    }
+    return ALPROTO_FTP;
+}
  
  static int FTPRegisterPatternsForProtocolDetection(void)
  {
@@ -962,8 +971,8 @@ static int FTPRegisterPatternsForProtocolDetection(void)
                  IPPROTO_TCP, ALPROTO_FTP, "FEAT", 4, 0, STREAM_TOSERVER) < 0) {
          return -1;
      }
-    if (AppLayerProtoDetectPMRegisterPatternCI(
-                IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0, STREAM_TOSERVER) < 0) {
+    if (AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP, ALPROTO_FTP, "USER ", 5, 0,
+                STREAM_TOSERVER, FTPUserProbingParser, 5, 5) < 0) {
          return -1;
      }
      if (AppLayerProtoDetectPMRegisterPatternCI(
author	Philippe Antoine <pantoine@oisf.net>
	Thu, 2 Feb 2023 10:03:56 +0000 (11:03 +0100)
committer	Victor Julien <victor@inliniac.net>
	Thu, 16 May 2024 17:58:33 +0000 (19:58 +0200)