From: Philippe Antoine Date: Thu, 2 Feb 2023 10:12:08 +0000 (+0100) Subject: pop3: protocol detection X-Git-Tag: suricata-8.0.0-beta1~1303 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c305ba37e18fd5abcb3812b9f9f3a987313622a;p=thirdparty%2Fsuricata.git pop3: protocol detection Ticket: #6366 --- diff --git a/doc/userguide/rules/differences-from-snort.rst b/doc/userguide/rules/differences-from-snort.rst index 9ca145c5e2..a32966c428 100644 --- a/doc/userguide/rules/differences-from-snort.rst +++ b/doc/userguide/rules/differences-from-snort.rst @@ -19,6 +19,7 @@ Automatic Protocol Detection - dns - http - imap (detection only by default; no parsing) + - pop3 (detection only by default; no parsing) - ftp - modbus (disabled by default; minimalist probe parser; can lead to false positives) - smb diff --git a/doc/userguide/rules/intro.rst b/doc/userguide/rules/intro.rst index 41f7fe0b83..56df9ab494 100644 --- a/doc/userguide/rules/intro.rst +++ b/doc/userguide/rules/intro.rst @@ -96,6 +96,7 @@ you can pick from. These are: * ssh * smtp * imap +* pop3 * modbus (disabled by default) * dnp3 (disabled by default) * enip (disabled by default) diff --git a/etc/schema.json b/etc/schema.json index d2af1037ae..77597135ee 100644 --- a/etc/schema.json +++ b/etc/schema.json @@ -4015,6 +4015,9 @@ "description": "Errors encountered parsing PostgreSQL protocol", "$ref": "#/$defs/stats_applayer_error" }, + "pop3": { + "$ref": "#/$defs/stats_applayer_error" + }, "quic": { "description": "Errors encountered parsing QUIC protocol", "$ref": "#/$defs/stats_applayer_error" @@ -4176,6 +4179,9 @@ "description": "Number of flows for PostgreSQL protocol", "type": "integer" }, + "pop3": { + "type": "integer" + }, "quic": { "description": "Number of flows for QUIC protocol", "type": "integer" 
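Review bot: The `pop3` entries added to etc/schema.json carry no `"description"`, while the neighbouring PostgreSQL and QUIC entries in each of these objects do, so whatever consumes the schema's descriptions sees a gap for the new counters. The flow-count entry in this hunk should read `"pop3": { "description": "Number of flows for POP3 protocol", "type": "integer" },`, and the error-stats entry earlier on the page wants a matching line whose wording avoids "parsing", since pop3 is registered detection-only with no parser (e.g. "Errors for POP3 protocol detection").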
@@ -4332,6 +4338,9 @@ "description": "Number of transactions for PostgreSQL protocol", "type": "integer" }, + "pop3": { + "type": "integer" + }, "quic": { "description": "Number of transactions for QUIC protocol", "type": "integer" diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index 895d4355f9..90923d0c9d 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -1763,14 +1763,24 @@ void AppLayerParserRegisterProtocolParsers(void) if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP, "1|20|capability", 12, 0, STREAM_TOSERVER) < 0) { - SCLogInfo("imap proto registration failure"); - exit(EXIT_FAILURE); + FatalError("imap proto registration failure"); } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", "imap"); } + /** POP3 */ + AppLayerProtoDetectRegisterProtocol(ALPROTO_POP3, "pop3"); + if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "pop3")) { + if (AppLayerProtoDetectPMRegisterPatternCS( + IPPROTO_TCP, ALPROTO_POP3, "+OK ", 4, 0, STREAM_TOCLIENT) < 0) { + FatalError("pop3 proto registration failure"); + } + } else { + SCLogInfo("Protocol detection and parser disabled for pop3 protocol."); + } + ValidateParsers(); return; } diff --git a/src/app-layer-protos.c b/src/app-layer-protos.c index b6e1b73d08..babe6ea83a 100644 --- a/src/app-layer-protos.c +++ b/src/app-layer-protos.c @@ -65,6 +65,7 @@ const AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = { { ALPROTO_RDP, "rdp" }, { ALPROTO_HTTP2, "http2" }, { ALPROTO_BITTORRENT_DHT, "bittorrent-dht" }, + { ALPROTO_POP3, "pop3" }, { ALPROTO_HTTP, "http" }, { ALPROTO_FAILED, "failed" }, #ifdef UNITTESTS diff --git a/src/app-layer-protos.h b/src/app-layer-protos.h index 5c27255a7b..00a5a54811 100644 --- a/src/app-layer-protos.h +++ b/src/app-layer-protos.h 
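Review bot: The pattern registered for POP3, `"+OK ", 4, 0, STREAM_TOCLIENT`, requires a space after the status indicator, but RFC 1939 only requires the greeting to be a positive response, so a bare `+OK\r\n` greeting is valid and would not be detected; registering `"+OK", 3, 0, STREAM_TOCLIENT` instead covers both forms at the cost of matching three bytes rather than four. Either way detection rests on one short banner pattern in a single direction with no to-server pattern, so a server that controls its first bytes can opt in or out of the label at will, and because pop3 is registered detection-only a flow labelled this way presumably receives no further app-layer parsing; that deserves a comment above the registration, e.g. `/* banner-only detection: no parser is attached, so a matched flow gets no app-layer inspection */`. Minor style point: the disabled-branch message is a literal while the imap branch just above uses the `"%s protocol."`/`"imap"` form; `SCLogInfo("Protocol detection and parser disabled for %s protocol.", "pop3");` keeps the two consistent. The enclosing AppLayerParserRegisterProtocolParsers body begins outside the hunk.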
@@ -61,6 +61,7 @@ enum AppProtoEnum { ALPROTO_RDP, ALPROTO_HTTP2, ALPROTO_BITTORRENT_DHT, + ALPROTO_POP3, // signature-only (ie not seen in flow) // HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2) diff --git a/src/output.c b/src/output.c index 0661854d22..2203086138 100644 --- a/src/output.c +++ b/src/output.c @@ -1147,6 +1147,7 @@ static EveJsonSimpleAppLayerLogger simple_json_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_RDP, (EveJsonSimpleTxLogFunc)rs_rdp_to_json }, { ALPROTO_HTTP2, rs_http2_log_json }, { ALPROTO_BITTORRENT_DHT, rs_bittorrent_dht_logger_log }, + { ALPROTO_POP3, NULL }, // protocol detection only { ALPROTO_HTTP, NULL }, // signature protocol, not for app-layer logging { ALPROTO_FAILED, NULL }, #ifdef UNITTESTS diff --git a/suricata.yaml.in b/suricata.yaml.in index 414f12f7ea..6c4fbe3823 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -987,6 +987,8 @@ app-layer: content-inspect-window: 4096 imap: enabled: detection-only + pop3: + enabled: detection-only smb: enabled: yes detection-ports:
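Review bot: Inserting `ALPROTO_POP3` in the middle of enum AppProtoEnum renumbers `ALPROTO_HTTP`, `ALPROTO_FAILED` and `ALPROTO_MAX`, which is harmless for the in-tree tables this commit extends in step (AppProtoStrings in app-layer-protos.c, simple_json_applayer_loggers in output.c) but would silently break anything that mirrors the numeric values outside this enum, if such a consumer exists. The coupling is undocumented; a comment on the enum such as `// every value added here also needs an entry in AppProtoStrings[] (app-layer-protos.c) and simple_json_applayer_loggers[] (output.c)` would make it explicit for the next addition. The enum body extends beyond the hunk on both sides.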