From: Shivani Bhardwaj Date: Mon, 30 Jun 2025 10:24:35 +0000 (+0530) Subject: smtp: trigger raw stream inspection X-Git-Tag: suricata-8.0.0~12 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=e8f78da123c51b055f911d28d31f6b5dedbb4c0f;p=thirdparty%2Fsuricata.git smtp: trigger raw stream inspection Internals --------- Suricata's stream engine returns data for inspection to the detection engine from the stream when the chunk size is reached. Bug --- Inspection triggered only in the specified chunk sizes may be too late when it comes to inspection of smaller protocol specific data which could result in delayed inspection, incorrect data logged with a transaction and logs misindicating the pkt that triggered an alert. Fix --- Fix this by making an explicit call from all respective applayer parsers to trigger raw stream inspection which shall make the data available for inspection in the following call of the stream engine. This needs to happen per direction on the completion of an entity like a request or a response. Important notes --------------- 1. The above mentioned behavior with and without this patch is affected internally by the following conditions. - inspection depth - stream depth In these special cases, the inspection window will be affected and Suricata may not consider all the data that could be expected to be inspected. 2. This only applies to applayer protocols running over TCP. 3. The inspection window is only considered up to the ACK'd data. 4. This entire issue is about IDS mode only. SMTP parser can handle multiple command lines per direction. Appropriate calls to trigger raw stream inspection have been added on succesful parsing of each request line and response line. For the requests, the call to trigger inspection has been added in the beginning rather than the completion of transactions. This does not affect the inspection as it is actually triggered in the following call. This covers the case for anomaly as well. There are two benefits for this: - immediate inspection for anomalous data - flushing of the anomalous data making next data's inspection cleaner Bug 7783 --- diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c index 82dbc0a535..a7b76ec442 100644 --- a/src/app-layer-smtp.c +++ b/src/app-layer-smtp.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2024 Open Information Security Foundation +/* Copyright (C) 2007-2025 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -977,6 +977,7 @@ static int SMTPProcessReply( state->cmds_cnt = 0; state->cmds_idx = 0; } + AppLayerParserTriggerRawStreamInspection(f, STREAM_TOCLIENT); return 0; } @@ -1178,6 +1179,7 @@ static int SMTPProcessRequest( * STARTTLS and DATA */ if (!(state->parser_state & SMTP_PARSER_STATE_COMMAND_DATA_MODE)) { int r = 0; + AppLayerParserTriggerRawStreamInspection(f, STREAM_TOSERVER); if (line->len >= 8 && SCMemcmpLowercase("starttls", line->buf, 8) == 0) { state->current_command = SMTP_COMMAND_STARTTLS;