
imap: extend detection patterns
Ticket: OISF#2886

Signed-off-by: mmaatuq <[email protected]>
mmaatuq committed Mar 14, 2024
1 parent ece2029 commit e6e77ab
Showing 4 changed files with 121 additions and 15 deletions.
3 changes: 3 additions & 0 deletions src/Makefile.am
Expand Up @@ -51,6 +51,8 @@ noinst_HEADERS = \
app-layer-ssh.h \
app-layer-ssl.h \
app-layer-tftp.h \
app-layer-imap.h \
autoconf.h \
build-info.h \
conf.h \
conf-yaml-loader.h \
Expand Down Expand Up @@ -675,6 +677,7 @@ libsuricata_c_a_SOURCES = \
app-layer-ssh.c \
app-layer-ssl.c \
app-layer-tftp.c \
app-layer-imap.c \
conf.c \
conf-yaml-loader.c \
counters.c \
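--- a/src/app-layer-imap.c
+++ b/src/app-layer-imap.c
@@ -0,0 +1,88 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+*
+* You can copy, redistribute or modify this Program under the terms of
+* the GNU General Public License version 2 as published by the Free
+* Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* version 2 along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+* 02110-1301, USA.
+*/
+
+/**
+* \file
+*
+* \author Mahmoud Maatuq <[email protected]>
+*
+*/
+
+#include "app-layer.h"
+#include "app-layer-detect-proto.h"
+#include "rust-bindings.h"
+#include "app-layer-imap.h"
+
+static int IMAPRegisterPatternsForProtocolDetection(void)
+{
+if (AppLayerProtoDetectPMRegisterPatternCI(
+IPPROTO_TCP, ALPROTO_IMAP, "* OK ", 5, 0, STREAM_TOCLIENT) < 0) {
+return -1;
+}
+
+if (AppLayerProtoDetectPMRegisterPatternCI(
+IPPROTO_TCP, ALPROTO_IMAP, "* NO ", 5, 0, STREAM_TOCLIENT) < 0) {
+return -1;
+}
+
+if (AppLayerProtoDetectPMRegisterPatternCI(
+IPPROTO_TCP, ALPROTO_IMAP, "* BAD ", 6, 0, STREAM_TOCLIENT) < 0) {
+return -1;
+}
+
+if (AppLayerProtoDetectPMRegisterPatternCI(
+IPPROTO_TCP, ALPROTO_IMAP, "* LIST ", 7, 0, STREAM_TOCLIENT) < 0) {
+return -1;
+}
+
+if (AppLayerProtoDetectPMRegisterPatternCI(
+IPPROTO_TCP, ALPROTO_IMAP, "* ESEARCH ", 10, 0, STREAM_TOCLIENT) < 0) {
+return -1;
+}
+
+if (AppLayerProtoDetectPMRegisterPatternCI(
+IPPROTO_TCP, ALPROTO_IMAP, "* STATUS ", 9, 0, STREAM_TOCLIENT) < 0) {
+return -1;
+}
+
+if (AppLayerProtoDetectPMRegisterPatternCI(
+IPPROTO_TCP, ALPROTO_IMAP, "* FLAGS ", 8, 0, STREAM_TOCLIENT) < 0) {
+return -1;
+}
+
+if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_IMAP, "CAPABILITY",
+31 /*20 for max tag len + space + len(CAPABILITY)*/, 0, STREAM_TOSERVER) < 0) {
+return -1;
+}
+
+return 0;
+}
+
+void RegisterIMAPParsers(void)
+{
+const char *proto_name = "imap";
+
+if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) {
+SCLogDebug("IMAP protocol detection is enabled.");
+AppLayerProtoDetectRegisterProtocol(ALPROTO_IMAP, proto_name);
+if (IMAPRegisterPatternsForProtocolDetection() < 0)
+return;
+} else {
+SCLogDebug("Protocol detector and parser disabled for IMAP.");
+return;
+}
+}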
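Review bot: RegisterIMAPParsers drops a failure of IMAPRegisterPatternsForProtocolDetection silently — the `return;` under the `< 0` check logs nothing, whereas the block this replaces in app-layer-parser.c logged and exited, so a failed pattern registration now leaves ALPROTO_IMAP registered with no detection patterns and no trace in the logs. I would at least emit `SCLogError("IMAP protocol detection pattern registration failed");` before that return, or have the function return an error the caller can act on. Separately, the to-server pattern `"CAPABILITY"` with depth 31 is a case-insensitive substring match anywhere in the first 31 bytes, which is considerably wider than the tag-anchored `"1|20|capability"` it replaces; any client whose opening command is a CAPABILITY verb (ManageSieve, RFC 5804, has one) would presumably now be classified as IMAP, which is worth checking against the detection test suite. The "20 for max tag len" in the depth comment is a chosen bound rather than a limit I can find in the IMAP RFCs, so the comment should say so, e.g. `/* depth: 20-byte tag budget (no RFC maximum) + space + strlen("CAPABILITY") */`.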
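--- a/src/app-layer-imap.h
+++ b/src/app-layer-imap.h
@@ -0,0 +1,28 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+*
+* You can copy, redistribute or modify this Program under the terms of
+* the GNU General Public License version 2 as published by the Free
+* Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* version 2 along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+* 02110-1301, USA.
+*/
+
+/**
+* \file
+*
+* \author Mahmoud Maatuq <[email protected]>
+*
+*/
+
+#ifndef __APP_LAYER_IMAP_H__
+#define __APP_LAYER_IMAP_H__
+void RegisterIMAPParsers(void);
+#endif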
17 changes: 2 additions & 15 deletions src/app-layer-parser.c
Expand Up @@ -61,6 +61,7 @@
#include "app-layer-quic.h"
#include "app-layer-rdp.h"
#include "app-layer-http2.h"
#include "app-layer-imap.h"

struct AppLayerParserThreadCtx_ {
void *alproto_local_storage[FLOW_PROTO_MAX][ALPROTO_MAX];
Expand Down Expand Up @@ -1770,21 +1771,7 @@ void AppLayerParserRegisterProtocolParsers(void)
RegisterRdpParsers();
RegisterHTTP2Parsers();
rs_telnet_register_parser();

/** IMAP */
AppLayerProtoDetectRegisterProtocol(ALPROTO_IMAP, "imap");
if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", "imap")) {
if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_IMAP,
"1|20|capability", 12, 0, STREAM_TOSERVER) < 0)
{
SCLogInfo("imap proto registration failure");
exit(EXIT_FAILURE);
}
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
"imap");
}

RegisterIMAPParsers();
ValidateParsers();
return;
}
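Review bot: The new `RegisterIMAPParsers();` call changes when ALPROTO_IMAP gets registered: the removed block called AppLayerProtoDetectRegisterProtocol(ALPROTO_IMAP, "imap") unconditionally before consulting the config, while RegisterIMAPParsers (in app-layer-imap.c) only registers it inside the "detection enabled" branch. If anything depends on the "imap" name being known to the alproto table when detection is switched off — name lookups for logging or rule keywords, presumably — that behaviour is gone, and the commit message does not mention it; worth confirming or calling out in the message. The enclosing function AppLayerParserRegisterProtocolParsers starts outside the hunk.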
