1/* Copyright (C) 2024 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
22 *
23 */
24
25#include "app-layer.h"
27#include "app-layer-imap.h"
28
/**
 * \brief Register the byte patterns used to detect IMAP over TCP.
 *
 * All patterns are registered case-insensitively at offset 0. The to-client
 * entries are untagged server responses and use a search depth equal to the
 * pattern length, so only data that begins with the response text matches.
 * The single to-server entry is the CAPABILITY command, which is preceded by
 * a client-chosen tag; the depth for that entry is explained in the table.
 *
 * Registration happens in table order and stops at the first failure, so a
 * -1 return means the remaining patterns were never registered.
 *
 * \retval 0 every pattern was registered
 * \retval -1 a registration call failed
 */
static int IMAPRegisterPatternsForProtocolDetection(void)
{
    static const struct {
        const char *pattern;
        uint16_t depth;
        uint8_t direction;
    } imap_patterns[] = {
        /* untagged server responses: depth == strlen(pattern) */
        { "* OK ", 5, STREAM_TOCLIENT },
        { "* NO ", 5, STREAM_TOCLIENT },
        { "* BAD ", 6, STREAM_TOCLIENT },
        { "* LIST ", 7, STREAM_TOCLIENT },
        { "* ESEARCH ", 10, STREAM_TOCLIENT },
        { "* STATUS ", 9, STREAM_TOCLIENT },
        { "* FLAGS ", 8, STREAM_TOCLIENT },
        /*
         * Client CAPABILITY command, prefixed by a tag of the client's choosing.
         * No RFC bounds the tag length; some implementations cap it at 20
         * characters, but a depth of 31 breaks unit tests such as AppLayerTest10,
         * which expects protocol detection to complete with only 17 bytes of
         * input. Depth is therefore 17 = 6 (max tag length) + 1 (space) +
         * 10 (len("CAPABILITY")) until the unit-test situation is resolved.
         *
         * Consequence for detection: a client that sends a tag longer than 6
         * bytes pushes " CAPABILITY" past this window and the to-server
         * pattern will not fire; IMAP is then only recognised through the
         * to-client response patterns above.
         */
        { " CAPABILITY", 17, STREAM_TOSERVER },
    };

    for (size_t i = 0; i < sizeof(imap_patterns) / sizeof(imap_patterns[0]); i++) {
        if (SCAppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_IMAP,
                    imap_patterns[i].pattern, imap_patterns[i].depth, 0,
                    imap_patterns[i].direction) < 0) {
            return -1;
        }
    }

    return 0;
}
83
/**
 * \brief Register IMAP with the app-layer protocol detection engine.
 *
 * Registration is skipped entirely when protocol detection for "imap" over
 * "tcp" is disabled in the configuration. Otherwise the protocol is
 * registered and its detection patterns are installed; a pattern
 * registration failure is logged but does not abort start-up.
 */
void RegisterIMAPParsers(void)
{
    const char *proto_name = "imap";

    if (!SCAppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) {
        SCLogDebug("Protocol detector and parser disabled for IMAP.");
        return;
    }

    SCLogDebug("IMAP protocol detection is enabled.");
    AppLayerProtoDetectRegisterProtocol(ALPROTO_IMAP, proto_name);

    /* Best-effort: the protocol stays registered even if some or all of the
     * detection patterns could not be installed; the error is only logged. */
    if (IMAPRegisterPatternsForProtocolDetection() < 0) {
        SCLogError("Failed to register IMAP protocol detection patterns.");
    }
}