Smtp inspection fix/v3 #13550

inashivb · 2025-06-30T10:33:37Z

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7783

Restores behavior from the past rejected PR b4c51d3 as that was correct.

Previous PR: #13507

Changes since v2:

broke the commits; made message clearer
also covered the anomaly case (trigger inspection even in case of anomaly)
rebased on top of latest master

NOTE: Requires upgrading of at least one internal test.

to build the correct behavior. As a part of ab01a1b, in order to match the behavior in master, the calls for triggering raw stream inspection were made when communication in one direction for a transaction was completed. However, it was incorrect to do so. Reliable inspection requires any request line/response line to be completed. Bug 7783

Internals --------- Suricata's stream engine returns data for inspection to the detection engine from the stream when the chunk size is reached. Bug --- Inspection triggered only in the specified chunk sizes may be too late when it comes to inspection of smaller protocol specific data which could result in delayed inspection, incorrect data logged with a transaction and logs misindicating the pkt that triggered an alert. Fix --- Fix this by making an explicit call from all respective applayer parsers to trigger raw stream inspection which shall make the data available for inspection in the following call of the stream engine. This needs to happen per direction on the completion of an entity like a request or a response. Important notes --------------- 1. The above mentioned behavior with and without this patch is affected internally by the following conditions. - inspection depth - stream depth In these special cases, the inspection window will be affected and Suricata may not consider all the data that could be expected to be inspected. 2. This only applies to applayer protocols running over TCP. 3. The inspection window is only considered up to the ACK'd data. 4. This entire issue is about IDS mode only. SMTP parser can handle multiple command lines per direction. Appropriate calls to trigger raw stream inspection have been added on succesful parsing of each request line and response line. For the requests, the call to trigger inspection has been added in the beginning rather than the completion of transactions. This does not affect the inspection as it is actually triggered in the following call. This covers the case for anomaly as well. There are two benefits for this: - immediate inspection for anomalous data - flushing of the anomalous data making next data's inspection cleaner Bug 7783

codecov · 2025-06-30T11:16:22Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.51%. Comparing base (055d270) to head (4171a74).
Report is 6 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #13550   +/-   ##
=======================================
  Coverage   83.51%   83.51%           
=======================================
  Files        1011     1011           
  Lines      275053   275052    -1     
=======================================
+ Hits       229707   229715    +8     
+ Misses      45346    45337    -9

Flag	Coverage Δ
fuzzcorpus	`61.82% <100.00%> (+0.05%)`	⬆️
livemode	`19.09% <0.00%> (+0.13%)`	⬆️
pcap	`44.68% <100.00%> (-0.02%)`	⬇️
suricata-verify	`65.05% <100.00%> (-0.02%)`	⬇️
unittests	`59.17% <85.71%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

suricata-qa · 2025-06-30T12:55:03Z

Information: QA ran without warnings.

Pipeline = 26665

catenacyber

Thanks for the work,

CI : ✅ (not sure about the internal test you are mentioning)
Code : good
Commits segmentation : ok
Commit messages : good (I do not know if we are doing reverts)
Git ID set : looks fine for me
CLA : you already contributed
Doc update : nice
Redmine ticket : ok
Rustfmt : no rust
Tests : Should we have a SV test ?
Dependencies added: none

victorjulien · 2025-07-01T06:52:37Z

Merged in #13557, thanks!

inashivb added 3 commits June 30, 2025 15:57

doc: add upgrade note about change in inspection

4171a74

inashivb requested review from jufajardini and victorjulien as code owners June 30, 2025 10:33

inashivb requested a review from catenacyber June 30, 2025 10:33

victorjulien approved these changes Jun 30, 2025

View reviewed changes

victorjulien added this to the 8.0 milestone Jun 30, 2025

catenacyber approved these changes Jun 30, 2025

View reviewed changes

victorjulien mentioned this pull request Jul 1, 2025

next/930/20250630/v1 #13557

Merged

victorjulien closed this Jul 1, 2025

inashivb deleted the smtp-inspection-fix/v3 branch July 1, 2025 07:00

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Smtp inspection fix/v3 #13550

Smtp inspection fix/v3 #13550

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Smtp inspection fix/v3 #13550

Smtp inspection fix/v3 #13550

Conversation

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!