
IMAP protocol parser, logger and sticky buffers v7 #15617

Closed
glongo wants to merge 4 commits into OISF:main from glongo:dev-imap-proto-v7


Conversation

glongo (Contributor) commented Jun 11, 2026

Changes:

  • Added description about transaction states and bounded data structures
  • Made email.body_md5 compatible with IMAP
  • Plain authentication is no longer logged
  • Addressed comments in the old PR

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8276

Previous PR: #15400

SV_BRANCH=OISF/suricata-verify#2908

glongo added 4 commits June 11, 2026 13:31
This introduces a parser for the IMAP protocol.

An IMAP transaction has two states driven by the 'complete' field:
  - Open (complete = false): waiting for a matching tagged response.
  - Complete (complete = true): tagged response received, or special
    conditions met (BYE, server greeting).

Completion logic (is_complete):
- If a tagged request exists: requires a matching tagged response.
- No tagged request + BYE: complete (server closing).
- No tagged request + any response: complete (server greeting).

Transactions are created in three places:
1. Request parser: every parsed command creates a new tx.
2. Response parser (tagged, no matching request): midstream/async;
   orphan tagged response gets its own tx.
3. Response parser (untagged, no incomplete tx): server greeting or
   unsolicited response.

Once open, messages accumulate:
- Request side: continuation and literal data attach to the most
  recent incomplete tx.
- Response side: untagged responses attach to the most recent
  incomplete tx; tagged responses attach via find_request(tag).

Email extraction happens at most once per tx:
- From literal data in APPEND commands (request side).
- From FETCH response data (response side).

Six hard limits prevent unbounded growth:
- IMAP_MAX_TX (256, configurable): total transactions. Exceeded:
  all incomplete txs force-completed with TooManyTransactions event.
- IMAP_MAX_MSGS_PER_TX (512): requests/responses per tx. Exceeded:
  message silently dropped.
- IMAP_MAX_LINES (512): request/response lines per tx. Exceeded:
  line silently dropped.
- IMAP_MAX_HEADERS (512): headers in ImapParsedEmail. Exceeded:
  TooManyHeaders event.
- IMAP_MAX_BODY_SIZE (10 MB): email body in ImapParsedEmail.
  Exceeded: body truncated, BodyTooLarge event.
- Literal size (u32): bounded by declared size in {N} specifier.

IMAP_MAX_TX is the only configurable limit, via
app-layer.protocols.imap.max-tx.

Ticket OISF#8276
This introduces a logger for the IMAP protocol.

Ticket OISF#8276
This implements the following sticky buffers for the IMAP protocol:
- imap.request
- imap.response

The following frames have been added:
- imap.body
- imap.headers
- imap.pdu

The following email sticky buffers have been updated to work with IMAP:
- email.from
- email.subject
- email.to
- email.cc
- email.date
- email.message_id
- email.x_mailer

The following email sticky buffers have been added and are supported
only for IMAP:
- email.command
- email.body
- email.header
- email.header.name
- email.header.value

Ticket OISF#8276
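As an added example that is not part of this PR or of Suricata's code, the Rust sketch below models the transaction rules and limits spelled out in the first commit message: a transaction opens on a tagged command and completes only on the matching tagged response, an orphan tagged response or a greeting gets a transaction of its own, continuation and literal data attach to the newest open transaction, messages past IMAP_MAX_MSGS_PER_TX are silently dropped, and hitting IMAP_MAX_TX force-completes every open transaction with a TooManyTransactions event. Every type and function name here is an assumption; literal handling is simplified to one line of data per {N}, and free_completed stands in for the engine freeing transactions once they have been logged.

```rust
// Added example, not Suricata's code: a toy model of the IMAP transaction lifecycle and hard limits described above. All names are assumptions.
#[derive(Debug, Clone, PartialEq)]
pub enum Event { TooManyTransactions }

#[derive(Debug, Default)]
pub struct Tx {
    pub tag: Option<String>,    // client command tag, or tag of an orphan response
    pub requests: Vec<String>,  // command line plus any literal data
    pub responses: Vec<String>, // untagged, continuation and tagged server lines
    pub complete: bool,
    pub events: Vec<Event>,
}

pub const IMAP_MAX_TX: usize = 256; // default of app-layer.protocols.imap.max-tx
pub const IMAP_MAX_MSGS_PER_TX: usize = 512;

#[derive(Debug, Default)]
pub struct ImapState {
    pub txs: Vec<Tx>,
    max_tx: usize,
    pending_literal: u32, // bytes announced by a trailing {N}; 0 when none
}

// Size of a trailing {N} or {N+} literal specifier; the u32 parse is the bound.
pub fn literal_size(line: &str) -> Option<u32> {
    let l = line.trim_end();
    let open = l.rfind('{')?;
    if !l.ends_with('}') { return None; }
    l[open + 1..l.len() - 1].trim_end_matches('+').parse().ok()
}

// Append to a tx message list; silently dropped once IMAP_MAX_MSGS_PER_TX is hit.
fn push_msg(list: &mut Vec<String>, msg: &str) -> bool {
    if list.len() >= IMAP_MAX_MSGS_PER_TX { return false; }
    list.push(msg.to_string());
    true
}

impl ImapState {
    pub fn new(max_tx: usize) -> Self { ImapState { max_tx, ..Default::default() } }
    fn is_complete(tx: &Tx) -> bool {
        match &tx.tag {
            // a tagged request completes only with its matching tagged response
            Some(tag) if !tx.requests.is_empty() =>
                tx.responses.iter().any(|r| r.split_whitespace().next() == Some(tag.as_str())),
            // no tagged request: BYE, a greeting or an orphan tagged response completes it
            _ => !tx.responses.is_empty(),
        }
    }
    fn last_incomplete(&self) -> Option<usize> { self.txs.iter().rposition(|t| !t.complete) }
    fn find_request(&self, tag: &str) -> Option<usize> {
        self.txs.iter().rposition(|t| !t.complete && t.tag.as_deref() == Some(tag))
    }
    fn new_tx(&mut self, tag: Option<String>) -> usize {
        if self.txs.len() >= self.max_tx {
            // IMAP_MAX_TX exceeded: force-complete every open tx and flag it
            for tx in self.txs.iter_mut().filter(|t| !t.complete) {
                tx.complete = true;
                tx.events.push(Event::TooManyTransactions);
            }
        }
        self.txs.push(Tx { tag, ..Default::default() });
        self.txs.len() - 1
    }
    // One client line; returns the index of the tx it was attached to.
    pub fn parse_request(&mut self, line: &str) -> Option<usize> {
        if self.pending_literal > 0 {
            self.pending_literal = 0; // literal data attaches to the newest open tx
            let idx = self.last_incomplete()?;
            push_msg(&mut self.txs[idx].requests, line);
            return Some(idx);
        }
        let tag = line.split_whitespace().next()?.to_string();
        let idx = self.new_tx(Some(tag)); // every command opens a new tx
        push_msg(&mut self.txs[idx].requests, line);
        self.pending_literal = literal_size(line).unwrap_or(0);
        Some(idx)
    }
    // One server line; returns the index of the tx it was attached to.
    pub fn parse_response(&mut self, line: &str) -> Option<usize> {
        let first = line.split_whitespace().next()?;
        let idx = if first == "*" || first == "+" {
            // untagged / continuation: newest open tx, else greeting or unsolicited
            match self.last_incomplete() { Some(i) => i, None => self.new_tx(None) }
        } else {
            // tagged: match by tag; an orphan (midstream, async) gets its own tx
            match self.find_request(first) { Some(i) => i, None => self.new_tx(Some(first.to_string())) }
        };
        push_msg(&mut self.txs[idx].responses, line);
        let done = Self::is_complete(&self.txs[idx]);
        self.txs[idx].complete = done;
        Some(idx)
    }
    // Stands in for the engine freeing completed txs after logging, which keeps the count bounded.
    pub fn free_completed(&mut self) { self.txs.retain(|t| !t.complete); }
}
```

Feed it one side at a time: a greeting completes immediately, "* 3 EXISTS" between a SELECT and its tagged OK lands on the SELECT transaction, the literal after "APPEND INBOX {12}" attaches to the APPEND transaction rather than opening a transaction tagged with its first word, and a "* BYE" sent while a tagged LOGOUT is pending does not complete it on its own, exactly as the completion rules above say.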
glongo requested review from a team, jasonish, jufajardini and victorjulien as code owners June 11, 2026 20:27

suricata-qa commented:

Information: QA ran without warnings.

Pipeline = 31997

codecov bot commented Jun 12, 2026

Codecov Report

❌ Patch coverage is 81.24759% with 487 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.83%. Comparing base (d154484) to head (e3000bc).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #15617      +/-   ##
==========================================
- Coverage   82.89%   82.83%   -0.07%     
==========================================
  Files        1006     1009       +3     
  Lines      273487   276035    +2548     
==========================================
+ Hits       226710   228654    +1944     
- Misses      46777    47381     +604     
Flag             Coverage   Patch     Δ
fuzzcorpus       60.83%     <14.27%>  (-0.58%) ⬇️
livemode         18.30%     <12.33%>  (-0.17%) ⬇️
netns            22.62%     <12.33%>  (-0.16%) ⬇️
pcap             45.34%     <61.46%>  (+0.11%) ⬆️
suricata-verify  66.71%     <73.89%>  (+0.05%) ⬆️
unittests        58.47%     <53.02%>  (-0.06%) ⬇️


glongo (Contributor, Author) commented Jun 15, 2026

Replaced with #15648

glongo closed this Jun 15, 2026