imap: extend detection patterns - v6

[mmaatuq]

Ticket: #2886

Make sure these boxes are signed before submitting your Pull Request -- thank you.

• I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
• I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)
• I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket:2886

Describe changes:

• extend detection patterns for imap protocol as per rfc9051
• compared to this previous PR notes on PR imap: extend detection patterns - v5 #10740 were incorporated.
• this is not comprehensive and might create more false positives, but i think this tradeoff is acceptable, and we can overcome these limitations when we add a complete parser.

SV_BRANCH=OISF/suricata-verify#1768

[github-actions]

NOTE: This PR may contain new authors.

[catenacyber]

Thanks for the work :-)

This PR looks good to me, but the SV one needs a small update

• CI : 🟢
• Code : Looking good for me
• Commits segmentation : ok
• Commit messages : ok for me
• Git ID set : looks fine for me
• CLA : I do not have the access to check it
• Doc update : not needed
• Redmine ticket : ok
• Rustfmt : not needed
• Tests : 🟠 Left one remark there
• Dependencies added: none

[catenacyber]

@mmaatuq could you please rebase and fix the conflict ?

[github-actions]

NOTE: This PR may contain new authors.

[codecov]

Codecov Report

Attention: Patch coverage is 70.58824% with 10 lines in your changes are missing coverage. Please review.

Project coverage is 79.76%. Comparing base (10a367b) to head (053c21c).

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #10851      +/-   ##
==========================================
- Coverage   82.96%   79.76%   -3.21%     
==========================================
  Files         942      943       +1     
  Lines      250569   250418     -151     
==========================================
- Hits       207876   199735    -8141     
- Misses      42693    50683    +7990     

Flag	Coverage Δ
fuzzcorpus	61.29% <70.58%> (+<0.01%)	⬆️
livemode	18.71% <70.58%> (+0.01%)	⬆️
pcap	44.29% <70.58%> (-0.21%)	⬇️
suricata-verify	?
unittests	60.65% <70.58%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

[catenacyber]

I guess this needs a rebase for both suricata-verify PR and this one to get CI green

[mmaatuq]

I think I'll have to do this for couple of more weeks :D

…

On Fri, May 31, 2024, 00:12 Catena cyber ***@***.***> wrote: I guess this needs a rebase for both suricata-verify PR and this one to get CI green — Reply to this email directly, view it on GitHub <#10851 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACLAVPUHEDPW2GZT7CYH3BDZE6B3NAVCNFSM6AAAAABGIBACBSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBQG44TCNBRGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[catenacyber]

Needs a rebase (for SV as well)

[github-actions]

NOTE: This PR may contain new authors.

[mmaatuq]

I'm running CentOS Stream 8 and the 3 reported failed tests, pass on that machine.

[catenacyber]

I'm running CentOS Stream 8 and the 3 reported failed tests, pass on that machine.

You should likely create a new rebased SV PR (to avoid some GitHub caching)