[Snort-devel] smtp: ignore flow after STARTTLS if ignore_tls_data is set

Florian Westphal florian.westphal at ...3285...
Thu Aug 22 11:10:44 EDT 2013


Hi.

The SMTP preprocessor correctly detects the STARTTLS handshake, but it does
not whitelist the remainder of the flow.

Is there any reason why?  This patch seems to do what I want:

Thanks,
Florian

diff --git a/src/dynamic-preprocessors/smtp/snort_smtp.c b/src/dynamic-preprocessors/smtp/snort_smtp.c
--- a/src/dynamic-preprocessors/smtp/snort_smtp.c
+++ b/src/dynamic-preprocessors/smtp/snort_smtp.c
@@ -2093,8 +2093,11 @@ static int SMTP_ProcessServerPacket(SFSnortPacket *p, int *next_state)
         /* Ignore data */
         if (smtp_eval_config->ignore_tls_data)
         {
-            DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n"););
-            _dpd.SetAltDecode(0);
+            DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stopping TLS session inspection\n"););
+            _dpd.streamAPI->stop_inspection(
+				p->stream_session_ptr,
+				p, SSN_DIR_BOTH, -1, 0 );
+
         }
 
         return 0;
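Review bot: the `/* Ignore data */` comment that remains above the `if` no longer describes what the block does, and the two trailing arguments in `_dpd.streamAPI->stop_inspection(p->stream_session_ptr, p, SSN_DIR_BOTH, -1, 0)` are unexplained magic values; reword the comment to say that inspection is stopped for the rest of the session in both directions, and add a short comment (or use named constants if the stream API provides them) saying what the `-1` and `0` arguments select. Style: the two continuation lines of the call are indented with tabs while the surrounding file uses spaces, and the added blank line before the closing `}` is stray.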
@@ -2176,8 +2179,11 @@ static int SMTP_ProcessServerPacket(SFSnortPacket *p, int *next_state)
                 /* Ignore data */
                 if (smtp_eval_config->ignore_tls_data)
                 {
-                    DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n"););
-                    _dpd.SetAltDecode(0);
+                    DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stopping TLS session inspection\n"););
+                    _dpd.streamAPI->stop_inspection(
+				p->stream_session_ptr,
+				p, SSN_DIR_BOTH, -1, 0 );
+
                 }
 
                 return 0;
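Review bot: this block is a verbatim copy of the one in the previous hunk; factor the debug message and the `stop_inspection` call into a small static helper (for example `SMTP_StopTLSInspection(p)`) so the two call sites cannot drift apart, and apply the same tab-vs-space and stray-blank-line fix here. Also worth confirming that dropping `_dpd.SetAltDecode(0)` at both sites is intentional: if the alt-decode state still needs to be cleared for the current packet before the session is handed off to the stream layer, keep that call alongside the new one rather than replacing it.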