[Snort-devel] smtp: ignore flow after STARTTLS if ignore_tls_data is set

Florian Westphal florian.westphal at ...3285...
Mon Aug 26 11:40:00 EDT 2013


Bhagya Bantwal <bbantwal at ...402...> wrote:
> Florian,
> 
> Thank you for your email. Snort actually does whitelist the SMTP traffic.
> Code that does that is in SnortSMTP (dir == SMTP_PKT_FROM_CLIENT)
> line:2370. Snort only parses the Client and server certificates (Not the
> complete handshake)
> 
>        if ((smtp_ssn->state == STATE_TLS_DATA)
>                 || (smtp_ssn->state == STATE_TLS_SERVER_PEND))
>         {
>             /* if we're ignoring tls data, set a zero length alt buffer */
>             if (smtp_eval_config->ignore_tls_data)
>             {
>                 _dpd.SetAltDecode(0);
>                 _dpd.streamAPI->stop_inspection( p->stream_session_ptr, p, SSN_DIR_BOTH, -1, 0 );
>                 return;
>             }
>         }
> 
Hm.  Does not work for me with 2.9.5.3.

http://strlen.de/fw/starttls-pcap.cap

$ src/snort -r ~/starttls-test.cap  -c snort.conf -k none -K none -P 0xffff
[..]
Verdicts:
      Allow:           26 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)

With patch, I get "Whitelist: 16"
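To make the behaviour under discussion concrete, here is a small Python model of the STARTTLS state handling that the quoted SnortSMTP branch implements, together with a parser for the "Verdicts" summary used above to tell whether the flow was actually whitelisted. This is an added example written for this thread, not Snort code: the state names STATE_TLS_SERVER_PEND and STATE_TLS_DATA come from the quoted snippet, while STATE_COMMAND, STATE_TLS_CLIENT_PEND, the `step`/`run_session` functions and the SMTP exchange are assumptions constructed for the model. The verdict text is copied from the unpatched run above.

```python
import re

# Session states. STATE_TLS_SERVER_PEND and STATE_TLS_DATA are the names used in
# the quoted SnortSMTP snippet; STATE_COMMAND and STATE_TLS_CLIENT_PEND are
# assumed names for this model (constructed example, not Snort code).
STATE_COMMAND = "STATE_COMMAND"
STATE_TLS_CLIENT_PEND = "STATE_TLS_CLIENT_PEND"   # client sent STARTTLS, awaiting 220
STATE_TLS_SERVER_PEND = "STATE_TLS_SERVER_PEND"   # server answered 220, TLS begins
STATE_TLS_DATA = "STATE_TLS_DATA"                 # encrypted data in both directions

FROM_CLIENT = "client"
FROM_SERVER = "server"


def step(state, direction, payload, ignore_tls_data):
    """Advance the SMTP session state for one packet.

    Returns (new_state, action). action is "inspect" (payload goes to the SMTP
    parser) or "stop_inspection" (the flow is handed to the stream layer to be
    whitelisted, as the quoted code does via stop_inspection(SSN_DIR_BOTH)).
    """
    if direction == FROM_CLIENT:
        # Mirrors the quoted client-direction branch: once the server accepted
        # STARTTLS, every further client packet is TLS, so with
        # ignore_tls_data set inspection stops for both directions.
        if state in (STATE_TLS_DATA, STATE_TLS_SERVER_PEND):
            if ignore_tls_data:
                return STATE_TLS_DATA, "stop_inspection"
            return STATE_TLS_DATA, "inspect"   # certificates still get parsed
        if state == STATE_COMMAND and payload.strip().upper() == b"STARTTLS":
            return STATE_TLS_CLIENT_PEND, "inspect"
        return state, "inspect"

    # Server direction.
    if state == STATE_TLS_CLIENT_PEND:
        if payload[:3] == b"220":
            return STATE_TLS_SERVER_PEND, "inspect"
        # 4xx/5xx: server refused STARTTLS, the session stays plaintext SMTP.
        return STATE_COMMAND, "inspect"
    if state in (STATE_TLS_SERVER_PEND, STATE_TLS_DATA):
        return STATE_TLS_DATA, "inspect"
    return state, "inspect"


def run_session(transcript, ignore_tls_data):
    """Feed a list of (direction, payload) packets through the model.

    Returns (trace, stopped_at): trace holds (direction, state, action) per
    packet; stopped_at is the index at which stop_inspection fired, or None.
    Packets after that point never reach the preprocessor and are marked
    "whitelisted".
    """
    state = STATE_COMMAND
    trace = []
    stopped_at = None
    for i, (direction, payload) in enumerate(transcript):
        if stopped_at is not None:
            trace.append((direction, state, "whitelisted"))
            continue
        state, action = step(state, direction, payload, ignore_tls_data)
        if action == "stop_inspection":
            stopped_at = i
        trace.append((direction, state, action))
    return trace, stopped_at


# Constructed SMTP exchange with STARTTLS; the TLS records are fake bytes.
SESSION = [
    (FROM_SERVER, b"220 mail.example.test ESMTP\r\n"),
    (FROM_CLIENT, b"EHLO client.example.test\r\n"),
    (FROM_SERVER, b"250-mail.example.test\r\n250 STARTTLS\r\n"),
    (FROM_CLIENT, b"STARTTLS\r\n"),
    (FROM_SERVER, b"220 2.0.0 Ready to start TLS\r\n"),
    (FROM_CLIENT, b"\x16\x03\x01\x00\x05" + b"\x01" * 5),  # fake ClientHello
    (FROM_SERVER, b"\x16\x03\x03\x00\x05" + b"\x02" * 5),  # fake ServerHello
    (FROM_CLIENT, b"\x17\x03\x03\x00\x04" + b"\x03" * 4),  # fake app data
]

# Verdict summary as printed by the unpatched run quoted in the mail.
UNPATCHED_SUMMARY = """Verdicts:
      Allow:           26 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
"""

VERDICT_RE = re.compile(
    r"^\s*(Allow|Block|Replace|Whitelist|Blacklist|Ignore):\s+(\d+)", re.M)


def parse_verdicts(text):
    """Parse snort's 'Verdicts:' block into {name: count}."""
    return {name: int(count) for name, count in VERDICT_RE.findall(text)}


def tls_flow_whitelisted(text):
    """True when at least one flow was whitelisted, which is what the
    STARTTLS handoff should produce when ignore_tls_data is set."""
    return parse_verdicts(text).get("Whitelist", 0) > 0


if __name__ == "__main__":
    trace, stopped = run_session(SESSION, ignore_tls_data=True)
    for direction, state, action in trace:
        print(f"{direction:6} {state:22} {action}")
    print("stop_inspection at packet", stopped)
    print("unpatched run whitelisted a flow:", tls_flow_whitelisted(UNPATCHED_SUMMARY))
```

Running it with ignore_tls_data=True shows inspection stopping at the first client packet after the server's 220, which is the point at which the real preprocessor would call stop_inspection; with the flag off the same packets are all inspected. Pointing parse_verdicts at the summary of a snort -r run is a quick regression check that the whitelist handoff actually happened.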
