[Snort-devel] smtp: ignore flow after STARTTLS if ignore_tls_data is set

Bram bram-fabeg at ...3414...
Tue Aug 27 02:17:45 EDT 2013


Quoting Florian Westphal <florian.westphal at ...3285...>:

> Bhagya Bantwal <bbantwal at ...402...> wrote:
>> Florian,
>>
>> Thank you for your email. Snort actually does whitelist the SMTP traffic.
>> Code that does that is in SnortSMTP (dir == SMTP_PKT_FROM_CLIENT)
>> line:2370. Snort only parses the Client and server certificates (Not the
>> complete handshake)
>>
>>        if ((smtp_ssn->state == STATE_TLS_DATA)
>>                 || (smtp_ssn->state == STATE_TLS_SERVER_PEND))
>>         {
>>             /* if we're ignoring tls data, set a zero length alt buffer */
>>             if (smtp_eval_config->ignore_tls_data)
>>             {
>>                 _dpd.SetAltDecode(0);
>>                 _dpd.streamAPI->stop_inspection( p->stream_session_ptr, p,
>> SSN_DIR_BOTH, -1, 0 );
>>                 return;
>>             }
>>         }
>>
> Hm.  Does not work for me with 2.9.5.3.
>
> http://strlen.de/fw/starttls-pcap.cap

Can you check if this URL is correct? It keeps returning an HTML page...

I would like to take a look at the dump because there are instances
in which Snort fails to (correctly) detect the STARTTLS command (a
separate message about this will be sent to bugs+snort-devel).
This may be one of them but I can't tell without the dump.


Best regards,

Bram
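The stop_inspection path Bhagya quotes above, replayed over a constructed STARTTLS exchange as an added example. This is not Snort's code: the state and direction names follow the quoted snippet, while the transitions, the session and config structs, the STARTTLS matcher and the replay driver are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the SMTP preprocessor's STARTTLS tracking.  The state
 * and direction names mirror the snippet quoted in the thread; everything else
 * (the transitions, the structs, the replay) is an assumption for this example. */
enum smtp_state {
    STATE_COMMAND,          /* plaintext SMTP commands */
    STATE_TLS_CLIENT_PEND,  /* client sent STARTTLS, waiting for the server's reply */
    STATE_TLS_SERVER_PEND,  /* server answered 220, next client bytes are the TLS handshake */
    STATE_TLS_DATA          /* TLS records in both directions */
};

enum pkt_dir { SMTP_PKT_FROM_CLIENT, SMTP_PKT_FROM_SERVER };

struct smtp_session {
    enum smtp_state state;
    bool inspection_stopped;  /* stands in for streamAPI->stop_inspection(..., SSN_DIR_BOTH, ...) */
};

struct smtp_config {
    bool ignore_tls_data;     /* the preprocessor option discussed in the thread */
};

/* RFC 3207: STARTTLS takes no parameters and, like every SMTP verb, is
 * case-insensitive.  Only trailing whitespace and CRLF may follow the verb. */
static bool is_starttls(const char *line)
{
    static const char verb[] = "STARTTLS";
    size_t i;

    for (i = 0; verb[i] != '\0'; i++) {
        if (line[i] == '\0' || toupper((unsigned char)line[i]) != verb[i])
            return false;
    }
    for (line += i; *line != '\0'; line++) {
        if (*line != ' ' && *line != '\r' && *line != '\n')
            return false;
    }
    return true;
}

/* Process one application-layer payload.  Returns 1 when the packet is handed
 * past inspection (the ignore_tls_data path), 0 when it is inspected. */
static int smtp_process(struct smtp_session *ssn, const struct smtp_config *cfg,
                        enum pkt_dir dir, const char *payload)
{
    if (ssn->state == STATE_TLS_DATA || ssn->state == STATE_TLS_SERVER_PEND) {
        if (cfg->ignore_tls_data) {
            ssn->inspection_stopped = true;
            return 1;
        }
        /* Not ignoring: the first client packet after 220 is the ClientHello. */
        if (dir == SMTP_PKT_FROM_CLIENT)
            ssn->state = STATE_TLS_DATA;
        return 0;
    }

    if (dir == SMTP_PKT_FROM_CLIENT) {
        if (ssn->state == STATE_COMMAND && is_starttls(payload))
            ssn->state = STATE_TLS_CLIENT_PEND;
    } else if (ssn->state == STATE_TLS_CLIENT_PEND) {
        /* Only a 220 reply moves the session into TLS; any other reply keeps it in plaintext. */
        ssn->state = (strncmp(payload, "220", 3) == 0) ? STATE_TLS_SERVER_PEND
                                                       : STATE_COMMAND;
    }
    return 0;
}

struct replay_result {
    int inspected;
    int skipped;
    enum smtp_state final_state;
};

/* Replay a constructed STARTTLS exchange (sample data, not a real capture). */
static struct replay_result run_exchange(bool ignore_tls_data)
{
    static const struct { enum pkt_dir dir; const char *payload; } pkts[] = {
        { SMTP_PKT_FROM_SERVER, "220 mail.example.test ESMTP\r\n" },
        { SMTP_PKT_FROM_CLIENT, "EHLO client.example.test\r\n" },
        { SMTP_PKT_FROM_SERVER, "250-mail.example.test\r\n250 STARTTLS\r\n" },
        { SMTP_PKT_FROM_CLIENT, "STARTTLS\r\n" },
        { SMTP_PKT_FROM_SERVER, "220 Ready to start TLS\r\n" },
        { SMTP_PKT_FROM_CLIENT, "\x16\x03\x01" },  /* TLS record header of a ClientHello */
        { SMTP_PKT_FROM_SERVER, "\x16\x03\x03" },  /* TLS record header of a ServerHello */
    };
    struct smtp_config cfg = { ignore_tls_data };
    struct smtp_session ssn = { STATE_COMMAND, false };
    struct replay_result r = { 0, 0, STATE_COMMAND };
    size_t i;

    for (i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        /* Once stop_inspection() has been called the stream layer never hands the
         * session to the preprocessor again, so later packets are skipped outright. */
        if (ssn.inspection_stopped || smtp_process(&ssn, &cfg, pkts[i].dir, pkts[i].payload))
            r.skipped++;
        else
            r.inspected++;
    }
    r.final_state = ssn.state;
    return r;
}

int main(void)
{
    struct replay_result skip = run_exchange(true);
    struct replay_result keep = run_exchange(false);

    printf("ignore_tls_data=yes: %d inspected, %d skipped\n", skip.inspected, skip.skipped);
    printf("ignore_tls_data=no:  %d inspected, %d skipped\n", keep.inspected, keep.skipped);
    return 0;
}
```

With ignore_tls_data set, the five plaintext packets up to the server's 220 are inspected and everything from the ClientHello onward is handed past inspection; without it the session simply moves to STATE_TLS_DATA and the ciphertext keeps flowing through the preprocessor. The matcher accepts the verb in any case and rejects trailing parameters, which is the behaviour RFC 3207 specifies; a matcher that only recognises the exact upper-case form would leave a session that lowercases the command stuck in STATE_COMMAND and the TLS bytes would never be whitelisted.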

