[Snort-devel] smtp: ignore flow after STARTTLS if ignore_tls_data is set

Florian Westphal florian.westphal at ...3285...
Tue Aug 27 03:33:54 EDT 2013


Bram <bram-fabeg at ...3414...> wrote:
> Quoting Florian Westphal <florian.westphal at ...3285...>:
> >> Thank you for your email. Snort actually does whitelist the SMTP traffic.
> >> Code that does that is in SnortSMTP (dir == SMTP_PKT_FROM_CLIENT)
> >> line:2370. Snort only parses the Client and server certificates (Not the
> >> complete handshake)
> >>
> >>        if ((smtp_ssn->state == STATE_TLS_DATA)
> >>                 || (smtp_ssn->state == STATE_TLS_SERVER_PEND))
> >>         {
> >>             /* if we're ignoring tls data, set a zero length alt buffer */
> >>             if (smtp_eval_config->ignore_tls_data)
> >>             {
> >>                 _dpd.SetAltDecode(0);
> >>                 _dpd.streamAPI->stop_inspection( p->stream_session_ptr, p,
> >> SSN_DIR_BOTH, -1, 0 );
> >>                 return;
> >>             }
> >>         }
> >>
> > Hm.  Does not work for me with 2.9.5.3.
> >
> > http://strlen.de/fw/starttls-pcap.cap
> 
> Can you check if this url is correct? It keeps returning a HTML page...

Fixed.

> I would like to take a look at the dump because there are instances
> in which snort fails to (correctly) detect the STARTTLS command (a
> separate message about this will be sent to bugs+snort-devel).
> This may be one of them but I can't tell without the dump..

No, snort detects the smtp exchange and the tls session.

The code quoted above is not part of 2.9.5.3, so my guess is that
whitelisting has been added after that release.
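As an added illustration (not Snort's code and not part of the thread), the state logic the quoted snippet relies on, reduced to a small model: the state and direction names follow the snippet, while the transitions, the line format, the verdict enum and the function names are assumptions made for this example.

```c
/* Assumed model of the SMTP preprocessor's STARTTLS handling; not Snort code. */
#include <stdbool.h>
#include <string.h>
#include <strings.h>

enum smtp_state { STATE_COMMAND, STATE_TLS_CLIENT_PEND,
                  STATE_TLS_SERVER_PEND, STATE_TLS_DATA };
enum smtp_dir { SMTP_PKT_FROM_CLIENT, SMTP_PKT_FROM_SERVER };
/* INSPECT: hand the payload to detection as usual.
 * STOP_INSPECTION: what the snippet does via SetAltDecode(0) plus
 * stop_inspection(SSN_DIR_BOTH): detection sees an empty buffer and the
 * rest of the session is no longer inspected in either direction. */
enum verdict { INSPECT, STOP_INSPECTION };

struct smtp_session { enum smtp_state state; bool ignore_tls_data; };

static bool starts_with_nocase(const char *s, const char *prefix)
{
    return strncasecmp(s, prefix, strlen(prefix)) == 0;
}

/* Feed one SMTP line (or opaque TLS bytes) and return the verdict. */
enum verdict smtp_process(struct smtp_session *ssn, enum smtp_dir dir,
                          const char *line)
{
    /* Same condition as the quoted snippet: once the server has accepted
     * STARTTLS the payload is ciphertext, so only ignore_tls_data decides
     * whether detection keeps receiving (useless) encrypted bytes. */
    if (ssn->state == STATE_TLS_DATA || ssn->state == STATE_TLS_SERVER_PEND)
        return ssn->ignore_tls_data ? STOP_INSPECTION : INSPECT;

    if (dir == SMTP_PKT_FROM_CLIENT && starts_with_nocase(line, "STARTTLS"))
        ssn->state = STATE_TLS_CLIENT_PEND;          /* wait for the 220 */
    else if (dir == SMTP_PKT_FROM_SERVER && ssn->state == STATE_TLS_CLIENT_PEND)
        ssn->state = starts_with_nocase(line, "220")  /* accepted or refused */
                         ? STATE_TLS_SERVER_PEND : STATE_COMMAND;
    return INSPECT;
}

/* Constructed exchange: returns the verdict for the first client packet
 * after the server accepts STARTTLS, under the given configuration. */
enum verdict run_starttls_exchange(bool ignore_tls_data)
{
    struct smtp_session ssn = { STATE_COMMAND, ignore_tls_data };
    smtp_process(&ssn, SMTP_PKT_FROM_CLIENT, "EHLO client.example\r\n");
    smtp_process(&ssn, SMTP_PKT_FROM_SERVER, "250 mail.example\r\n");
    smtp_process(&ssn, SMTP_PKT_FROM_CLIENT, "STARTTLS\r\n");
    smtp_process(&ssn, SMTP_PKT_FROM_SERVER, "220 Ready to start TLS\r\n");
    return smtp_process(&ssn, SMTP_PKT_FROM_CLIENT, "\x16\x03\x01"); /* fake ClientHello */
}
```

With `ignore_tls_data` unset the model keeps returning INSPECT for ciphertext, which is the behaviour worth checking in a pcap like the one linked above: the rules still run, but over bytes they cannot match.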
