[Snort-devel] smtp: ignore flow after STARTTLS if ignore_tls_data is set

Bram bram-fabeg at ...3414...
Tue Aug 27 03:27:16 EDT 2013


Quoting Florian Westphal <florian.westphal at ...3285...>:
>
>> >
>> > http://strlen.de/fw/starttls-pcap.cap
>>
>> Can you check if this url is correct? It keeps returning an HTML page...
>
> Fixed.

For some value of 'Fixed':
* http://strlen.de/fw/starttls-pcap.cap -> HTML
* http://strlen.de/fw/starttls-test.cap -> actual pcap file

>
>> I would like to take a look at the dump because there are instances
>> in which snort fails to (correctly) detect the STARTTLS command (a
>> separate message about this will be sent to bugs+snort-devel).
>> This may be one of them but I can't tell without the dump..
>
> No, snort detects the smtp exchange and the tls session.

Indeed, the switch to tls is correctly detected.


Best regards,

Bram

