[Snort-devel] smtp: ignore flow after STARTTLS if ignore_tls_data is set

Bram bram-fabeg at ...3414...
Tue Aug 27 03:27:16 EDT 2013

Quoting Florian Westphal <florian.westphal at ...3285...>:
>> >
>> > http://strlen.de/fw/starttls-pcap.cap
>> Can you check if this url is correct? It keeps returning an HTML page...
> Fixed.

For some value of 'Fixed':
* http://strlen.de/fw/starttls-pcap.cap -> HTML
* http://strlen.de/fw/starttls-test.cap -> actual pcap file

>> I would like to take a look at the dump because there are instances
>> in which snort fails to (correctly) detect the STARTTLS command (a
>> separate message about this will be sent to bugs+snort-devel).
>> This may be one of them but I can't tell without the dump..
> No, snort detects the smtp exchange and the tls session.

Indeed, the switch to tls is correctly detected.

Best regards,

