[Snort-devel] smtp: ignore flow after STARTTLS if ignore_tls_data is set

Bhagya Bantwal bbantwal at ...402...
Thu Aug 29 10:17:00 EDT 2013


Hello Florian,

Actually the fix that I mentioned is going in a later release. Sorry for
the confusion.

Thank you for reporting this fix!

Thanks!

Bhagya


On Mon, Aug 26, 2013 at 11:40 AM, Florian Westphal <
florian.westphal at ...3285...> wrote:

> Bhagya Bantwal <bbantwal at ...402...> wrote:
> > Florian,
> >
> > Thank you for your email. Snort actually does whitelist the SMTP traffic.
> > Code that does that is in SnortSMTP (dir == SMTP_PKT_FROM_CLIENT)
> > line:2370. Snort only parses the Client and server certificates (Not the
> > complete handshake)
> >
> >        if ((smtp_ssn->state == STATE_TLS_DATA)
> >                 || (smtp_ssn->state == STATE_TLS_SERVER_PEND))
> >         {
> >             /* if we're ignoring tls data, set a zero length alt buffer */
> >             if (smtp_eval_config->ignore_tls_data)
> >             {
> >                 _dpd.SetAltDecode(0);
> >                 _dpd.streamAPI->stop_inspection( p->stream_session_ptr, p,
> >                                                  SSN_DIR_BOTH, -1, 0 );
> >                 return;
> >             }
> >         }
> >
> Hm.  Does not work for me with 2.9.5.3.
>
> http://strlen.de/fw/starttls-pcap.cap
>
> $ src/snort -r ~/starttls-test.cap  -c snort.conf -k none -K none -P 0xffff
> [..]
> Verdicts:
>       Allow:           26 (100.000%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
>
> With patch, i get "Whitelist: 16"
>
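The branch quoted above only fires once the session has reached STATE_TLS_SERVER_PEND or STATE_TLS_DATA, and from that point stop_inspection() takes the rest of the flow out of the preprocessor's hands, which is what shows up as the "Whitelist" verdict count Florian reports. The following is an added example, not code from this thread or from Snort: a small C model of that STARTTLS state machine, run over a constructed SMTP exchange both with and without ignore_tls_data. Only the two state names STATE_TLS_SERVER_PEND and STATE_TLS_DATA come from the quoted snippet; the other states, the packet trace, the verdict counters and the 220/454 handling are assumptions made here to illustrate the behaviour, not Snort's actual implementation.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical session states. STATE_TLS_SERVER_PEND and STATE_TLS_DATA
 * are the names used in the quoted snippet; the other two are assumed. */
enum smtp_state {
    STATE_COMMAND,          /* plaintext SMTP command phase               */
    STATE_TLS_CLIENT_PEND,  /* client sent STARTTLS, waiting for the 220  */
    STATE_TLS_SERVER_PEND,  /* server said 220, next client bytes are TLS */
    STATE_TLS_DATA          /* handshake under way, everything is TLS now */
};

enum direction { FROM_CLIENT, FROM_SERVER };

struct smtp_session {
    enum smtp_state state;
    int inspection_stopped; /* set once stop_inspection() would have run */
};

struct verdicts { int inspected; int whitelisted; };

/* Advance the session by one packet. Returns 1 when the packet (and, from
 * then on, the whole flow) is whitelisted, 0 when it is still inspected. */
static int smtp_step(struct smtp_session *s, enum direction dir,
                     const char *payload, int ignore_tls_data)
{
    if (s->inspection_stopped)
        return 1; /* stream layer never hands these to the preprocessor */

    switch (s->state) {
    case STATE_COMMAND:
        if (dir == FROM_CLIENT && strncasecmp(payload, "STARTTLS", 8) == 0)
            s->state = STATE_TLS_CLIENT_PEND;
        return 0;
    case STATE_TLS_CLIENT_PEND:
        /* 220 means "go ahead"; any other reply (e.g. 454) keeps us in
         * plaintext, so the flow must stay fully inspected. */
        if (dir == FROM_SERVER)
            s->state = strncmp(payload, "220", 3) == 0 ? STATE_TLS_SERVER_PEND
                                                       : STATE_COMMAND;
        return 0;
    case STATE_TLS_SERVER_PEND:
    case STATE_TLS_DATA:
        /* Model of the quoted branch: with ignore_tls_data set, zero the
         * alt buffer and stop inspection in both directions, once. */
        if (ignore_tls_data) {
            s->inspection_stopped = 1;
            return 1;
        }
        if (s->state == STATE_TLS_SERVER_PEND && dir == FROM_CLIENT)
            s->state = STATE_TLS_DATA;
        return 0;
    }
    return 0;
}

struct pkt { enum direction dir; const char *payload; };

/* Constructed trace (not the pcap from the thread): plaintext negotiation
 * followed by opaque TLS records, first byte = TLS record content type. */
static const struct pkt TRACE_OK[] = {
    { FROM_SERVER, "220 mx.example.test ESMTP\r\n" },
    { FROM_CLIENT, "EHLO client.example.test\r\n" },
    { FROM_SERVER, "250-mx.example.test\r\n250 STARTTLS\r\n" },
    { FROM_CLIENT, "STARTTLS\r\n" },
    { FROM_SERVER, "220 2.0.0 Ready to start TLS\r\n" },
    { FROM_CLIENT, "\x16 ClientHello" },
    { FROM_SERVER, "\x16 ServerHello Certificate ServerHelloDone" },
    { FROM_CLIENT, "\x16 ClientKeyExchange \x14 CCS \x16 Finished" },
    { FROM_SERVER, "\x14 CCS \x16 Finished" },
    { FROM_CLIENT, "\x17 application data (MAIL FROM ...)" },
    { FROM_SERVER, "\x17 application data (250 OK)" },
};

/* Constructed trace where the server refuses STARTTLS. */
static const struct pkt TRACE_REFUSED[] = {
    { FROM_SERVER, "220 mx.example.test ESMTP\r\n" },
    { FROM_CLIENT, "EHLO client.example.test\r\n" },
    { FROM_SERVER, "250-mx.example.test\r\n250 STARTTLS\r\n" },
    { FROM_CLIENT, "STARTTLS\r\n" },
    { FROM_SERVER, "454 4.7.0 TLS not available due to temporary reason\r\n" },
    { FROM_CLIENT, "MAIL FROM:<a@example.test>\r\n" },
    { FROM_SERVER, "250 OK\r\n" },
};

static struct verdicts run_trace(const struct pkt *t, size_t n, int ignore_tls_data)
{
    struct smtp_session s = { STATE_COMMAND, 0 };
    struct verdicts v = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (smtp_step(&s, t[i].dir, t[i].payload, ignore_tls_data))
            v.whitelisted++;
        else
            v.inspected++;
    }
    return v;
}

#define NPKT(t) (sizeof (t) / sizeof (t)[0])

static struct verdicts ok_trace(int ignore)      { return run_trace(TRACE_OK, NPKT(TRACE_OK), ignore); }
static struct verdicts refused_trace(int ignore) { return run_trace(TRACE_REFUSED, NPKT(TRACE_REFUSED), ignore); }

int main(void)
{
    struct verdicts off = ok_trace(0), on = ok_trace(1), ref = refused_trace(1);
    printf("STARTTLS ok,  ignore_tls_data=0: inspected=%d whitelisted=%d\n", off.inspected, off.whitelisted);
    printf("STARTTLS ok,  ignore_tls_data=1: inspected=%d whitelisted=%d\n", on.inspected, on.whitelisted);
    printf("STARTTLS 454, ignore_tls_data=1: inspected=%d whitelisted=%d\n", ref.inspected, ref.whitelisted);
    return 0;
}
```

The point the model makes explicit is that the whitelist decision is keyed on session state, not on payload: once the 220 reply to STARTTLS has been seen, the very next client packet trips the branch and every later packet in either direction is already out of the preprocessor's reach, whereas a refused STARTTLS leaves the session in plaintext and nothing is ever whitelisted.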