[Snort-devel] IMAP and POP preprocessor do not handle TLS

Bram bram-fabeg at ...3414...
Wed Jul 31 09:06:31 EDT 2013


Hi,


The IMAP and POP preprocessors do not handle the switch to TLS correctly.
They do 'know' the STARTTLS/STLS command but don't do anything with it...

In the SMTP preprocessor the STARTTLS command is (or at least appears to be) handled correctly; similar code in IMAP and POP is most likely needed...

The result is that the alerts:
* 'IMAP_UNKNOWN_CMD'
* 'IMAP_UNKNOWN_RESP'
* 'POP_UNKNOWN_CMD'
are logged incorrectly.

That is: these are logged on SSL packets..

Attached are two capture files:

* imap capture file created using:
	$ openssl s_client -connect 192.168.173.153:143 -starttls imap
	...
	. OK Completed
	001 LOGOUT
	* BYE LOGOUT received
	001 OK Completed
	read:errno=0

* pop capture file created using:
	$ openssl s_client  -ign_eof -connect 192.168.173.153:110 -starttls pop3
	....
	+OK foo.bar.com Cyrus POP3 v2.4.16 server ready
	QUIT
	+OK

Configuration used:
	dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
	preprocessor normalize_tcp: ecn stream
	preprocessor stream5_global: \
	   track_tcp yes, \
	   track_udp no, \
	   track_icmp no
	preprocessor stream5_tcp: policy first, ports client 143 110

	preprocessor imap: \
	    ports { 143 } \
	    b64_decode_depth 0 \
	    qp_decode_depth 0 \
	    bitenc_decode_depth 0 \
	    uu_decode_depth 0

	preprocessor pop: \
	    ports { 110 } \
	    b64_decode_depth 0 \
	    qp_decode_depth 0 \
	    bitenc_decode_depth 0 \
	    uu_decode_depth 0

	alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; )
	alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; )

	alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; )
	alert ( msg: "POP_UNKNOWN_RESP"; sid: 2; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; )

	output alert_fast: stdout


Running it:
	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/imap_starttls.cap  2>&1 | grep '141:'
	07/31-16:08:16.664139  [**] [141:1:1] (IMAP) Unknown IMAP4 command [**] [Priority: 0] {TCP} 192.168.173.1:47455 -> 192.168.173.153:143
	07/31-16:08:16.683048  [**] [141:2:1] (IMAP) Unknown IMAP4 response [**] [Priority: 0] {TCP} 192.168.173.153:143 -> 192.168.173.1:47455

	=> alerts generated on packets 11 and 14, which are part of the TLS negotiation


	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/pop_stls.cap  2>&1 | grep '142:'
	07/31-16:06:56.783096  [**] [142:1:1] (POP) Unknown POP3 command [**] [Priority: 0] {TCP} 192.168.173.1:46034 -> 192.168.173.153:110

	=> alert generated on packet 9, which is part of the TLS negotiation



Best regards,

Bram



-------------- next part --------------
A non-text attachment was scrubbed...
Name: imap_starttls.cap
Type: application/octet-stream
Size: 4673 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130731/ebd20aef/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pop_stls.cap
Type: application/octet-stream
Size: 4122 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130731/ebd20aef/attachment-0001.obj>
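The behaviour the report describes, as an added illustration that is not Snort's code and not part of the original post: a small per-session IMAP/POP3 command checker in two modes. With `tls_aware=False` it keeps parsing after STARTTLS/STLS, so the TLS records that follow are flagged as unknown commands/responses, which is the reported false positive. With `tls_aware=True` it remembers the client's STARTTLS (by IMAP tag) or STLS, waits for the server's tagged `OK` / `+OK`, and then marks the session encrypted and stops inspecting; a `NO`/`BAD`/`-ERR` reply leaves the session in plaintext so inspection continues. The sessions, the command subset and the truncated TLS record bytes are constructed for the example (modelled on the openssl s_client exchanges above), and the class and function names are the example's own.

```python
"""Added example: STARTTLS/STLS-aware command inspection for IMAP and POP3.

Constructed for illustration; not Snort code. Sessions, the command subset
and the TLS record bytes below are made up for the example.
"""
import re

# Constructed subset of valid commands (Snort's own tables are larger).
IMAP_COMMANDS = {b"CAPABILITY", b"NOOP", b"LOGOUT", b"STARTTLS", b"LOGIN", b"SELECT", b"FETCH"}
POP_COMMANDS = {b"USER", b"PASS", b"QUIT", b"STAT", b"LIST", b"RETR", b"DELE",
                b"NOOP", b"RSET", b"CAPA", b"STLS"}

IMAP_CLIENT_RE = re.compile(rb"^([A-Za-z0-9.]+) ([A-Za-z]+)(?:\s|$)")          # "tag CMD ..."
IMAP_SERVER_RE = re.compile(rb"^(\*|\+|[A-Za-z0-9.]+) ([A-Za-z]+)(?:\s|$)")    # "* ..." / "+ ..." / "tag OK|NO|BAD"
POP_CLIENT_RE = re.compile(rb"^([A-Za-z]+)(?:\s|$)")                            # "CMD ..."


class MailInspector:
    """Per-session checker for proto 'imap' or 'pop'.

    tls_aware=False mirrors the reported behaviour: the STARTTLS/STLS exchange
    is recognised but ignored, so the following TLS records are parsed as
    plaintext and reported as unknown. tls_aware=True switches the session to
    'encrypted' once the server accepts the upgrade and ignores the rest.
    """

    def __init__(self, proto, tls_aware=True):
        assert proto in ("imap", "pop")
        self.proto = proto
        self.tls_aware = tls_aware
        self.encrypted = False
        self.pending_tls = None  # IMAP tag of an outstanding STARTTLS, or True for POP STLS

    def inspect(self, direction, segment):
        """Return alert names raised for one TCP segment; direction is 'c2s' or 's2c'."""
        if self.encrypted:
            return []
        alerts = []
        for line in segment.split(b"\r\n"):
            if line:
                alerts += self._client_line(line) if direction == "c2s" else self._server_line(line)
        return alerts

    def _client_line(self, line):
        if self.proto == "imap":
            m = IMAP_CLIENT_RE.match(line)
            cmd = m.group(2).upper() if m else None
            if cmd not in IMAP_COMMANDS:
                return ["IMAP_UNKNOWN_CMD"]
            if cmd == b"STARTTLS":
                self.pending_tls = m.group(1)  # the tagged reply to this tag decides the upgrade
            return []
        m = POP_CLIENT_RE.match(line)
        cmd = m.group(1).upper() if m else None
        if cmd not in POP_COMMANDS:
            return ["POP_UNKNOWN_CMD"]
        if cmd == b"STLS":
            self.pending_tls = True
        return []

    def _server_line(self, line):
        if self.proto == "imap":
            m = IMAP_SERVER_RE.match(line)
            if not m:
                return ["IMAP_UNKNOWN_RESP"]
            tag, status = m.group(1), m.group(2).upper()
            if tag not in (b"*", b"+") and status not in (b"OK", b"NO", b"BAD"):
                return ["IMAP_UNKNOWN_RESP"]
            if self.pending_tls is not None and tag == self.pending_tls:
                if status == b"OK" and self.tls_aware:
                    self.encrypted = True  # everything after this line is TLS
                self.pending_tls = None    # NO/BAD: stay in plaintext
            return []
        if not (line.startswith(b"+OK") or line.startswith(b"-ERR")):
            return ["POP_UNKNOWN_RESP"]
        if self.pending_tls:
            if line.startswith(b"+OK") and self.tls_aware:
                self.encrypted = True
            self.pending_tls = None        # -ERR: stay in plaintext
        return []


def run_session(proto, session, tls_aware):
    """Feed (direction, segment) pairs through one inspector; return (index, alert) pairs."""
    insp = MailInspector(proto, tls_aware)
    return [(i, a) for i, (d, seg) in enumerate(session) for a in insp.inspect(d, seg)]


# Constructed, truncated TLS record headers standing in for the real handshake.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"
TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x03"
TLS_APP_DATA = b"\x17\x03\x03\x00\x03abc"

IMAP_STARTTLS_SESSION = [  # modelled on "openssl s_client -starttls imap"
    ("s2c", b"* OK IMAP4rev1 server ready\r\n"),
    ("c2s", b". CAPABILITY\r\n"),
    ("s2c", b"* CAPABILITY IMAP4rev1 STARTTLS\r\n. OK Completed\r\n"),
    ("c2s", b". STARTTLS\r\n"),
    ("s2c", b". OK Begin TLS negotiation now\r\n"),
    ("c2s", TLS_CLIENT_HELLO),
    ("s2c", TLS_SERVER_HELLO),
    ("c2s", TLS_APP_DATA),  # e.g. the LOGOUT, now encrypted
]

POP_STLS_SESSION = [  # modelled on "openssl s_client -starttls pop3"
    ("s2c", b"+OK foo.bar.com Cyrus POP3 v2.4.16 server ready\r\n"),
    ("c2s", b"STLS\r\n"),
    ("s2c", b"+OK Begin TLS negotiation now\r\n"),
    ("c2s", TLS_CLIENT_HELLO),
    ("s2c", TLS_SERVER_HELLO),
]

POP_STLS_REFUSED_SESSION = [  # upgrade refused: inspection must continue
    ("s2c", b"+OK POP3 ready\r\n"),
    ("c2s", b"STLS\r\n"),
    ("s2c", b"-ERR TLS not available\r\n"),
    ("c2s", b"QUIT\r\n"),
    ("s2c", b"+OK bye\r\n"),
    ("c2s", b"BOGUS\r\n"),
]

if __name__ == "__main__":
    for name, proto, sess in [("imap", "imap", IMAP_STARTTLS_SESSION), ("pop", "pop", POP_STLS_SESSION)]:
        print(name, "naive:", run_session(proto, sess, tls_aware=False))
        print(name, "tls-aware:", run_session(proto, sess, tls_aware=True))
    print("pop refused, tls-aware:", run_session("pop", POP_STLS_REFUSED_SESSION, tls_aware=True))
```

The naive mode raises IMAP_UNKNOWN_CMD / IMAP_UNKNOWN_RESP on the ClientHello and ServerHello segments, matching the pattern in the alert_fast output above; the TLS-aware mode raises nothing after the accepted upgrade but still flags the bogus plaintext command when STLS was refused.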