[Snort-devel] IMAP and POP preprocessor do not handle TLS

Bhagya Bantwal bbantwal at ...402...
Wed Jul 31 12:25:21 EDT 2013


Bram,

Thank you for reporting this issue. A bug has been filed to address this
issue.

Thanks!

B

On Wed, Jul 31, 2013 at 9:06 AM, Bram <bram-fabeg at ...3414...> wrote:

> Hi,
>
>
> The IMAP and POP preprocessors do not handle the switch to TLS correctly.
> They 'know' the STARTTLS/STLS command but don't do anything with it...
>
> In the SMTP preprocessor the STARTTLS command is (or at least appears to
> be) handled correctly; similar code in IMAP and POP is most likely needed...
>
> The result is that the alerts:
> * 'IMAP_UNKNOWN_CMD'
> * 'IMAP_UNKNOWN_RESP'
> * 'POP_UNKNOWN_CMD'
> are logged incorrectly.
>
> That is: these are logged on SSL packets..
>
> Attached are two capture files:
>
> * imap capture file created using:
>         $ openssl s_client -connect 192.168.173.153:143 -starttls imap
>         ...
>         . OK Completed
>         001 LOGOUT
>         * BYE LOGOUT received
>         001 OK Completed
>         read:errno=0
>
> * pop capture file created using:
>         $ openssl s_client -ign_eof -connect 192.168.173.153:110 -starttls pop3
>         ....
>         +OK foo.bar.com Cyrus POP3 v2.4.16 server ready
>         QUIT
>         +OK
>
> Configuration used:
>         dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>         preprocessor normalize_tcp: ecn stream
>         preprocessor stream5_global: \
>            track_tcp yes, \
>            track_udp no, \
>            track_icmp no
>         preprocessor stream5_tcp: policy first, ports client 143 110
>
>         preprocessor imap: \
>             ports { 143 } \
>             b64_decode_depth 0 \
>             qp_decode_depth 0 \
>             bitenc_decode_depth 0 \
>             uu_decode_depth 0
>
>         preprocessor pop: \
>             ports { 110 } \
>             b64_decode_depth 0 \
>             qp_decode_depth 0 \
>             bitenc_decode_depth 0 \
>             uu_decode_depth 0
>
>         alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; )
>         alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; )
>
>         alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; )
>         alert ( msg: "POP_UNKNOWN_RESP"; sid: 2; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; )
>
>         output alert_fast: stdout
>
>
> Running it:
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/imap_starttls.cap 2>&1 | grep '141:'
>         07/31-16:08:16.664139  [**] [141:1:1] (IMAP) Unknown IMAP4 command [**] [Priority: 0] {TCP} 192.168.173.1:47455 -> 192.168.173.153:143
>         07/31-16:08:16.683048  [**] [141:2:1] (IMAP) Unknown IMAP4 response [**] [Priority: 0] {TCP} 192.168.173.153:143 -> 192.168.173.1:47455
>
>         => alerts generated on packets 11 and 14 which are part of the TLS negotiation
>
>
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/pop_stls.cap 2>&1 | grep '142:'
>         07/31-16:06:56.783096  [**] [142:1:1] (POP) Unknown POP3 command [**] [Priority: 0] {TCP} 192.168.173.1:46034 -> 192.168.173.153:110
>
>         => alert generated on packet 9 which is part of the TLS negotiation
>
>
>
> Best regards,
>
> Bram
>
>
> ------------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
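The STARTTLS transition described in the report, as an added example that is not Snort's code: a minimal IMAP session tracker in C that, like the SMTP preprocessor is said to, stops parsing once the server accepts STARTTLS, so the TLS handshake no longer raises the unknown-command/response alerts. The command and response tables, the replayed segments and all function names are assumptions; `track_starttls = 0` reproduces the reported behaviour, `1` the corrected one.

```c
#include <ctype.h>
#include <string.h>
/* STARTTLS session state (what the reported preprocessors lack); tables are a subset, not Snort's. */
typedef enum { IMAP_CLEAR, IMAP_TLS_PENDING, IMAP_ENCRYPTED } imap_state;
typedef struct { imap_state state; int track_starttls; } imap_session;
static const char *cmds[]  = { "CAPABILITY", "STARTTLS", "LOGIN", "LOGOUT", "NOOP", NULL };
static const char *resps[] = { "OK", "NO", "BAD", "BYE", "PREAUTH", NULL };
static int word_is(const char *w, size_t n, const char *name) {   /* case-insensitive */
    if (strlen(name) != n) return 0;
    while (n--) if (toupper((unsigned char)w[n]) != name[n]) return 0;
    return 1;
}
static int in_table(const char **t, const char *w, size_t n) {
    while (*t && !word_is(w, n, *t)) t++;
    return *t != NULL;
}
/* Skip the tag ("a1", "*", "+") and spaces; return the length of the next alpha word. */
static size_t next_word(const char *buf, size_t len, size_t *start) {
    size_t i = 0;
    while (i < len && !isspace((unsigned char)buf[i])) i++;
    while (i < len && buf[i] == ' ') i++;
    for (*start = i; i < len && isalpha((unsigned char)buf[i]); i++) {}
    return i - *start;
}
/* Inspect one segment; returns 1 if IMAP_UNKNOWN_CMD / IMAP_UNKNOWN_RESP would fire. */
int imap_inspect(imap_session *s, const char *buf, size_t len, int from_client) {
    size_t start, n = next_word(buf, len, &start);
    if (s->state == IMAP_ENCRYPTED) return 0;   /* TLS records carry no IMAP to parse */
    if (from_client) {
        if (!in_table(cmds, buf + start, n)) return 1;
        if (s->track_starttls && word_is(buf + start, n, "STARTTLS")) s->state = IMAP_TLS_PENDING;
        return 0;
    }
    if (!in_table(resps, buf + start, n)) return 1;
    if (s->state == IMAP_TLS_PENDING)           /* server's verdict: "OK" means TLS is next */
        s->state = word_is(buf + start, n, "OK") ? IMAP_ENCRYPTED : IMAP_CLEAR;
    return 0;
}
/* Replay the reported exchange (constructed, not the pcap); last two segments are TLS record headers. */
#define SEG(str, cli) { str, sizeof(str) - 1, cli }
int replay_starttls_capture(int track_starttls) {
    static const struct { const char *d; size_t n; int cli; } seg[] = {
        SEG("* OK Cyrus IMAP4 server ready\r\n", 0), SEG("a1 STARTTLS\r\n", 1),
        SEG("a1 OK Begin TLS negotiation now\r\n", 0),
        SEG("\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03", 1),
        SEG("\x16\x03\x03\x00\x3d\x02\x00\x00\x39\x03\x03", 0) };
    imap_session s = { IMAP_CLEAR, track_starttls }; int alerts = 0;
    for (size_t i = 0; i < sizeof seg / sizeof seg[0]; i++)
        alerts += imap_inspect(&s, seg[i].d, seg[i].n, seg[i].cli);
    return alerts;   /* 2 with the reported behaviour, 0 once STARTTLS is tracked */
}
```

The same state machine applies to POP's STLS/+OK pair; a refused STARTTLS (a NO/BAD reply) drops the session back to clear-text parsing.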