Snort mailing list archives
IMAP and POP preprocessor do not handle TLS
From: Bram <bram-fabeg () mail wizbit be>
Date: Wed, 31 Jul 2013 15:06:31 +0200
Hi,
The IMAP and POP preprocessors do not handle the switch to TLS correctly. They do 'know' the STARTTLS/STLS command but don't do anything with it... In the SMTP preprocessor the STARTTLS command is (or at least appears to be) handled correctly; similar code in IMAP and POP is most likely needed...
The result is that the alerts:
* 'IMAP_UNKNOWN_CMD'
* 'IMAP_UNKNOWN_RESP'
* 'POP_UNKNOWN_CMD'
are logged incorrectly.
That is, these are logged on SSL packets.
Attached are two capture files:
* imap capture file created using:
$ openssl s_client -connect 192.168.173.153:143 -starttls imap
...
. OK Completed
001 LOGOUT
* BYE LOGOUT received
001 OK Completed
read:errno=0
* pop capture file created using:
$ openssl s_client -ign_eof -connect 192.168.173.153:110 -starttls pop3
....
+OK foo.bar.com Cyrus POP3 v2.4.16 server ready
QUIT
+OK
Configuration used:
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
preprocessor normalize_tcp: ecn stream
preprocessor stream5_global: \
track_tcp yes, \
track_udp no, \
track_icmp no
preprocessor stream5_tcp: policy first, ports client 143 110
preprocessor imap: \
ports { 143 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0
preprocessor pop: \
ports { 110 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0
alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; )
alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; )
alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; )
alert ( msg: "POP_UNKNOWN_RESP"; sid: 2; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; )
output alert_fast: stdout
Running it:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/imap_starttls.cap 2>&1 | grep '141:'
07/31-16:08:16.664139 [**] [141:1:1] (IMAP) Unknown IMAP4 command [**] [Priority: 0] {TCP} 192.168.173.1:47455 -> 192.168.173.153:143
07/31-16:08:16.683048 [**] [141:2:1] (IMAP) Unknown IMAP4 response [**] [Priority: 0] {TCP} 192.168.173.153:143 -> 192.168.173.1:47455
=> alerts generated on packets 11 and 14, which are part of the TLS negotiation
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/pop_stls.cap 2>&1 | grep '142:'
07/31-16:06:56.783096 [**] [142:1:1] (POP) Unknown POP3 command [**] [Priority: 0] {TCP} 192.168.173.1:46034 -> 192.168.173.153:110
=> alert generated on packet 9, which is part of the TLS negotiation
Best regards,
Bram
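The defect reported above, modelled as an added example (not Snort code and not from the attached captures): a minimal IMAP/POP command parser that tracks whether the server accepted STARTTLS/STLS and stops raising UNKNOWN_CMD/UNKNOWN_RESP once the stream is encrypted. The session payloads and TLS record prefixes are constructed; `track_tls=False` reproduces the behaviour of the buggy preprocessors.

```python
import re

# Constructed sample sessions: the plaintext prologue of the openssl runs
# above, followed by the first bytes of a TLS record in each direction
# standing in for the handshake (0x16 = TLS handshake record type).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"
TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x3d\x02\x00\x00\x39\x03\x03"
IMAP_SESSION = [
    ("s2c", b"* OK IMAP4 server ready\r\n"),
    ("c2s", b". CAPABILITY\r\n"),
    ("s2c", b"* CAPABILITY IMAP4rev1 STARTTLS\r\n"),
    ("s2c", b". OK Completed\r\n"),
    ("c2s", b". STARTTLS\r\n"),
    ("s2c", b". OK Begin TLS negotiation now\r\n"),
    ("c2s", TLS_CLIENT_HELLO),
    ("s2c", TLS_SERVER_HELLO),
]
POP_SESSION = [
    ("s2c", b"+OK foo.bar.com Cyrus POP3 v2.4.16 server ready\r\n"),
    ("c2s", b"STLS\r\n"),
    ("s2c", b"+OK Begin TLS negotiation now\r\n"),
    ("c2s", TLS_CLIENT_HELLO),
    ("s2c", TLS_SERVER_HELLO),
]
IMAP_CMDS = {"CAPABILITY", "LOGIN", "LOGOUT", "STARTTLS", "SELECT", "NOOP"}
POP_CMDS = {"USER", "PASS", "STLS", "QUIT", "CAPA", "STAT", "NOOP"}

def inspect_session(proto, session, track_tls=True):
    """Return the UNKNOWN_CMD/UNKNOWN_RESP alerts a simple command parser
    raises over a (direction, payload) list. track_tls=False reproduces the
    reported defect: parsing continues after the server accepted STARTTLS/STLS."""
    known = IMAP_CMDS if proto == "imap" else POP_CMDS
    alerts, pending_tls, encrypted = [], False, False
    for direction, payload in session:
        if encrypted:
            continue                      # TLS records: nothing to parse
        text = payload.decode("ascii", errors="replace").strip()
        if direction == "c2s":
            words = text.split()[1:] if proto == "imap" else text.split()  # IMAP: drop tag
            name = words[0].upper() if words else ""
            if name not in known:
                alerts.append(f"{proto.upper()}_UNKNOWN_CMD")
            elif name in ("STARTTLS", "STLS"):
                pending_tls = True        # wait for the server's verdict
            continue
        if proto == "pop":
            ok, valid = text.startswith("+OK"), text.startswith(("+OK", "-ERR"))
        else:
            ok = re.match(r"^\S+ OK\b", text) is not None
            valid = ok or text.startswith("*") or re.match(r"^\S+ (NO|BAD)\b", text) is not None
        if not valid:
            alerts.append(f"{proto.upper()}_UNKNOWN_RESP")
        untagged = proto == "imap" and text.startswith("*")
        if pending_tls and not untagged:
            encrypted = ok and track_tls  # only a positive tagged reply switches to TLS
            pending_tls = False
    return alerts
```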