Snort mailing list archives
Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set
From: Florian Westphal <florian.westphal () sophos com>
Date: Mon, 26 Aug 2013 17:40:00 +0200
Bhagya Bantwal <bbantwal () sourcefire com> wrote:
Florian, Thank you for your email. Snort actually does whitelist the SMTP traffic. Code that does that is in SnortSMTP (dir == SMTP_PKT_FROM_CLIENT) line:2370. Snort only parses the Client and server certificates (Not the complete handshake) if ((smtp_ssn->state == STATE_TLS_DATA) || (smtp_ssn->state == STATE_TLS_SERVER_PEND)) { /* if we're ignoring tls data, set a zero length alt buffer */ if (smtp_eval_config->ignore_tls_data) { _dpd.SetAltDecode(0); _dpd.streamAPI->stop_inspection( p->stream_session_ptr, p, SSN_DIR_BOTH, -1, 0 ); return; } }
Hm. Does not work for me with 2.9.5.3.

http://strlen.de/fw/starttls-pcap.cap

    $ src/snort -r ~/starttls-test.cap -c snort.conf -k none -K none -P 0xffff
    [..]
    Verdicts:
                Allow:           26 (100.000%)
                Block:            0 (  0.000%)
              Replace:            0 (  0.000%)
            Whitelist:            0 (  0.000%)
            Blacklist:            0 (  0.000%)
               Ignore:            0 (  0.000%)

With patch, I get "Whitelist: 16".

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
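The state handling the two messages argue about (STATE_TLS_CLIENT_PEND, STATE_TLS_SERVER_PEND, STATE_TLS_DATA and the ignore_tls_data stop), as an added illustrative model. This is not Snort's code and not code from either poster: it tracks a plaintext SMTP session through STARTTLS, whitelists the whole flow at the first client packet after the server's 220 when ignore_tls_data is set, hands the TLS bytes through unparsed when it is not, and falls back to plaintext parsing when the server refuses STARTTLS with a 4xx/5xx reply. The session payloads, the ClientHello check, the verdict strings ("command", "response", "whitelisted", "raw", "ignored") and the helper names are all constructed for the example and are not Snort's counters or API.

```python
"""Added example (not Snort code): a STARTTLS-aware SMTP flow tracker that
models when an SMTP inspector can stop looking at a session.  State names
follow the ones quoted in the thread; everything else is an assumption."""
from dataclasses import dataclass

STATE_COMMAND = "COMMAND"                  # plaintext SMTP: parse commands/replies
STATE_TLS_CLIENT_PEND = "TLS_CLIENT_PEND"  # client sent STARTTLS, awaiting 220
STATE_TLS_SERVER_PEND = "TLS_SERVER_PEND"  # server sent 220, awaiting ClientHello
STATE_TLS_DATA = "TLS_DATA"                # TLS seen; payload is ciphertext from here

TLS_CONTENT_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01


def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record carrying a ClientHello:
    record type 0x16, version 0x03xx, then handshake type 0x01."""
    return (len(data) >= 6
            and data[0] == TLS_CONTENT_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04
            and data[5] == TLS_HANDSHAKE_CLIENT_HELLO)


@dataclass
class SmtpSession:
    ignore_tls_data: bool = True        # the preprocessor option under discussion
    state: str = STATE_COMMAND
    inspection_stopped: bool = False    # stand-in for stop_inspection(SSN_DIR_BOTH)

    def client(self, data: bytes) -> str:
        """Handle a client->server payload and return a verdict for it."""
        if self.inspection_stopped:
            return "ignored"
        if self.state == STATE_TLS_SERVER_PEND and is_tls_client_hello(data):
            self.state = STATE_TLS_DATA
        if self.state in (STATE_TLS_SERVER_PEND, STATE_TLS_DATA):
            # Same shape as the quoted check: from here either whitelist the
            # flow in both directions or pass the TLS bytes on unparsed.
            if self.ignore_tls_data:
                self.inspection_stopped = True
                return "whitelisted"
            return "raw"
        verb = data.split(None, 1)[0].upper() if data.strip() else b""
        if verb == b"STARTTLS":
            self.state = STATE_TLS_CLIENT_PEND
        return "command"

    def server(self, data: bytes) -> str:
        """Handle a server->client payload and return a verdict for it."""
        if self.inspection_stopped:
            return "ignored"
        if self.state in (STATE_TLS_SERVER_PEND, STATE_TLS_DATA):
            return "raw"   # only reached with ignore_tls_data off (assumption)
        if self.state == STATE_TLS_CLIENT_PEND:
            code = data[:3]
            if code == b"220":
                self.state = STATE_TLS_SERVER_PEND   # handshake follows
            elif code.isdigit():
                self.state = STATE_COMMAND           # e.g. 454: stays plaintext
        return "response"


# Constructed, truncated TLS records: enough header bytes for the check above.
CLIENT_HELLO = bytes.fromhex("160301002a0100002603035e")
SERVER_HELLO = bytes.fromhex("160303004a0200004603035f")
APP_DATA = bytes.fromhex("17030300200123456789")


def run_exchange(ignore_tls_data: bool, server_accepts: bool = True) -> list:
    """Replay a constructed SMTP session; return (direction, verdict) pairs."""
    s = SmtpSession(ignore_tls_data=ignore_tls_data)
    steps = [
        ("S", b"220 mail.example.com ESMTP\r\n"),
        ("C", b"EHLO client.example.net\r\n"),
        ("S", b"250-mail.example.com\r\n250 STARTTLS\r\n"),
        ("C", b"STARTTLS\r\n"),
    ]
    if server_accepts:
        steps += [("S", b"220 2.0.0 Ready to start TLS\r\n"),
                  ("C", CLIENT_HELLO), ("S", SERVER_HELLO),
                  ("C", APP_DATA), ("S", APP_DATA)]
    else:
        steps += [("S", b"454 4.7.0 TLS not available due to temporary reason\r\n"),
                  ("C", b"MAIL FROM:<alice@example.net>\r\n"),
                  ("S", b"250 2.1.0 Ok\r\n")]
    return [(d, s.client(p) if d == "C" else s.server(p)) for d, p in steps]


if __name__ == "__main__":
    for d, v in run_exchange(ignore_tls_data=True):
        print(d, v)
```

Counting "ignored" and "whitelisted" verdicts over a replayed capture is the quick way to check the behaviour the thread is disputing: with ignore_tls_data set, everything after the client's first post-220 packet should be ignored, and a run that still reports every packet as inspected means the stop never fired.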
Current thread:
- smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 22)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bhagya Bantwal (Aug 26)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 26)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bram (Aug 27)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 27)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bram (Aug 27)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 26)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bhagya Bantwal (Aug 29)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bhagya Bantwal (Aug 26)