Snort mailing list archives
Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set
From: Florian Westphal <florian.westphal () sophos com>
Date: Tue, 27 Aug 2013 09:33:54 +0200
Bram <bram-fabeg () mail wizbit be> wrote:
> Quoting Florian Westphal <florian.westphal () sophos com>:
> > > Thank you for your email. Snort actually does whitelist the SMTP
> > > traffic. Code that does that is in SnortSMTP
> > > (dir == SMTP_PKT_FROM_CLIENT) line:2370. Snort only parses the
> > > Client and server certificates (Not the complete handshake)
> > >
> > >     if ((smtp_ssn->state == STATE_TLS_DATA) ||
> > >         (smtp_ssn->state == STATE_TLS_SERVER_PEND))
> > >     {
> > >         /* if we're ignoring tls data, set a zero length alt buffer */
> > >         if (smtp_eval_config->ignore_tls_data)
> > >         {
> > >             _dpd.SetAltDecode(0);
> > >             _dpd.streamAPI->stop_inspection(p->stream_session_ptr, p,
> > >                                             SSN_DIR_BOTH, -1, 0);
> > >             return;
> > >         }
> > >     }
> >
> > Hm. Does not work for me with 2.9.5.3.
> > http://strlen.de/fw/starttls-pcap.cap
>
> Can you check if this url is correct? It keeps returning a HTML page...
Fixed.
> I would like to take a look at the dump because there are instances in
> which snort fails to (correctly) detect the STARTTLS command (a separate
> message about this will be sent to bugs+snort-devel). This may be one of
> them but I can't tell without the dump...
No, snort detects the smtp exchange and the tls session. The code quoted above is not part of 2.9.5.3, so my guess is that whitelisting has been added after that release.
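A simplified model of the STARTTLS state tracking the thread is about, added here as an illustration; it is not Snort's code and not code from anyone in this thread. The state names follow the quoted snippet, but the transitions, the packet-direction handling and the sample exchanges are assumptions and constructed data, and the refused-STARTTLS case shows why a detector must not stop inspecting on the STARTTLS command alone.

```python
# Added illustration, not Snort code: a minimal model of the STARTTLS
# state tracking discussed above (transitions are an assumption).
from dataclasses import dataclass

COMMAND, TLS_CLIENT_PEND, TLS_SERVER_PEND, TLS_DATA = range(4)

@dataclass
class SmtpSession:
    state: int = COMMAND

def inspect(session, from_client, data, ignore_tls_data=True):
    # Verdict per packet: 'parse' (hand to SMTP parser), 'tls' (encrypted,
    # nothing to parse) or 'ignore' (stop inspecting the whole flow).
    if session.state == TLS_DATA:
        return "ignore" if ignore_tls_data else "tls"
    if from_client:
        if session.state == TLS_SERVER_PEND:
            # First client bytes after the 220 should be a TLS ClientHello
            # (record type 0x16). Anything else: keep parsing as cleartext.
            if data[:1] == b"\x16":
                session.state = TLS_DATA
                return "ignore" if ignore_tls_data else "tls"
            session.state = COMMAND
            return "parse"
        if data.split(b"\r\n", 1)[0].strip().upper() == b"STARTTLS":
            session.state = TLS_CLIENT_PEND
        return "parse"
    if session.state == TLS_CLIENT_PEND:
        # Only a 220 reply completes STARTTLS; a 4xx/5xx refusal means the
        # session stays in cleartext and must keep being inspected.
        session.state = TLS_SERVER_PEND if data[:3] == b"220" else COMMAND
    return "parse"

def run_exchange(exchange, ignore_tls_data=True):
    # exchange: list of (from_client, payload) in wire order
    session = SmtpSession()
    return [inspect(session, c, d, ignore_tls_data) for c, d in exchange]

# Constructed sample: STARTTLS accepted, then TLS record headers.
SAMPLE_OK = [
    (True, b"STARTTLS\r\n"),
    (False, b"220 Ready to start TLS\r\n"),
    (True, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    (False, b"\x16\x03\x03\x00\x31\x02\x00\x00\x2d\x03\x03"),
]
# Constructed sample: server refuses STARTTLS, session stays cleartext.
SAMPLE_REFUSED = [
    (True, b"STARTTLS\r\n"),
    (False, b"454 TLS not available due to temporary reason\r\n"),
    (True, b"MAIL FROM:<a@example.test>\r\n"),
]
```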
Current thread:
- smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 22)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bhagya Bantwal (Aug 26)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 26)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bram (Aug 27)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 27)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bram (Aug 27)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 26)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bhagya Bantwal (Aug 29)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bhagya Bantwal (Aug 26)