Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set

From: Bram <bram-fabeg () mail wizbit be>
Date: Tue, 27 Aug 2013 09:27:16 +0200
Quoting Florian Westphal <florian.westphal () sophos com>:




http://strlen.de/fw/starttls-pcap.cap


Can you check if this url is correct? It keeps returning a HTML page...


Fixed.


For some value of 'Fixed':
* http://strlen.de/fw/starttls-pcap.cap -> HTML
* http://strlen.de/fw/starttls-test.cap -> actual pcap file




I would like to take a look at the dump because there are instancens
in which snort fails to (correctly) detect the STARTTLS command (a
separate message about this will be send to bugs+snort-devel).
This may be one of them but I can't tell without the dump..


No, snort detects the smtp exchange and the tls session.


Indeed, the switch to tls is correctly detected.


Best regards,

Bram


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: