Snort mailing list archives
Re: IMAP and POP preprocessor do not handle TLS
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Wed, 31 Jul 2013 12:25:21 -0400
Bram,

Thank you for reporting this issue. A bug has been filed to address this issue.

Thanks!
B

On Wed, Jul 31, 2013 at 9:06 AM, Bram <bram-fabeg () mail wizbit be> wrote:
Hi,

The IMAP and POP preprocessors do not handle the switch to TLS correctly.
They do 'know' the STARTTLS/STLS command but don't do anything with it...
In the SMTP preprocessor the STARTTLS command is (or at least appears to be)
handled correctly; similar code in IMAP and POP is most likely needed...

The result is that the alerts:
* 'IMAP_UNKNOWN_CMD'
* 'IMAP_UNKNOWN_RESP'
* 'POP_UNKNOWN_CMD'
are logged incorrectly. That is: these are logged on SSL packets.

Attached are two capture files:

* imap capture file created using:

  $ openssl s_client -connect 192.168.173.153:143 -starttls imap
  ...
  . OK Completed
  001 LOGOUT
  * BYE LOGOUT received
  001 OK Completed
  read:errno=0

* pop capture file created using:

  $ openssl s_client -ign_eof -connect 192.168.173.153:110 -starttls pop3
  ....
  +OK foo.bar.com Cyrus POP3 v2.4.16 server ready
  QUIT
  +OK

Configuration used:

  dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/

  preprocessor normalize_tcp: ecn stream
  preprocessor stream5_global: \
      track_tcp yes, \
      track_udp no, \
      track_icmp no
  preprocessor stream5_tcp: policy first, ports client 143 110

  preprocessor imap: \
      ports { 143 } \
      b64_decode_depth 0 \
      qp_decode_depth 0 \
      bitenc_decode_depth 0 \
      uu_decode_depth 0

  preprocessor pop: \
      ports { 110 } \
      b64_decode_depth 0 \
      qp_decode_depth 0 \
      bitenc_decode_depth 0 \
      uu_decode_depth 0

  alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; )
  alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; )
  alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; )
  alert ( msg: "POP_UNKNOWN_RESP"; sid: 2; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; )

  output alert_fast: stdout

Running it:

  $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/imap_starttls.cap 2>&1 | grep '141:'
  07/31-16:08:16.664139  [**] [141:1:1] (IMAP) Unknown IMAP4 command [**] [Priority: 0] {TCP} 192.168.173.1:47455 -> 192.168.173.153:143
  07/31-16:08:16.683048  [**] [141:2:1] (IMAP) Unknown IMAP4 response [**] [Priority: 0] {TCP} 192.168.173.153:143 -> 192.168.173.1:47455

  => alerts generated on packets 11 and 14, which are part of the TLS negotiation

  $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/pop_stls.cap 2>&1 | grep '142:'
  07/31-16:06:56.783096  [**] [142:1:1] (POP) Unknown POP3 command [**] [Priority: 0] {TCP} 192.168.173.1:46034 -> 192.168.173.153:110

  => alert generated on packet 9, which is part of the TLS negotiation

Best regards,

Bram

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
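The state switch Bram describes as missing, shown as an added example that is not part of the thread and not Snort's preprocessor code. It is a small per-flow tracker for IMAP and POP3 that recognises STARTTLS/STLS, waits for the server's OK, and from then on keeps the flow away from the plaintext command parser, only checking that the client's first post-switch bytes carry a TLS handshake record header. With honor_starttls=False it reproduces the spurious unknown-command/response alerts from the report. The command tables, alert names, the Session class and the two exchanges are constructed for illustration (the exchanges are modelled on the openssl s_client sessions above, with truncated handshake records standing in for the real ClientHello/ServerHello).

```python
import re

# Plaintext command vocabularies (illustrative subsets, not Snort's own tables).
IMAP_CMDS = {"CAPABILITY", "NOOP", "LOGOUT", "STARTTLS", "LOGIN", "SELECT", "FETCH"}
POP_CMDS = {"CAPA", "STLS", "USER", "PASS", "STAT", "LIST", "RETR", "QUIT"}
# IMAP client line: "<tag> <command> ..." (openssl s_client uses "." as the tag).
IMAP_TAGGED = re.compile(rb'^(?P<tag>[^\s(){%*"\\]+) (?P<cmd>[A-Za-z]+)')


def looks_like_tls_record(data):
    """TLS record header: content type 0x16 (handshake), version 0x03 0x0X."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


class Session:
    """Per-flow state for one IMAP or POP3 session (constructed example).
    honor_starttls=False reproduces the behaviour in the bug report: STARTTLS/STLS
    is recognised but no state switch is made, so the TLS handshake bytes are parsed
    as plaintext and raise unknown command/response alerts."""

    def __init__(self, proto, honor_starttls=True):
        self.proto = proto                  # "imap" or "pop"
        self.honor_starttls = honor_starttls
        self.tls_pending = False            # STARTTLS/STLS sent, waiting for server OK
        self.pending_tag = None             # IMAP tag of the STARTTLS command
        self.encrypted = False              # server said OK: everything after is TLS
        self.tls_confirmed = None           # first post-switch client bytes look like TLS?
        self.alerts = []                    # (alert name, offending payload)

    def feed(self, direction, data):
        if self.encrypted:
            # Post-switch traffic never reaches the plaintext parser; only sanity-check
            # that the client's first record is a TLS handshake record.
            if direction == "c2s" and self.tls_confirmed is None:
                self.tls_confirmed = looks_like_tls_record(data)
            return
        (self._client if direction == "c2s" else self._server)(data)

    def _client(self, data):
        line = data.rstrip(b"\r\n")
        if self.proto == "imap":
            m = IMAP_TAGGED.match(line)
            if m is None or m.group("cmd").upper().decode() not in IMAP_CMDS:
                self.alerts.append(("IMAP_UNKNOWN_CMD", data))
                return
            if m.group("cmd").upper() == b"STARTTLS" and self.honor_starttls:
                self.tls_pending, self.pending_tag = True, m.group("tag")
        else:
            cmd = line.split(b" ", 1)[0].upper()
            if cmd.decode(errors="replace") not in POP_CMDS:
                self.alerts.append(("POP_UNKNOWN_CMD", data))
                return
            if cmd == b"STLS" and self.honor_starttls:
                self.tls_pending = True

    def _server(self, data):
        line = data.rstrip(b"\r\n")
        if self.proto == "imap":
            if line.startswith(b"* ") or line.startswith(b"+"):
                return  # untagged / continuation responses are not checked here
            parts = line.split(b" ", 2)
            if len(parts) < 2 or parts[1].upper() not in (b"OK", b"NO", b"BAD"):
                self.alerts.append(("IMAP_UNKNOWN_RESP", data))
                return
            if self.tls_pending and parts[0] == self.pending_tag:
                self.encrypted = parts[1].upper() == b"OK"  # NO/BAD: stay plaintext
                self.tls_pending = False
        else:
            if not (line.startswith(b"+OK") or line.startswith(b"-ERR")):
                self.alerts.append(("POP_UNKNOWN_RESP", data))
                return
            if self.tls_pending:
                self.encrypted = line.startswith(b"+OK")
                self.tls_pending = False


# Constructed exchanges modelled on the openssl s_client sessions in the report.
# The two records are truncated handshake records: just enough to carry the header.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x00"
IMAP_EXCHANGE = [
    ("s2c", b"* OK [CAPABILITY IMAP4rev1 STARTTLS] foo.bar.com Cyrus IMAP ready\r\n"),
    ("c2s", b". CAPABILITY\r\n"),
    ("s2c", b"* CAPABILITY IMAP4rev1 STARTTLS\r\n"),
    ("s2c", b". OK Completed\r\n"),
    ("c2s", b". STARTTLS\r\n"),
    ("s2c", b". OK Begin TLS negotiation now\r\n"),
    ("c2s", TLS_CLIENT_HELLO),
    ("s2c", TLS_SERVER_HELLO),
]
POP_EXCHANGE = [
    ("s2c", b"+OK foo.bar.com Cyrus POP3 v2.4.16 server ready\r\n"),
    ("c2s", b"STLS\r\n"),
    ("s2c", b"+OK Begin TLS negotiation now\r\n"),
    ("c2s", TLS_CLIENT_HELLO),
    ("s2c", TLS_SERVER_HELLO),
]


def replay(proto, exchange, honor_starttls=True):
    """Run an exchange through a Session; return (alert names, encrypted, tls_confirmed)."""
    s = Session(proto, honor_starttls)
    for direction, data in exchange:
        s.feed(direction, data)
    return [name for name, _ in s.alerts], s.encrypted, s.tls_confirmed
```

Running replay("imap", IMAP_EXCHANGE, honor_starttls=False) yields one IMAP_UNKNOWN_CMD and one IMAP_UNKNOWN_RESP, both on the handshake records, which is the pair of alerts in the report; with honor_starttls=True the same exchange yields no alerts and the session is marked encrypted. The design point is that the switch is keyed on the server's OK to the specific STARTTLS command (matched by tag for IMAP), not on the client merely sending it, so a rejected STARTTLS keeps the flow in plaintext inspection.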
Current thread:
- IMAP and POP preprocessor do not handle TLS Bram (Jul 31)
- Re: IMAP and POP preprocessor do not handle TLS Bhagya Bantwal (Jul 31)