Snort mailing list archives
smtp: ignore flow after STARTTLS if ignore_tls_data is set
From: Florian Westphal <florian.westphal () sophos com>
Date: Thu, 22 Aug 2013 17:10:44 +0200
Hi. The SMTP preprocessor correctly detects STARTTLS handshake, but it does not whitelist the remainder of the flow. Is there any reason why? This patch seems to do what I want: Thanks, Florian diff --git a/src/dynamic-preprocessors/smtp/snort_smtp.c b/src/dynamic-preprocessors/smtp/snort_smtp.c --- a/src/dynamic-preprocessors/smtp/snort_smtp.c +++ b/src/dynamic-preprocessors/smtp/snort_smtp.c @@ -2093,8 +2093,11 @@ static int SMTP_ProcessServerPacket(SFSnortPacket *p, int *next_state) /* Ignore data */ if (smtp_eval_config->ignore_tls_data) { - DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n");); - _dpd.SetAltDecode(0); + DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stopping TLS session inspection\n");); + _dpd.streamAPI->stop_inspection( + p->stream_session_ptr, + p, SSN_DIR_BOTH, -1, 0 ); + } return 0; @@ -2176,8 +2179,11 @@ static int SMTP_ProcessServerPacket(SFSnortPacket *p, int *next_state) /* Ignore data */ if (smtp_eval_config->ignore_tls_data) { - DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n");); - _dpd.SetAltDecode(0); + DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stopping TLS session inspection\n");); + _dpd.streamAPI->stop_inspection( + p->stream_session_ptr, + p, SSN_DIR_BOTH, -1, 0 ); + } return 0;
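Review bot: In the first hunk (@@ -2093), the new stop_inspection() call passes p->stream_session_ptr with no check visible in this block that the packet actually has a stream session, and it drops _dpd.SetAltDecode(0) without saying whether the current packet still needs the alternate decode buffer cleared. Consider guarding the call on a non-NULL p->stream_session_ptr, and either keep SetAltDecode(0) for this packet or state in the commit message why it is no longer needed. Since the intent is to take the rest of the flow out of inspection in both directions (SSN_DIR_BOTH), a one-line comment on what the trailing -1, 0 arguments mean would help the next reader confirm that. The added blank line before the closing brace and the stray space in "0 );" can go.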
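Review bot: The second hunk (@@ -2176) repeats the same stop_inspection() sequence and debug message as the hunk at -2093; moving it into one small static helper called from both sites would keep the two paths from drifting apart. Both sites also log the identical string "Stopping TLS session inspection", so the debug output does not show which of the two code paths ended inspection. Adding the state or reply that triggered it to the message would make it possible to verify from logs that only flows that really switched to TLS are being exempted.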