Snort mailing list archives

smtp: ignore flow after STARTTLS if ignore_tls_data is set

From: Florian Westphal <florian.westphal () sophos com>
Date: Thu, 22 Aug 2013 17:10:44 +0200

Hi.

The SMTP preprocessor correctly detects STARTTLS handshake, but it does
not whitelist the remainder of the flow.

Is there any reason why?  This patch seems to do what I want:

Thanks,
Florian

diff --git a/src/dynamic-preprocessors/smtp/snort_smtp.c b/src/dynamic-preprocessors/smtp/snort_smtp.c
--- a/src/dynamic-preprocessors/smtp/snort_smtp.c
+++ b/src/dynamic-preprocessors/smtp/snort_smtp.c
@@ -2093,8 +2093,11 @@ static int SMTP_ProcessServerPacket(SFSnortPacket *p, int *next_state)
         /* Ignore data */
         if (smtp_eval_config->ignore_tls_data)
         {
-            DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n"););
-            _dpd.SetAltDecode(0);
+            DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stopping TLS session inspection\n"););
+            _dpd.streamAPI->stop_inspection(
+                               p->stream_session_ptr,
+                               p, SSN_DIR_BOTH, -1, 0 );
+
         }
 
         return 0;
@@ -2176,8 +2179,11 @@ static int SMTP_ProcessServerPacket(SFSnortPacket *p, int *next_state)
                 /* Ignore data */
                 if (smtp_eval_config->ignore_tls_data)
                 {
-                    DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n"););
-                    _dpd.SetAltDecode(0);
+                    DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stopping TLS session inspection\n"););
+                    _dpd.streamAPI->stop_inspection(
+                               p->stream_session_ptr,
+                               p, SSN_DIR_BOTH, -1, 0 );
+
                 }
 
                 return 0;

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 22)
- Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bhagya Bantwal (Aug 26)
  - Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 26)
    - Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bram (Aug 27)
    - Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Florian Westphal (Aug 27)
    - Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bram (Aug 27)
    - Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set Bhagya Bantwal (Aug 29)