Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set

[Bhagya Bantwal <bbantwal () sourcefire com>]

Florian,

Thank you for your email. Snort actually does whitelist the SMTP traffic.

Code that does that is in SnortSMTP (dir == SMTP_PKT_FROM_CLIENT)
line:2370. Snort only parses the Client and server certificates (Not the
complete handshake)

       if ((smtp_ssn->state == STATE_TLS_DATA)
                || (smtp_ssn->state == STATE_TLS_SERVER_PEND))
        {
            /* if we're ignoring tls data, set a zero length alt buffer */
            if (smtp_eval_config->ignore_tls_data)
            {
                _dpd.SetAltDecode(0);
                _dpd.streamAPI->stop_inspection( p->stream_session_ptr, p,
SSN_DIR_BOTH, -1, 0 );
                return;
            }
        }


Thanks

Bhagya

On Thu, Aug 22, 2013 at 11:10 AM, Florian Westphal <
florian.westphal () sophos com> wrote:

> Hi.
>
> The SMTP preprocessor correctly detects STARTTLS handshake, but it does
> not whitelist the remainder of the flow.
>
> Is there any reason why?  This patch seems to do what I want:
>
> Thanks,
> Florian
>
> diff --git a/src/dynamic-preprocessors/smtp/snort_smtp.c
> b/src/dynamic-preprocessors/smtp/snort_smtp.c
> --- a/src/dynamic-preprocessors/smtp/snort_smtp.c
> +++ b/src/dynamic-preprocessors/smtp/snort_smtp.c
> @@ -2093,8 +2093,11 @@ static int SMTP_ProcessServerPacket(SFSnortPacket
> *p, int *next_state)
>          /* Ignore data */
>          if (smtp_eval_config->ignore_tls_data)
>          {
> -            DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS
> encrypted data\n"););
> -            _dpd.SetAltDecode(0);
> +            DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stopping TLS session
> inspection\n"););
> +            _dpd.streamAPI->stop_inspection(
> +                               p->stream_session_ptr,
> +                               p, SSN_DIR_BOTH, -1, 0 );
> +
>          }
>
>          return 0;
> @@ -2176,8 +2179,11 @@ static int SMTP_ProcessServerPacket(SFSnortPacket
> *p, int *next_state)
>                  /* Ignore data */
>                  if (smtp_eval_config->ignore_tls_data)
>                  {
> -                    DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server
> TLS encrypted data\n"););
> -                    _dpd.SetAltDecode(0);
> +                    DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stopping TLS
> session inspection\n"););
> +                    _dpd.streamAPI->stop_inspection(
> +                               p->stream_session_ptr,
> +                               p, SSN_DIR_BOTH, -1, 0 );
> +
>                  }
>
>                  return 0;
>
>
> ------------------------------------------------------------------------------
> Introducing Performance Central, a new site from SourceForge and
> AppDynamics. Performance Central is your source for news, insights,
> analysis and resources for efficient Application Performance Management.
> Visit us today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!