Snort mailing list archives

Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set


From: Florian Westphal <florian.westphal () sophos com>
Date: Tue, 27 Aug 2013 09:33:54 +0200

Bram <bram-fabeg () mail wizbit be> wrote:
Quoting Florian Westphal <florian.westphal () sophos com>:
Thank you for your email. Snort actually does whitelist the SMTP traffic.
Code that does that is in SnortSMTP (dir == SMTP_PKT_FROM_CLIENT),
line 2370. Snort only parses the client and server certificates (not the
complete handshake).

        if ((smtp_ssn->state == STATE_TLS_DATA)
                || (smtp_ssn->state == STATE_TLS_SERVER_PEND))
        {
            /* if we're ignoring tls data, set a zero length alt buffer */
            if (smtp_eval_config->ignore_tls_data)
            {
                _dpd.SetAltDecode(0);
                _dpd.streamAPI->stop_inspection(p->stream_session_ptr, p,
                                                SSN_DIR_BOTH, -1, 0);
                return;
            }
        }

Hm.  Does not work for me with 2.9.5.3.

http://strlen.de/fw/starttls-pcap.cap

Can you check if this URL is correct? It keeps returning an HTML page...

Fixed.

I would like to take a look at the dump because there are instances
in which snort fails to (correctly) detect the STARTTLS command (a
separate message about this will be sent to bugs+snort-devel).
This may be one of them but I can't tell without the dump.

No, snort detects the smtp exchange and the tls session.

The code quoted above is not part of 2.9.5.3, so my guess is that
whitelisting has been added after that release.
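
As an added illustration (not code from the thread or from the Snort project), the following Python model walks an SMTP session through the STARTTLS transitions the quoted snippet relies on and shows what the ignore_tls_data whitelist does once the session is in STATE_TLS_SERVER_PEND / STATE_TLS_DATA. The state names STATE_COMMAND and STATE_TLS_CLIENT_PEND, the packet-direction names, the transition on the server's 220 reply, and the stop_inspection_available switch (which models a build that lacks the quoted whitelist code, as reported above for 2.9.5.3) are assumptions; the SMTP exchange is a constructed sample, not the pcap linked in the thread.

```python
"""Model of the Snort SMTP preprocessor's STARTTLS handling with ignore_tls_data.

Added example; not the preprocessor's own code. Only STATE_TLS_DATA,
STATE_TLS_SERVER_PEND, SetAltDecode(0) and stop_inspection(SSN_DIR_BOTH)
come from the quoted snippet; everything else is an assumption.
"""
from dataclasses import dataclass, field

FROM_CLIENT = "client"   # modelled on SMTP_PKT_FROM_CLIENT (assumption)
FROM_SERVER = "server"

STATE_COMMAND = "COMMAND"                  # assumption
STATE_TLS_CLIENT_PEND = "TLS_CLIENT_PEND"  # assumption: STARTTLS seen, waiting for 220
STATE_TLS_SERVER_PEND = "TLS_SERVER_PEND"  # from the snippet: server agreed to TLS
STATE_TLS_DATA = "TLS_DATA"                # from the snippet: handshake/app data flowing


@dataclass
class SmtpSession:
    ignore_tls_data: bool                   # snort.conf smtp option 'ignore_tls_data'
    stop_inspection_available: bool = True  # False models a build without the whitelist code
    state: str = STATE_COMMAND
    inspection_stopped: bool = False
    trace: list = field(default_factory=list)


def process_packet(ssn: SmtpSession, direction: str, payload: bytes) -> str:
    """Return what happens to one packet: 'inspected', 'ignored' (zero-length
    alt buffer set and stop_inspection issued for both directions), or
    'dropped-by-stream' (stream layer no longer hands packets to the preprocessor)."""
    if ssn.inspection_stopped:
        return "dropped-by-stream"

    if direction == FROM_CLIENT:
        if ssn.state in (STATE_TLS_DATA, STATE_TLS_SERVER_PEND):
            if ssn.ignore_tls_data and ssn.stop_inspection_available:
                # Equivalent of _dpd.SetAltDecode(0) + stop_inspection(SSN_DIR_BOTH).
                ssn.inspection_stopped = True
                ssn.trace.append((ssn.state, "stop_inspection"))
                return "ignored"
            # Without the whitelist the encrypted bytes keep going to the rule engine.
            ssn.state = STATE_TLS_DATA
            return "inspected"
        command = payload.split(b"\r\n", 1)[0].strip().upper()
        if command == b"STARTTLS":
            ssn.state = STATE_TLS_CLIENT_PEND
        return "inspected"

    # Server direction: only a 220 reply to STARTTLS commits the session to TLS.
    if ssn.state == STATE_TLS_CLIENT_PEND:
        ssn.state = STATE_TLS_SERVER_PEND if payload.startswith(b"220") else STATE_COMMAND
    return "inspected"


# Constructed sample session (not the pcap from the thread).
SAMPLE_EXCHANGE = [
    (FROM_SERVER, b"220 mail.example.test ESMTP\r\n"),
    (FROM_CLIENT, b"EHLO client.example.test\r\n"),
    (FROM_SERVER, b"250-mail.example.test\r\n250 STARTTLS\r\n"),
    (FROM_CLIENT, b"STARTTLS\r\n"),
    (FROM_SERVER, b"220 2.0.0 Ready to start TLS\r\n"),
    (FROM_CLIENT, bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01]) + b"\x00" * 10),  # TLS ClientHello record
    (FROM_SERVER, bytes([0x16, 0x03, 0x03, 0x00, 0x10, 0x02]) + b"\x00" * 10),  # TLS ServerHello record
    (FROM_CLIENT, b"\x17\x03\x03\x00\x20" + b"\x00" * 32),                      # encrypted application data
]


def run(exchange, ignore_tls_data: bool, stop_inspection_available: bool = True) -> list:
    """Feed every packet through the model and return the per-packet outcomes."""
    ssn = SmtpSession(ignore_tls_data, stop_inspection_available)
    return [process_packet(ssn, direction, payload) for direction, payload in exchange]


def packets_inspected_after_starttls(exchange, **kwargs) -> int:
    """Count packets still reaching the preprocessor once the client has sent STARTTLS."""
    outcomes = run(exchange, **kwargs)
    first_tls = next(i for i, (d, p) in enumerate(exchange)
                     if d == FROM_CLIENT and p.strip().upper() == b"STARTTLS")
    return sum(1 for o in outcomes[first_tls + 1:] if o == "inspected")


if __name__ == "__main__":
    for label, kwargs in (("whitelist, ignore_tls_data on", {"ignore_tls_data": True}),
                          ("whitelist, ignore_tls_data off", {"ignore_tls_data": False}),
                          ("no whitelist code (option has no effect)",
                           {"ignore_tls_data": True, "stop_inspection_available": False})):
        print(f"{label}: {run(SAMPLE_EXCHANGE, **kwargs)}")
```

With the whitelist present and ignore_tls_data set, the first client packet after the server's 220 is the one that triggers stop_inspection, and everything after it in either direction never reaches the preprocessor; with the option off, or in a build that lacks the quoted code, the TLS records keep being inspected, which is the 2.9.5.3 behaviour described above.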

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
