Snort mailing list archives

Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set


From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Thu, 29 Aug 2013 10:17:00 -0400

Hello Florian,

Actually the fix that I mentioned is going in a later release. Sorry for
the confusion.

Thank you for reporting this fix!

Thanks!

Bhagya


On Mon, Aug 26, 2013 at 11:40 AM, Florian Westphal <florian.westphal () sophos com> wrote:

Bhagya Bantwal <bbantwal () sourcefire com> wrote:
Florian,

Thank you for your email. Snort actually does whitelist the SMTP traffic.
The code that does that is in SnortSMTP (dir == SMTP_PKT_FROM_CLIENT),
line 2370. Snort only parses the client and server certificates (not the
complete handshake):

        if ((smtp_ssn->state == STATE_TLS_DATA)
                || (smtp_ssn->state == STATE_TLS_SERVER_PEND))
        {
            /* if we're ignoring tls data, set a zero length alt buffer */
            if (smtp_eval_config->ignore_tls_data)
            {
                _dpd.SetAltDecode(0);
                _dpd.streamAPI->stop_inspection( p->stream_session_ptr, p,
                                                 SSN_DIR_BOTH, -1, 0 );
                return;
            }
        }

Hm.  Does not work for me with 2.9.5.3.

http://strlen.de/fw/starttls-pcap.cap

$ src/snort -r ~/starttls-test.cap  -c snort.conf -k none -K none -P 0xffff
[..]
Verdicts:
      Allow:           26 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)

With the patch, I get "Whitelist: 16".

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
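The thread above is about whether the SMTP preprocessor stops inspecting a session once STARTTLS has succeeded and ignore_tls_data is set. The following is an added, constructed model of that state machine written for this archive page; it is not Snort's code and not the patch under discussion. The state names mirror the ones in the quoted snippet, but the transitions (STARTTLS moves the session to STATE_TLS_CLIENT_PEND, a 220 reply moves it to STATE_TLS_SERVER_PEND, the next client packet is treated as the TLS ClientHello) and the verdict names are assumptions made for illustration. The sample packets are constructed; the model counts how many of them a preprocessor with ignore_tls_data on versus off would leave uninspected, which is the difference Florian is measuring with the Whitelist counter.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the SMTP preprocessor's STARTTLS handling; this is
 * not Snort's own code.  State names follow the quoted snippet; the
 * transitions below are an assumption made for illustration. */
enum smtp_state {
    STATE_COMMAND,          /* plaintext SMTP commands, inspected */
    STATE_TLS_CLIENT_PEND,  /* client sent STARTTLS, waiting for server reply */
    STATE_TLS_SERVER_PEND,  /* server answered 220, next client bytes are TLS */
    STATE_TLS_DATA          /* TLS records flow in both directions */
};

enum smtp_dir { SMTP_PKT_FROM_CLIENT, SMTP_PKT_FROM_SERVER };

enum smtp_verdict {
    VERDICT_INSPECT,      /* preprocessor looks at the payload */
    VERDICT_IGNORE_FLOW   /* stream layer told to stop inspecting the session */
};

struct smtp_session {
    enum smtp_state state;
    int inspection_stopped;   /* set once stop_inspection() would have run */
};

/* Case-insensitive prefix test for SMTP verbs and reply codes. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Feed one packet to the session and return what the preprocessor does with
 * it.  With ignore_tls_data set, the first client packet after the server's
 * 220 (the TLS ClientHello) stops inspection of both directions for the rest
 * of the session, the equivalent of the stop_inspection(..., SSN_DIR_BOTH)
 * call in the quoted snippet. */
enum smtp_verdict smtp_handle_packet(struct smtp_session *ssn, enum smtp_dir dir,
                                     const char *payload, int ignore_tls_data)
{
    if (ssn->inspection_stopped)
        return VERDICT_IGNORE_FLOW;

    switch (ssn->state) {
    case STATE_COMMAND:
        if (dir == SMTP_PKT_FROM_CLIENT && has_prefix_ci(payload, "STARTTLS"))
            ssn->state = STATE_TLS_CLIENT_PEND;
        return VERDICT_INSPECT;

    case STATE_TLS_CLIENT_PEND:
        /* 220 means "go ahead"; any other reply (454, 501) aborts STARTTLS and
         * the session stays plaintext and inspected. */
        if (dir == SMTP_PKT_FROM_SERVER)
            ssn->state = has_prefix_ci(payload, "220") ? STATE_TLS_SERVER_PEND
                                                        : STATE_COMMAND;
        return VERDICT_INSPECT;

    case STATE_TLS_SERVER_PEND:
    case STATE_TLS_DATA:
        if (dir == SMTP_PKT_FROM_CLIENT) {
            ssn->state = STATE_TLS_DATA;
            if (ignore_tls_data) {
                ssn->inspection_stopped = 1;
                return VERDICT_IGNORE_FLOW;
            }
        }
        return VERDICT_INSPECT;
    }
    return VERDICT_INSPECT;
}

/* Constructed session: banner, EHLO, STARTTLS, 220, then three TLS records.
 * Returns how many of the eight packets end up not being inspected. */
int count_ignored_packets(int ignore_tls_data)
{
    static const struct { enum smtp_dir dir; const char *payload; } pkts[] = {
        { SMTP_PKT_FROM_SERVER, "220 mail.example.test ESMTP\r\n" },
        { SMTP_PKT_FROM_CLIENT, "EHLO client.example.test\r\n" },
        { SMTP_PKT_FROM_SERVER, "250-mail.example.test\r\n250 STARTTLS\r\n" },
        { SMTP_PKT_FROM_CLIENT, "STARTTLS\r\n" },
        { SMTP_PKT_FROM_SERVER, "220 Ready to start TLS\r\n" },
        { SMTP_PKT_FROM_CLIENT, "\x16\x03\x01" },   /* TLS ClientHello record header */
        { SMTP_PKT_FROM_SERVER, "\x16\x03\x03" },   /* TLS ServerHello record header */
        { SMTP_PKT_FROM_CLIENT, "\x17\x03\x03" },   /* encrypted application data */
    };
    struct smtp_session ssn = { STATE_COMMAND, 0 };
    int ignored = 0;
    size_t i;

    for (i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        if (smtp_handle_packet(&ssn, pkts[i].dir, pkts[i].payload,
                               ignore_tls_data) == VERDICT_IGNORE_FLOW)
            ignored++;
    return ignored;
}

int main(void)
{
    printf("ignore_tls_data=0: %d packets not inspected\n", count_ignored_packets(0));
    printf("ignore_tls_data=1: %d packets not inspected\n", count_ignored_packets(1));
    return 0;
}
```

In the model, turning ignore_tls_data on leaves the three TLS packets uninspected while the plaintext exchange up to and including the 220 reply is still seen by the preprocessor; with the option off every packet is inspected. A refused STARTTLS (a non-220 reply) returns the session to the command state, so a session that never actually negotiates TLS is never whitelisted.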
