Snort mailing list archives
Re: IMAP and POP preprocessor do not handle TLS
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Wed, 31 Jul 2013 12:25:21 -0400
Bram,

Thank you for reporting this issue. A bug has been filed to address this issue.

Thanks!
B

On Wed, Jul 31, 2013 at 9:06 AM, Bram <bram-fabeg () mail wizbit be> wrote:
Hi,
The IMAP and POP preprocessors do not handle the switch to TLS correctly.
They 'know' the STARTTLS/STLS command but don't do anything with it...
In the SMTP preprocessor the STARTTLS command is (or at least appears to
be) handled correctly; similar code in IMAP and POP is most likely needed...
The result is that the alerts:
* 'IMAP_UNKNOWN_CMD'
* 'IMAP_UNKNOWN_RESP'
* 'POP_UNKNOWN_CMD'
are logged incorrectly.
That is, these are logged on SSL packets...
Attached are two capture files:
* imap capture file created using:
$ openssl s_client -connect 192.168.173.153:143 -starttls imap
...
. OK Completed
001 LOGOUT
* BYE LOGOUT received
001 OK Completed
read:errno=0
* pop capture file created using:
$ openssl s_client -ign_eof -connect 192.168.173.153:110 -starttls pop3
....
+OK foo.bar.com Cyrus POP3 v2.4.16 server ready
QUIT
+OK
Configuration used:
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
preprocessor normalize_tcp: ecn stream
preprocessor stream5_global: \
track_tcp yes, \
track_udp no, \
track_icmp no
preprocessor stream5_tcp: policy first, ports client 143 110
preprocessor imap: \
ports { 143 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0
preprocessor pop: \
ports { 110 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0
alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1;
metadata: rule-type preproc, service pop ; )
alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1;
metadata: rule-type preproc, service pop ; )
alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1;
metadata: rule-type preproc, service pop ; )
alert ( msg: "POP_UNKNOWN_RESP"; sid: 2; gid: 142; rev: 1;
metadata: rule-type preproc, service pop ; )
output alert_fast: stdout
Running it:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/imap_starttls.cap 2>&1 | grep '141:'
07/31-16:08:16.664139 [**] [141:1:1] (IMAP) Unknown IMAP4 command [**] [Priority: 0] {TCP} 192.168.173.1:47455 -> 192.168.173.153:143
07/31-16:08:16.683048 [**] [141:2:1] (IMAP) Unknown IMAP4 response [**] [Priority: 0] {TCP} 192.168.173.153:143 -> 192.168.173.1:47455
=> alerts generated on packets 11 and 14, which are part of the TLS negotiation
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/pop_stls.cap 2>&1 | grep '142:'
07/31-16:06:56.783096 [**] [142:1:1] (POP) Unknown POP3 command [**] [Priority: 0] {TCP} 192.168.173.1:46034 -> 192.168.173.153:110
=> alert generated on packet 9, which is part of the TLS negotiation
Best regards,
Bram
------------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
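Added example, not part of the thread and not Snort code: a toy Python model of the behaviour Bram describes. With handle_starttls=False it mirrors the reported bug: the inspector recognises STARTTLS/STLS but keeps parsing the TLS handshake as protocol text, so the binary records trip the UNKNOWN_CMD/UNKNOWN_RESP checks. With handle_starttls=True it marks the session encrypted once the server accepts the command and stops inspecting (the SMTP-style handling the report asks for), and a server that rejects the command with NO/BAD or -ERR keeps the session in plaintext inspection. The two sessions, the host names, the TLS record bytes and the command/status tables are all constructed for the example; Snort's real tables and alert logic are larger.

```python
"""Toy model of STARTTLS (IMAP) / STLS (POP3) handling in a mail-protocol
inspector.  Constructed example: not Snort code; sessions are hand-built."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

CLIENT, SERVER = "client", "server"

# Deliberately small subsets of the real command/status vocabularies.
IMAP_COMMANDS = {b"CAPABILITY", b"NOOP", b"LOGOUT", b"STARTTLS", b"LOGIN",
                 b"AUTHENTICATE", b"SELECT", b"EXAMINE", b"LIST", b"FETCH"}
IMAP_STATUS = {b"OK", b"NO", b"BAD"}
POP_COMMANDS = {b"USER", b"PASS", b"QUIT", b"STAT", b"LIST", b"RETR", b"DELE",
                b"NOOP", b"RSET", b"TOP", b"UIDL", b"APOP", b"CAPA", b"STLS"}
POP_STATUS = {b"+OK", b"-ERR"}


@dataclass
class MailInspector:
    """Line-oriented IMAP/POP3 checker.  handle_starttls=False reproduces the
    reported bug (STARTTLS/STLS is recognised but the session is never marked
    encrypted); handle_starttls=True stops inspection once the server accepts."""
    proto: str                            # "imap" or "pop"
    handle_starttls: bool
    alerts: List[str] = field(default_factory=list)
    pending_tag: Optional[bytes] = None   # IMAP tag (b"" for POP) of an outstanding STARTTLS/STLS
    encrypted: bool = False

    def feed(self, direction: str, payload: bytes) -> None:
        if self.encrypted:
            return                        # TLS records: nothing here is protocol text
        handler = self._client_line if direction == CLIENT else self._server_line
        for line in payload.split(b"\r\n"):
            if line:
                handler(line)

    def _client_line(self, line: bytes) -> None:
        toks = line.split(b" ")
        if self.proto == "imap":
            tag, cmd = (toks[0], toks[1].upper()) if len(toks) > 1 else (None, b"")
            if cmd not in IMAP_COMMANDS:
                self.alerts.append("IMAP_UNKNOWN_CMD")
            elif cmd == b"STARTTLS":
                self.pending_tag = tag
        else:
            cmd = toks[0].upper()
            if cmd not in POP_COMMANDS:
                self.alerts.append("POP_UNKNOWN_CMD")
            elif cmd == b"STLS":
                self.pending_tag = b""

    def _server_line(self, line: bytes) -> None:
        toks = line.split(b" ")
        if self.proto == "imap":
            tag = toks[0]
            if tag in (b"*", b"+"):
                return                    # untagged data / continuation request
            status = toks[1].upper() if len(toks) > 1 else b""
            if status not in IMAP_STATUS:
                self.alerts.append("IMAP_UNKNOWN_RESP")
                return
            accepted = status == b"OK" and tag == self.pending_tag
        else:
            status = toks[0].upper()
            if status not in POP_STATUS:
                self.alerts.append("POP_UNKNOWN_RESP")
                return
            accepted = status == b"+OK"
        if self.pending_tag is not None:
            # The reply to STARTTLS/STLS decides what the next bytes on the wire are.
            if accepted and self.handle_starttls:
                self.encrypted = True
            self.pending_tag = None


# Constructed stand-ins for TLS records: a plausible content-type/version header
# followed by filler; only the fact that they are binary, not text, matters here.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x03" + bytes(range(0x40, 0x60)) + b"\x00\x00\x02\x00\x2f\x01\x00"
TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + bytes(range(0x60, 0x80)) + b"\x00\x00\x2f\x00"
TLS_APP_DATA = b"\x17\x03\x03\x00\x18" + bytes(range(0x80, 0x98))

# Constructed sessions modelled on `openssl s_client -starttls imap|pop3`.
IMAP_SESSION: Sequence[Tuple[str, bytes]] = [
    (SERVER, b"* OK [CAPABILITY IMAP4rev1 STARTTLS] mail.example.test ready\r\n"),
    (CLIENT, b". CAPABILITY\r\n"),
    (SERVER, b"* CAPABILITY IMAP4rev1 STARTTLS\r\n. OK Completed\r\n"),
    (CLIENT, b". STARTTLS\r\n"),
    (SERVER, b". OK Begin TLS negotiation now\r\n"),
    (CLIENT, TLS_CLIENT_HELLO),           # from here on the stream is TLS
    (SERVER, TLS_SERVER_HELLO),
    (CLIENT, TLS_APP_DATA),               # e.g. an encrypted "001 LOGOUT"
]
POP_SESSION: Sequence[Tuple[str, bytes]] = [
    (SERVER, b"+OK foo.bar.com Cyrus POP3 v2.4.16 server ready\r\n"),
    (CLIENT, b"STLS\r\n"),
    (SERVER, b"+OK Begin TLS negotiation now\r\n"),
    (CLIENT, TLS_CLIENT_HELLO),
    (SERVER, TLS_SERVER_HELLO),
    (CLIENT, TLS_APP_DATA),
]


def run(proto: str, session: Sequence[Tuple[str, bytes]], handle_starttls: bool) -> List[str]:
    """Replay a session through the inspector and return the alerts it raised."""
    insp = MailInspector(proto, handle_starttls)
    for direction, payload in session:
        insp.feed(direction, payload)
    return insp.alerts


if __name__ == "__main__":
    for proto, session in (("imap", IMAP_SESSION), ("pop", POP_SESSION)):
        print(proto, "buggy:", run(proto, session, False))
        print(proto, "fixed:", run(proto, session, True))
```

The buggy run raises an UNKNOWN_CMD/UNKNOWN_RESP alert for every TLS record after the server's OK, which is the false-positive pattern in the report; the fixed run raises none for the same bytes, while a rejected STARTTLS leaves the session inspected as plaintext.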
Current thread:
- IMAP and POP preprocessor do not handle TLS Bram (Jul 31)
- Re: IMAP and POP preprocessor do not handle TLS Bhagya Bantwal (Jul 31)
