Snort mailing list archives

Re: smtp: ignore flow after STARTTLS if ignore_tls_data is set


From: Bram <bram-fabeg () mail wizbit be>
Date: Tue, 27 Aug 2013 08:17:45 +0200

Quoting Florian Westphal <florian.westphal () sophos com>:

Bhagya Bantwal <bbantwal () sourcefire com> wrote:
Florian,

Thank you for your email. Snort actually does whitelist the SMTP traffic.
Code that does that is in SnortSMTP (dir == SMTP_PKT_FROM_CLIENT)
line:2370. Snort only parses the Client and server certificates (Not the
complete handshake)

        if ((smtp_ssn->state == STATE_TLS_DATA)
                || (smtp_ssn->state == STATE_TLS_SERVER_PEND))
        {
            /* if we're ignoring tls data, set a zero length alt buffer */
            if (smtp_eval_config->ignore_tls_data)
            {
                _dpd.SetAltDecode(0);
                _dpd.streamAPI->stop_inspection( p->stream_session_ptr, p,
                                                 SSN_DIR_BOTH, -1, 0 );
                return;
            }
        }

Hm.  Does not work for me with 2.9.5.3.

http://strlen.de/fw/starttls-pcap.cap

Can you check if this URL is correct? It keeps returning an HTML page...

I would like to take a look at the dump because there are instances in which Snort fails to (correctly) detect the STARTTLS command (a separate message about this will be sent to bugs+snort-devel). This may be one of them but I can't tell without the dump.


Best regards,

Bram
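The quoted Snort snippet stops inspection once the session is in a TLS state; the reply above points out that the transition into that state depends on the STARTTLS command being detected correctly. The following is an added example, not Snort's code: a minimal session tracker with its own state names (COMMAND, STARTTLS_PENDING, TLS) that follows the STARTTLS exchange on constructed client/server segments and reports which segments should still be inspected when an ignore_tls_data style option is set, including the refused-STARTTLS case where the session falls back to plaintext commands.

```python
"""Minimal SMTP STARTTLS state tracker (added example, not Snort code)."""
from enum import Enum, auto


class State(Enum):
    COMMAND = auto()           # plaintext SMTP commands and replies
    STARTTLS_PENDING = auto()  # client sent STARTTLS, awaiting server reply
    TLS = auto()               # server said 220: handshake/ciphertext follows


CLIENT, SERVER = "client", "server"


def track_session(segments, ignore_tls_data=True):
    """Walk (direction, payload) segments in order.

    Returns a list of (direction, state_when_seen, inspected) tuples.  A
    segment is marked not inspected only once the session is in TLS and
    ignore_tls_data is set, mirroring the idea of a stop_inspection call.
    """
    state = State.COMMAND
    trace = []
    for direction, data in segments:
        if state is State.TLS:
            # Encrypted: nothing here is parseable SMTP any more.
            trace.append((direction, state, not ignore_tls_data))
            continue
        trace.append((direction, state, True))
        line = data.split(b"\r\n", 1)[0].strip()
        if direction == CLIENT and state is State.COMMAND:
            if line.upper() == b"STARTTLS":
                state = State.STARTTLS_PENDING
        elif direction == SERVER and state is State.STARTTLS_PENDING:
            # RFC 3207: 220 means "go ahead"; 454/501 etc. mean refused,
            # so the session stays plaintext and must keep being inspected.
            state = State.TLS if line.startswith(b"220") else State.COMMAND
    return trace


if __name__ == "__main__":
    # Constructed sample exchange: EHLO, STARTTLS accepted, then TLS records.
    sample = [
        (CLIENT, b"EHLO mail.example.test\r\n"),
        (SERVER, b"250-mail.example.test\r\n250 STARTTLS\r\n"),
        (CLIENT, b"STARTTLS\r\n"),
        (SERVER, b"220 Go ahead\r\n"),
        (CLIENT, b"\x16\x03\x01\x00\x05hello"),   # TLS ClientHello stand-in
        (SERVER, b"\x16\x03\x03\x00\x05hello"),   # TLS ServerHello stand-in
    ]
    for direction, state, inspected in track_session(sample):
        print(f"{direction:6} {state.name:16} inspected={inspected}")
```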





