{ "450", 3, RESP_450, SMTP_CMD_TYPE_NORMAL }, /* Mailbox unavailable */
{ "451", 3, RESP_451, SMTP_CMD_TYPE_NORMAL }, /* Local error in processing */
{ "452", 3, RESP_452, SMTP_CMD_TYPE_NORMAL }, /* Insufficient system storage */
+ { "454", 3, RESP_454, SMTP_CMD_TYPE_NORMAL }, /* TLS not available due to temporary reason */
{ "500", 3, RESP_500, SMTP_CMD_TYPE_NORMAL }, /* Command unrecognized */
{ "501", 3, RESP_501, SMTP_CMD_TYPE_NORMAL }, /* Syntax error in parameters or arguments */
{ "502", 3, RESP_502, SMTP_CMD_TYPE_NORMAL }, /* Command not implemented */
/* see if we actually found a command and not a substring */
if (cmd_found > 0)
{
+ if (!smtp_ssn->client_requested_starttls)
+ ++smtp_ssn->pipelined_command_counter;
+
const uint8_t* tmp = ptr;
const uint8_t* cmd_start = ptr + smtp_search_info.index;
const uint8_t* cmd_end = cmd_start + smtp_search_info.length;
DetectionEngine::queue_event(GID_SMTP, SMTP_ILLEGAL_CMD);
}
+ bool alert_on_command_injection = smtp_ssn->client_requested_starttls;
+
switch (smtp_search_info.id)
{
/* unless we do our own parsing of MAIL and RCTP commands we have to assume they
case CMD_EHLO:
case CMD_QUIT:
smtp_ssn->state_flags &= ~(SMTP_FLAG_GOT_MAIL_CMD | SMTP_FLAG_GOT_RCPT_CMD);
+ smtp_ssn->client_requested_starttls = false;
+ smtp_ssn->server_accepted_starttls = false;
+ smtp_ssn->pipelined_command_counter = 0;
+ alert_on_command_injection = false;
break;
* command in reassembled packet and if not reassembled it should be the
* last line in the packet as you can't pipeline the tls hello */
if (eol == end)
+ {
smtp_ssn->state = STATE_TLS_CLIENT_PEND;
-
+ smtp_ssn->client_requested_starttls = true;
+ }
+
break;
case CMD_X_LINK2STATE:
return nullptr;
}
+ /*If client sends another command after STARTTLS raise the alert of command injection
+ STARTTLS command should be the last command when PIPELINING*/
+ if (alert_on_command_injection)
+ {
+ DetectionEngine::queue_event(GID_SMTP, SMTP_STARTTLS_INJECTION_ATTEMPT);
+ }
+
return eol;
}
if (IsTlsServerHello(ptr, end))
{
smtp_ssn->state = STATE_TLS_DATA;
+ //TLS server hello received, reset flag
+ smtp_ssn->server_accepted_starttls = false;
}
else if ( !p->test_session_flags(SSNFLAG_MIDSTREAM)
&& !Stream::missed_packets(p->flow, SSN_DIR_BOTH))
if (smtp_ssn->state == STATE_CONNECT)
smtp_ssn->state = STATE_COMMAND;
- if (smtp_ssn->state == STATE_TLS_CLIENT_PEND)
- {
- OpportunisticTlsEvent event(p, p->flow->service);
- DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow);
- ++smtpstats.starttls;
- if (smtp_ssn->state_flags & SMTP_FLAG_ABANDON_EVT)
- ++smtpstats.ssl_search_abandoned_too_soon;
- }
-
break;
case RESP_250:
}
break;
}
+ //Count responses of client commands, reset starttls waiting flag if response to STARTTLS is not 220
+ if (smtp_ssn->pipelined_command_counter > 0 and --smtp_ssn->pipelined_command_counter == 0 and smtp_ssn->client_requested_starttls)
+ {
+ if (smtp_search_info.id != RESP_220)
+ {
+ smtp_ssn->client_requested_starttls = false;
+ smtp_ssn->server_accepted_starttls = false;
+ }
+ else
+ {
+ smtp_ssn->server_accepted_starttls = true;
+
+ OpportunisticTlsEvent event(p, p->flow->service);
+ DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow);
+ ++smtpstats.starttls;
+ if (smtp_ssn->state_flags & SMTP_FLAG_ABANDON_EVT)
+ ++smtpstats.ssl_search_abandoned_too_soon;
+ }
+ }
}
else
{
else
{
/* This packet should be a tls client hello */
- if (smtp_ssn->state == STATE_TLS_CLIENT_PEND)
+ if (smtp_ssn->server_accepted_starttls)
{
if (IsTlsClientHello(p->data, p->data + p->dsize))
{
smtp_ssn->state = STATE_TLS_SERVER_PEND;
}
- else
- {
- /* reset state - server may have rejected STARTTLS command */
- smtp_ssn->state = STATE_COMMAND;
- }
}
+
+ if(smtp_ssn->state == STATE_TLS_CLIENT_PEND)
+ smtp_ssn->state = STATE_COMMAND;
if ((smtp_ssn->state == STATE_TLS_DATA)
|| (smtp_ssn->state == STATE_TLS_SERVER_PEND))
projects / thirdparty / snort3.git / commitdiff
