Merge pull request #2378 in SNORT/snort3 from ~DERAMADA/snort3:imap_start_tls to...

Squashed commit of the following:

commit 95d294d06fb2a600f354dd2bd979d38bdf4bc590
Author: deramada <deramada@cisco.com>
Date:   Tue Aug 4 23:39:42 2020 -0400

    imap: publish OPPORTUNISTIC_TLS_EVENT on successfull completion on START_TLS,
    add a new state to avoid publishing start_tls events multiple times

diff --git a/src/service_inspectors/imap/imap.cc b/src/service_inspectors/imap/imap.cc
index baeebf33d45eecca7cfa655e1df8c6da78240cbc..cfac6277d15091177b2dda114d671862e5467dfc 100644 (file)
--- a/src/service_inspectors/imap/imap.cc
+++ b/src/service_inspectors/imap/imap.cc
@@ -29,6 +29,7 @@
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "protocols/ssl.h"
+#include "pub_sub/opportunistic_tls_event.h"
 #include "search_engines/search_tool.h"
 #include "stream/stream.h"
 #include "utils/util_cstring.h"
@@ -128,6 +129,9 @@ const PegInfo imap_peg_names[] =
     { CountType::SUM, "sessions", "total imap sessions" },
     { CountType::NOW, "concurrent_sessions", "total concurrent imap sessions" },
     { CountType::MAX, "max_concurrent_sessions", "maximum concurrent imap sessions" },
+    { CountType::SUM, "start_tls", "total STARTTLS events generated" },
+    { CountType::SUM, "ssl_search_abandoned", "total SSL search abandoned" },
+    { CountType::SUM, "ssl_srch_abandoned_early", "total SSL search abandoned too soon" },
     { CountType::SUM, "b64_attachments", "total base64 attachments decoded" },
     { CountType::SUM, "b64_decoded_bytes", "total base64 decoded bytes" },
     { CountType::SUM, "qp_attachments", "total quoted-printable attachments decoded" },
@@ -478,6 +482,13 @@ static void IMAP_ProcessServerPacket(Packet* p, IMAPData* imap_ssn)
             {
             case RESP_FETCH:
                 imap_ssn->body_len = imap_ssn->body_read = 0;
+                if (!(imap_ssn->session_flags & IMAP_FLAG_ABANDON_EVT)
+                    and !p->flow->flags.data_decrypted)
+                {
+                    imap_ssn->session_flags |= IMAP_FLAG_ABANDON_EVT;
+                    DataBus::publish(SSL_SEARCH_ABANDONED, p);
+                    imapstats.ssl_search_abandoned++;
+                }
                 imap_ssn->state = STATE_DATA;
                 tmp = SnortStrcasestr((const char*)cmd_start, (eol - cmd_start), "BODY");
                 if (tmp != nullptr)
@@ -491,6 +502,20 @@ static void IMAP_ProcessServerPacket(Packet* p, IMAPData* imap_ssn)
                         imap_ssn->state = STATE_UNKNOWN;
                 }
                 break;
+            case RESP_OK:
+                if (imap_ssn->state == STATE_TLS_CLIENT_PEND)
+                {
+                    if ((imap_ssn->session_flags & IMAP_FLAG_ABANDON_EVT)
+                        and !p->flow->flags.data_decrypted)
+                    {
+                        imapstats.ssl_srch_abandoned_early++;
+                    }
+
+                    OpportunisticTlsEvent event(p, p->flow->service);
+                    DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow);
+                    imapstats.start_tls++;
+                    imap_ssn->state = STATE_DECRYPTION_REQ;
+                }
             default:
                 break;
             }
@@ -576,7 +601,8 @@ static void snort_imap(IMAP_PROTO_CONF* config, Packet* p)
     if (pkt_dir == IMAP_PKT_FROM_CLIENT)
     {
         /* This packet should be a tls client hello */
-        if (imap_ssn->state == STATE_TLS_CLIENT_PEND)
+        if ((imap_ssn->state == STATE_TLS_CLIENT_PEND)
+            || (imap_ssn->state == STATE_DECRYPTION_REQ))
         {
             if (IsTlsClientHello(p->data, p->data + p->dsize))
             {

diff --git a/src/service_inspectors/imap/imap.h b/src/service_inspectors/imap/imap.h
index 954f7ae115eead23fd229b4b994c39a027e50675..3de95a2565eb21688706ddee7b3e7b30f1e91be4 100644 (file)
--- a/src/service_inspectors/imap/imap.h
+++ b/src/service_inspectors/imap/imap.h
@@ -38,11 +38,13 @@
 #define STATE_TLS_DATA         3    // Successful handshake, TLS encrypted data
 #define STATE_COMMAND          4
 #define STATE_UNKNOWN          5
+#define STATE_DECRYPTION_REQ   6    
 
 // session flags
 #define IMAP_FLAG_NEXT_STATE_UNKNOWN         0x00000004
 #define IMAP_FLAG_GOT_NON_REBUILT            0x00000008
 #define IMAP_FLAG_CHECK_SSL                  0x00000010
+#define IMAP_FLAG_ABANDON_EVT                0x00000020
 
 typedef enum _IMAPCmdEnum
 {

diff --git a/src/service_inspectors/imap/imap_config.h b/src/service_inspectors/imap/imap_config.h
index ad6412a9b910ee2d24f786218a1913f865edbcb3..0cd7daa66d85fb745a28caa632cd4444b804aace 100644 (file)
--- a/src/service_inspectors/imap/imap_config.h
+++ b/src/service_inspectors/imap/imap_config.h
@@ -35,6 +35,9 @@ struct ImapStats
     PegCount sessions;
     PegCount concurrent_sessions;
     PegCount max_concurrent_sessions;
+    PegCount start_tls;
+    PegCount ssl_search_abandoned;
+    PegCount ssl_srch_abandoned_early; 
     snort::MimeStats mime_stats;
 };