Merge pull request #2410 in SNORT/snort3 from ~DERAMADA/snort3:pop3_start_tls to...
authorSteve Chew (stechew) <stechew@cisco.com>
Tue, 25 Aug 2020 22:21:26 +0000 (22:21 +0000)
committerSteve Chew (stechew) <stechew@cisco.com>
Tue, 25 Aug 2020 22:21:26 +0000 (22:21 +0000)
Squashed commit of the following:

commit 144967eebc309fcc88eae236e868cb2ecab2baed
Author: deramada <deramada@cisco.com>
Date:   Wed Aug 19 09:40:10 2020 -0400

    pop: publish start_tls events, support for ssl search abandoned

src/service_inspectors/pop/pop.cc
src/service_inspectors/pop/pop.h
src/service_inspectors/pop/pop_config.h

index a68a436481c8c74dfdedb5e69765250217c5da04..5b7764f87e054d2229b6bfe2d6f16327d2dcdd04 100644 (file)
@@ -29,6 +29,7 @@
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "protocols/ssl.h"
+#include "pub_sub/opportunistic_tls_event.h"
 #include "search_engines/search_tool.h"
 #include "stream/stream.h"
 #include "utils/util_cstring.h"
@@ -84,6 +85,9 @@ const PegInfo pop_peg_names[] =
     { CountType::SUM, "sessions", "total pop sessions" },
     { CountType::NOW, "concurrent_sessions", "total concurrent pop sessions" },
     { CountType::MAX, "max_concurrent_sessions", "maximum concurrent pop sessions" },
+    { CountType::SUM, "start_tls", "total STARTTLS events generated" },
+    { CountType::SUM, "ssl_search_abandoned", "total SSL search abandoned" },
+    { CountType::SUM, "ssl_srch_abandoned_early", "total SSL search abandoned too soon" },
     { CountType::SUM, "b64_attachments", "total base64 attachments decoded" },
     { CountType::SUM, "b64_decoded_bytes", "total base64 decoded bytes" },
     { CountType::SUM, "qp_attachments", "total quoted-printable attachments decoded" },
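Review bot: The three new peg names abbreviate inconsistently: `ssl_search_abandoned` spells out "search" while `ssl_srch_abandoned_early` shortens it, and since peg names are the stat labels users see, renaming later is a compatibility cost. `"ssl_search_abandoned_early"` here, with the matching PopStats member in the pop_config.h section renamed the same way, would keep them uniform. The insertion position after `max_concurrent_sessions` does line up with the new PegCount members added to PopStats, which is what the index-matched peg table appears to require.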
@@ -440,7 +444,30 @@ static void POP_ProcessServerPacket(Packet* p, POPData* pop_ssn)
             case RESP_OK:
                 tmp = SnortStrcasestr((const char*)cmd_start, (eol - cmd_start), "octets");
                 if (tmp != nullptr)
+                {
+                                       if (!(pop_ssn->session_flags & POP_FLAG_ABANDON_EVT)
+                       and !p->flow->flags.data_decrypted)
+                       {
+                       pop_ssn->session_flags |= POP_FLAG_ABANDON_EVT;
+                       DataBus::publish(SSL_SEARCH_ABANDONED, p);
+                       popstats.ssl_search_abandoned++;
+                               }
+
                     pop_ssn->state = STATE_DATA;
+                               }
+                else if (pop_ssn->state == STATE_TLS_CLIENT_PEND)
+                {
+                    if ((pop_ssn->session_flags & POP_FLAG_ABANDON_EVT)
+                        and !p->flow->flags.data_decrypted)
+                    {
+                        popstats.ssl_srch_abandoned_early++;
+                    }
+
+                    OpportunisticTlsEvent event(p, p->flow->service);
+                    DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow);
+                    popstats.start_tls++;
+                    pop_ssn->state = STATE_DECRYPTION_REQ; 
+                }
                 else
                 {
                     pop_ssn->prev_response = RESP_OK;
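Review bot: The new `if (!(pop_ssn->session_flags & POP_FLAG_ABANDON_EVT)` block is indented with a mix of tabs and spaces that does not line up with the four-space style of the surrounding `case RESP_OK:` code, and `pop_ssn->state = STATE_DECRYPTION_REQ;` carries trailing whitespace; the block should be re-indented with spaces only so its braces sit at the same column as the `else if` that follows. Both new branches dereference `p->flow` without a null check; if every packet reaching POP_ProcessServerPacket is guaranteed a flow that is fine, but it is worth confirming since `p->flow->service` is also read when building the OpportunisticTlsEvent. With the state now moving to STATE_DECRYPTION_REQ after the server's +OK, any other test for STATE_TLS_CLIENT_PEND outside this hunk may need the same extension the snort_pop hunk receives. POP_ProcessServerPacket's body starts and ends outside the hunk.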
@@ -517,7 +544,8 @@ static void snort_pop(POP_PROTO_CONF* config, Packet* p)
     if (pkt_dir == POP_PKT_FROM_CLIENT)
     {
         /* This packet should be a tls client hello */
-        if (pop_ssn->state == STATE_TLS_CLIENT_PEND)
+        if ((pop_ssn->state == STATE_TLS_CLIENT_PEND) 
+                       || (pop_ssn->state == STATE_DECRYPTION_REQ))
         {
             if (IsTlsClientHello(p->data, p->data + p->dsize))
             {
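Review bot: The added continuation line is tab-indented and the line before it ends in trailing whitespace, while the new code in POP_ProcessServerPacket uses the `and` alternative token; for consistency the condition should read `if ((pop_ssn->state == STATE_TLS_CLIENT_PEND)` / `            or (pop_ssn->state == STATE_DECRYPTION_REQ))` with space indentation. The comment `/* This packet should be a tls client hello */` now covers both states and could say so, e.g. `/* In either state the next client packet should be a TLS client hello */`. snort_pop's body continues outside the hunk.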
index 76d5259e093585c030b7fade659d9db1de6fb2ba..a998e134772d4b071a3f08d0eb4f061279dc5d15 100644 (file)
 #define STATE_TLS_DATA         3    // Successful handshake, TLS encrypted data
 #define STATE_COMMAND          4
 #define STATE_UNKNOWN          5
+#define STATE_DECRYPTION_REQ   6   
 
 // session flags
 #define POP_FLAG_NEXT_STATE_UNKNOWN         0x00000004
 #define POP_FLAG_GOT_NON_REBUILT            0x00000008
 #define POP_FLAG_CHECK_SSL                  0x00000010
+#define POP_FLAG_ABANDON_EVT               0x00000020
 
 typedef enum _POPCmdEnum
 {
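Review bot: `STATE_DECRYPTION_REQ` is the only state constant in this block without the trailing comment the others carry, and both new defines have trailing whitespace or a value column that does not line up with their neighbours; suggest `#define STATE_DECRYPTION_REQ   6    // server accepted TLS, opportunistic TLS event published` and aligning `0x00000020` under the other POP_FLAG_ values. Both the new state and the new flag are consumed by pop.cc in this same commit, so the header change is otherwise complete.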
index 332ff5930f2df4f536a010cf52298ec412293aa9..16e7d3f81baab3eae61f11630fada93a91b26332 100644 (file)
@@ -36,6 +36,9 @@ struct PopStats
     PegCount sessions;
     PegCount concurrent_sessions;
     PegCount max_concurrent_sessions;
+    PegCount start_tls;
+    PegCount ssl_search_abandoned;
+    PegCount ssl_srch_abandoned_early; 
     snort::MimeStats mime_stats;
 };