Squashed commit of the following:
commit
9a6d342757678b9b98ebd106d13efdbe26fc1d90
Author: Steven Baigal (sbaigal) <sbaigal@cisco.com>
Date: Thu Jul 9 16:02:57 2020 -0400
smtp: generate SSL_SEARCH_ABANDONED event when no STARTTLS is detected
bool trigger_detained_packet_event : 1;
bool trigger_finalize_event : 1;
bool use_direct_inject : 1;
+ bool data_decrypted : 1; // indicate data in current flow is decrypted TLS application data
} flags;
FlowState flow_state;
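Review bot: The new `data_decrypted` bit is only declared here. Nothing in the visible part of this commit sets or clears it, yet the SMTP inspector reads it to decide whether the flow counts as cleartext. If the bit is never set for decrypted flows, or is left stale after a flow is reset, SSL_SEARCH_ABANDONED would be published on the wrong flows. The comment should name the writer and the reset point, for example `// set by the TLS decryption layer once application data on this flow is plaintext; cleared on flow reset`, with wording adjusted to whichever component actually owns it. The enclosing struct starts outside the hunk.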
#define FLOW_SERVICE_CHANGE_EVENT "flow.service_change_event"
// A flow has found the service inspector
#define SERVICE_INSPECTOR_CHANGE_EVENT "flow.service_inspector.changed"
+// search of SSL is abandoned on this flow
+#define SSL_SEARCH_ABANDONED "flow.ssl_search_abandoned"
// A flow has entered the setup state
#define FLOW_STATE_SETUP_EVENT "flow.state_setup"
case RESP_221:
case RESP_334:
case RESP_354:
+ if ((smtp_ssn->state == STATE_DATA or smtp_ssn->state == STATE_BDATA)
+ and !p->flow->flags.data_decrypted
+ and !(smtp_ssn->state_flags & SMTP_FLAG_ABANDON_EVT))
+ {
+ smtp_ssn->state_flags |= SMTP_FLAG_ABANDON_EVT;
+ DataBus::publish(SSL_SEARCH_ABANDONED, p);
+ }
break;
case RESP_235:
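Review bot: The abandon event is published once per session, guarded by `SMTP_FLAG_ABANDON_EVT`, but SMTP lets a client issue STARTTLS after a completed mail transaction on the same connection. If subscribers stop TLS detection for the rest of the flow (their behaviour is not visible here), encrypted traffic negotiated later would go unexamined. It is worth confirming that a later STARTTLS re-arms the search, or documenting the limitation. The block also runs for RESP_221 and RESP_334 because it sits under the shared case labels, although only a 354 reply is expected in the DATA/BDATA state, so a comment should say whether that is intended. A comment such as `// no STARTTLS before the message body: publish once so TLS searchers can release this flow` would cover the intent. The switch begins and ends outside the hunk.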
#define SMTP_FLAG_GOT_RCPT_CMD 0x00000002
#define SMTP_FLAG_BDAT 0x00001000
#define SMTP_FLAG_ABORT 0x00002000
+#define SMTP_FLAG_ABANDON_EVT 0x00010000
// session flags
#define SMTP_FLAG_XLINK2STATE_GOTFIRSTCHUNK 0x00000001
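Review bot: `SMTP_FLAG_ABANDON_EVT` is added without a comment, and in the visible lines its value jumps from 0x00002000 to 0x00010000. A comment such as `// SSL_SEARCH_ABANDONED already published for this session` would make clear that it is a one-shot latch in `state_flags` rather than a protocol state. If `state_flags` is cleared when the session state is reset (not shown here), the latch is lost and the event can be published again on the same flow. That lifetime should be stated next to the define.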