From: Oleksandr Stepanov -X (ostepano - SOFTSERVE INC at Cisco)
Date: Wed, 19 Jul 2023 12:58:50 +0000 (+0000)
Subject: Pull request #3882: appid: Do not raise SMTP response overflow IPS alert on SSL traffic
X-Git-Tag: 3.1.67.0~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ed1df7451e597605268da7b6a2613390e8ab890;p=thirdparty%2Fsnort3.git
Pull request #3882: appid: Do not raise SMTP response overflow IPS alert on SSL traffic
Merge in SNORT/snort3 from ~OSTEPANO/snort3:smtp_ssl_ips to master
Squashed commit of the following:
commit 355163900881bd437c95f0b3524b79ecb39ebac4
Author: Oleksandr Stepanov
Date: Fri Jun 16 09:21:44 2023 -0400
appid: Do not raise SMTP response overflow IPS alert on SSL traffic
---
diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc
index 1041162dc..d548f7ea7 100644
--- a/src/service_inspectors/smtp/smtp.cc
+++ b/src/service_inspectors/smtp/smtp.cc
@@ -867,7 +867,6 @@ static const uint8_t* SMTP_HandleCommand(SmtpProtoConf* config, Packet* p, SMTPD
 * last line in the packet as you can't pipeline the tls hello */
 if (eol == end)
 {
- smtp_ssn->state = STATE_TLS_CLIENT_PEND;
 smtp_ssn->client_requested_starttls = true;
 }
@@ -1104,6 +1103,7 @@ static void SMTP_ProcessServerPacket(
 smtp_ssn->state = STATE_TLS_DATA;
 //TLS server hello received, reset flag
 smtp_ssn->server_accepted_starttls = false;
+ smtp_ssn->client_requested_starttls = false;
 }
 else if ( !p->test_session_flags(SSNFLAG_MIDSTREAM) &&
 !Stream::missed_packets(p->flow, SSN_DIR_BOTH))
@@ -1112,9 +1112,18 @@ static void SMTP_ProcessServerPacket(
 }
 }
- if (smtp_ssn->state == STATE_TLS_DATA)
+ if (smtp_ssn->state == STATE_TLS_CLIENT_PEND)
 {
- smtp_ssn->state = STATE_COMMAND;
+ if (p->flow->flags.data_decrypted)
+ {
+ smtp_ssn->state = STATE_COMMAND;
+ smtp_ssn->server_accepted_starttls = false;
+ smtp_ssn->client_requested_starttls = false;
+ }
+ else
+ {
+ smtp_ssn->state = STATE_TLS_DATA;
+ }
 }
 while (ptr < end)
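Review bot: The `else` branch of the new `STATE_TLS_CLIENT_PEND` block moves the session into `STATE_TLS_DATA` on the first server packet that is not flagged `data_decrypted`, without requiring that a TLS server hello was actually observed; the detection a few lines up (the hunk at 1104, which sets `STATE_TLS_DATA` with the `//TLS server hello received` comment) is the only place in view that ties that state to real TLS bytes. If I read the control flow correctly, together with the later hunks that skip `SMTP_RESPONSE_OVERFLOW` and the default next-state reset while in `STATE_TLS_DATA`, a flow where the handshake never happens and both peers keep sending plaintext after STARTTLS/220 would stop being checked for response-line length, so a test for that non-compliant-client case seems worthwhile. If treating everything after the 220 as opaque is intended, a comment on the `else` such as `// no decrypted data yet: assume the handshake is in flight and treat the rest of the flow as TLS` would make the assumption explicit; otherwise consider staying in `STATE_TLS_CLIENT_PEND` until the server-hello check above fires. SMTP_ProcessServerPacket begins before this hunk and continues past it.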
@@ -1162,7 +1171,7 @@ static void SMTP_ProcessServerPacket(
 break;
 default:
- if (smtp_ssn->state != STATE_COMMAND)
+ if (smtp_ssn->state != STATE_COMMAND and smtp_ssn->state != STATE_TLS_DATA)
 {
 *next_state = STATE_COMMAND;
 }
@@ -1179,6 +1188,7 @@ static void SMTP_ProcessServerPacket(
 else
 {
 smtp_ssn->server_accepted_starttls = true;
+ smtp_ssn->state = STATE_TLS_CLIENT_PEND;
 OpportunisticTlsEvent event(p, p->flow->service);
 DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, event, p->flow);
@@ -1203,7 +1213,8 @@ static void SMTP_ProcessServerPacket(
 }
 if ((config->max_response_line_len != 0) &&
- (resp_line_len > config->max_response_line_len))
+ (resp_line_len > config->max_response_line_len) &&
+ (smtp_ssn->state != STATE_TLS_DATA))
 {
 DetectionEngine::queue_event(GID_SMTP, SMTP_RESPONSE_OVERFLOW);
 }
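Review bot: The widened condition in the `default:` branch spells the conjunction as `and`, while the condition added to the response-overflow check a few dozen lines later in this same function (the hunk at 1203) uses `&&`, as do the surrounding context lines; choosing one spelling keeps the function consistent. Since `*next_state` is now left alone in `STATE_TLS_DATA`, a one-line comment such as `// TLS records are not SMTP responses; keep the TLS state across them` would explain why the reset is skipped. The enclosing switch and SMTP_ProcessServerPacket continue outside the hunk.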
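Review bot: The new `smtp_ssn->state != STATE_TLS_DATA` operand suppresses `SMTP_RESPONSE_OVERFLOW` without saying why; `resp_line_len` is still computed and the check still runs for every line, so a reader will not see why encrypted records are exempt. A comment above the `if`, e.g. `// after STARTTLS the bytes are TLS records, not response lines, so the configured length bound does not apply`, documents the intent. Note that this suppression is only as trustworthy as the transition into `STATE_TLS_DATA`, which is set earlier in this function. The enclosing function continues outside the hunk.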