From: Steve Chew (stechew)
Date: Tue, 25 Aug 2020 22:21:26 +0000 (+0000)
Subject: Merge pull request #2410 in SNORT/snort3 from ~DERAMADA/snort3:pop3_start_tls to...
X-Git-Tag: 3.0.2-6~40
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa5f27856355cbdb15b34e36442f52e7076d488a;p=thirdparty%2Fsnort3.git

Merge pull request #2410 in SNORT/snort3 from ~DERAMADA/snort3:pop3_start_tls to master

Squashed commit of the following:

commit 144967eebc309fcc88eae236e868cb2ecab2baed
Author: deramada
Date: Wed Aug 19 09:40:10 2020 -0400

pop: publish start_tls events, support for ssl search abandoned
---
diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc
index a68a43648..5b7764f87 100644
--- a/src/service_inspectors/pop/pop.cc
+++ b/src/service_inspectors/pop/pop.cc
@@ -29,6 +29,7 @@
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "protocols/ssl.h"
+#include "pub_sub/opportunistic_tls_event.h"
 #include "search_engines/search_tool.h"
 #include "stream/stream.h"
 #include "utils/util_cstring.h"
@@ -84,6 +85,9 @@ const PegInfo pop_peg_names[] =
 { CountType::SUM, "sessions", "total pop sessions" },
 { CountType::NOW, "concurrent_sessions", "total concurrent pop sessions" },
 { CountType::MAX, "max_concurrent_sessions", "maximum concurrent pop sessions" },
+ { CountType::SUM, "start_tls", "total STARTTLS events generated" },
+ { CountType::SUM, "ssl_search_abandoned", "total SSL search abandoned" },
+ { CountType::SUM, "ssl_srch_abandoned_early", "total SSL search abandoned too soon" },
 { CountType::SUM, "b64_attachments", "total base64 attachments decoded" },
 { CountType::SUM, "b64_decoded_bytes", "total base64 decoded bytes" },
 { CountType::SUM, "qp_attachments", "total quoted-printable attachments decoded" },
@@ -440,7 +444,30 @@ static void POP_ProcessServerPacket(Packet* p, POPData* pop_ssn)
 case RESP_OK:
 tmp = SnortStrcasestr((const char*)cmd_start, (eol - cmd_start), "octets");
 if (tmp != nullptr)
+ {
+ if (!(pop_ssn->session_flags & POP_FLAG_ABANDON_EVT)
+ and !p->flow->flags.data_decrypted)
+ {
+ pop_ssn->session_flags |= POP_FLAG_ABANDON_EVT;
+ DataBus::publish(SSL_SEARCH_ABANDONED, p);
+ popstats.ssl_search_abandoned++;
+ }
+ pop_ssn->state = STATE_DATA;
+ }
+ else if (pop_ssn->state == STATE_TLS_CLIENT_PEND)
+ {
+ if ((pop_ssn->session_flags & POP_FLAG_ABANDON_EVT)
+ and !p->flow->flags.data_decrypted)
+ {
+ popstats.ssl_srch_abandoned_early++;
+ }
+
+ OpportunisticTlsEvent event(p, p->flow->service);
+ DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow);
+ popstats.start_tls++;
+ pop_ssn->state = STATE_DECRYPTION_REQ;
+ }
 else
 {
 pop_ssn->prev_response = RESP_OK;
@@ -517,7 +544,8 @@ static void snort_pop(POP_PROTO_CONF* config, Packet* p)
 if (pkt_dir == POP_PKT_FROM_CLIENT)
 {
 /* This packet should be a tls client hello */
- if (pop_ssn->state == STATE_TLS_CLIENT_PEND)
+ if ((pop_ssn->state == STATE_TLS_CLIENT_PEND)
+ || (pop_ssn->state == STATE_DECRYPTION_REQ))
 {
 if (IsTlsClientHello(p->data, p->data + p->dsize))
 {
diff --git a/src/service_inspectors/pop/pop.h b/src/service_inspectors/pop/pop.h
index 76d5259e0..a998e1347 100644
--- a/src/service_inspectors/pop/pop.h
+++ b/src/service_inspectors/pop/pop.h
@@ -38,11 +38,13 @@
 #define STATE_TLS_DATA 3 // Successful handshake, TLS encrypted data
 #define STATE_COMMAND 4
 #define STATE_UNKNOWN 5
+#define STATE_DECRYPTION_REQ 6
 
 // session flags
 #define POP_FLAG_NEXT_STATE_UNKNOWN 0x00000004
 #define POP_FLAG_GOT_NON_REBUILT 0x00000008
 #define POP_FLAG_CHECK_SSL 0x00000010
+#define POP_FLAG_ABANDON_EVT 0x00000020
 
 typedef enum _POPCmdEnum
 {
diff --git a/src/service_inspectors/pop/pop_config.h b/src/service_inspectors/pop/pop_config.h
index 332ff5930..16e7d3f81 100644
--- a/src/service_inspectors/pop/pop_config.h
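Review bot: The new `else if (pop_ssn->state == STATE_TLS_CLIENT_PEND)` branch is only reached when the +OK line does not contain "octets", because `tmp != nullptr` is tested first; a server reply to STLS whose text happens to include that word would move the session to STATE_DATA and no OPPORTUNISTIC_TLS_EVENT would be published, so the handshake that follows would presumably be handled as POP data. Testing the pending-TLS state first avoids that: make `if (pop_ssn->state == STATE_TLS_CLIENT_PEND)` the first branch and `else if (tmp != nullptr)` the second, bodies unchanged. The early-abandon case only increments `ssl_srch_abandoned_early` even though SSL_SEARCH_ABANDONED has already been published for this flow; a short comment saying that the session still moves to STATE_DECRYPTION_REQ and the counter records the mismatch would help the next reader. The switch that contains this case begins and ends outside the hunk.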
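Review bot: Style: the widened condition in snort_pop uses `||` while the new code in POP_ProcessServerPacket in this same commit uses the `and` alternative token; pick one form, e.g. `if ((pop_ssn->state == STATE_TLS_CLIENT_PEND) or (pop_ssn->state == STATE_DECRYPTION_REQ))`. Since the branch now also admits STATE_DECRYPTION_REQ, the comment above it could say why: `/* STLS pending or +OK'd by the server: this packet should be a tls client hello */`. What happens when IsTlsClientHello() fails in STATE_DECRYPTION_REQ is decided below the hunk; snort_pop's body continues outside it.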
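Review bot: `STATE_DECRYPTION_REQ` and `POP_FLAG_ABANDON_EVT` are added in pop.h without the explanatory comment that the neighbouring STATE_TLS_DATA line carries, and their meaning is only recoverable from pop.cc. Based on how pop.cc sets them in this commit: `#define STATE_DECRYPTION_REQ 6 // +OK received while TLS pending, expect TLS client hello` and `#define POP_FLAG_ABANDON_EVT 0x00000020 // SSL_SEARCH_ABANDONED already published for this session`.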
+++ b/src/service_inspectors/pop/pop_config.h
@@ -36,6 +36,9 @@ struct PopStats
 PegCount sessions;
 PegCount concurrent_sessions;
 PegCount max_concurrent_sessions;
+ PegCount start_tls;
+ PegCount ssl_search_abandoned;
+ PegCount ssl_srch_abandoned_early;
 snort::MimeStats mime_stats;
 };