From: Steve Chew (stechew) Date: Tue, 14 Jul 2020 20:06:33 +0000 (+0000) Subject: Merge pull request #2324 in SNORT/snort3 from ~SBAIGAL/snort3:smtp_abandon to master X-Git-Tag: 3.0.2-2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab575cdfb52715cc32520a14a826fcc58402aa9b;p=thirdparty%2Fsnort3.git Merge pull request #2324 in SNORT/snort3 from ~SBAIGAL/snort3:smtp_abandon to master Squashed commit of the following: commit 9a6d342757678b9b98ebd106d13efdbe26fc1d90 Author: Steven Baigal (sbaigal) Date: Thu Jul 9 16:02:57 2020 -0400 smtp: generate SSL_SEARCH_ABANDONED event when no STARTTLS is detected
---
diff --git a/src/flow/flow.h b/src/flow/flow.h
index a2b31970c..9ba54d8b1 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -449,6 +449,7 @@ public: // FIXIT-M privatize if possible
         bool trigger_detained_packet_event : 1;
         bool trigger_finalize_event : 1;
         bool use_direct_inject : 1;
+        bool data_decrypted : 1; // indicate data in current flow is decrypted TLS application data
     } flags;
 
     FlowState flow_state;
diff --git a/src/framework/data_bus.h b/src/framework/data_bus.h
index 2e133674f..adf497a3c 100644
--- a/src/framework/data_bus.h
+++ b/src/framework/data_bus.h
@@ -136,6 +136,8 @@ private:
 #define FLOW_SERVICE_CHANGE_EVENT "flow.service_change_event"
 // A flow has found the service inspector
 #define SERVICE_INSPECTOR_CHANGE_EVENT "flow.service_inspector.changed"
+// search of SSL is abandoned on this flow
+#define SSL_SEARCH_ABANDONED "flow.ssl_search_abandoned"
 // A flow has entered the setup state
 #define FLOW_STATE_SETUP_EVENT "flow.state_setup"
 
diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc
index c2311cdaa..f8ed70462 100644
--- a/src/service_inspectors/smtp/smtp.cc
+++ b/src/service_inspectors/smtp/smtp.cc
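Review bot: Nothing in this commit writes `data_decrypted`, and the hunk does not show where the new bit is cleared when a Flow is set up or reused, yet the new check in smtp.cc (`!p->flow->flags.data_decrypted`) reads it on every 221/334/354 reply; if `flags` is not zeroed as a whole on the reset path, the SMTP abandon decision rests on a stale or indeterminate bit. Worth confirming that the existing flow reset covers the new member and naming, in the comment, which component is expected to set it, e.g. `bool data_decrypted : 1; // payload is decrypted TLS application data; set by the decrypting inspector, read by smtp before publishing SSL_SEARCH_ABANDONED`. The enclosing struct and class extend beyond the hunk on both sides.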
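Review bot: The new macro `SSL_SEARCH_ABANDONED` drops the `_EVENT` suffix that every neighbouring data-bus event name in this hunk carries (`FLOW_SERVICE_CHANGE_EVENT`, `SERVICE_INSPECTOR_CHANGE_EVENT`, `FLOW_STATE_SETUP_EVENT`); `SSL_SEARCH_ABANDONED_EVENT` would keep the list consistent and greppable, and the only publish site in this commit is the one in smtp.cc. The comment could also tell a subscriber what the event means for it, e.g. `// the publishing inspector has determined this flow will not turn into TLS; SSL search on it may stop`.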
@@ -1104,6 +1104,13 @@ static void SMTP_ProcessServerPacket(
         case RESP_221:
         case RESP_334:
         case RESP_354:
+            if ((smtp_ssn->state == STATE_DATA or smtp_ssn->state == STATE_BDATA)
+                and !p->flow->flags.data_decrypted
+                and !(smtp_ssn->state_flags & SMTP_FLAG_ABANDON_EVT))
+            {
+                smtp_ssn->state_flags |= SMTP_FLAG_ABANDON_EVT;
+                DataBus::publish(SSL_SEARCH_ABANDONED, p);
+            }
             break;
 
         case RESP_235:
diff --git a/src/service_inspectors/smtp/smtp.h b/src/service_inspectors/smtp/smtp.h
index e9a9a3439..1646a1638 100644
--- a/src/service_inspectors/smtp/smtp.h
+++ b/src/service_inspectors/smtp/smtp.h
@@ -66,6 +66,7 @@
 #define SMTP_FLAG_GOT_RCPT_CMD 0x00000002
 #define SMTP_FLAG_BDAT 0x00001000
 #define SMTP_FLAG_ABORT 0x00002000
+#define SMTP_FLAG_ABANDON_EVT 0x00010000
 
 // session flags
 #define SMTP_FLAG_XLINK2STATE_GOTFIRSTCHUNK 0x00000001
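Review bot: The abandon decision is one-shot per session: once `SMTP_FLAG_ABANDON_EVT` is set the condition can never fire again, so a STARTTLS negotiated later on the same connection, after a first plaintext transaction, would not re-arm SSL search unless the subscriber handles that on its own; worth confirming against the SSL inspector's behaviour, because the alternative is a detection gap on a flow that does become encrypted. The block also lacks a comment explaining why a 221/334/354 reply while in DATA/BDATA state, with `data_decrypted` clear, is taken as evidence that no STARTTLS will occur; something like `// a plaintext mail transaction is under way and the payload is not decrypted TLS, so STARTTLS is not coming: tell SSL search to stop` would help the next reader. SMTP_ProcessServerPacket and its switch extend beyond the hunk on both sides.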