#define APPID_SESSION_OPPORTUNISTIC_TLS (1ULL << 44)
#define APPID_SESSION_FIRST_PKT_CACHE_MATCHED (1ULL << 45)
#define APPID_SESSION_DO_NOT_DECRYPT (1ULL << 46)
-#define APPID_SESSION_WAIT_FOR_EXTERNAL (1ULL << 47)
+#define APPID_SESSION_WAIT_FOR_EXTERNAL (1ULL << 47)
#define APPID_SESSION_IGNORE_ID_FLAGS \
(APPID_SESSION_FUTURE_FLOW | \
APPID_SESSION_NOT_A_SERVICE | \
APPID_SESSION_NO_TPI | \
APPID_SESSION_SERVICE_DETECTED | \
APPID_SESSION_PORT_SERVICE_DONE)
-const uint64_t APPID_SESSION_ALL_FLAGS = 0xFFFFFFFFFFFFFFFFULL;
+
+#define APPID_SESSION_ALL_FLAGS 0xFFFFFFFFFFFFFFFFULL
class SO_PUBLIC AppIdSessionApi : public StashGenericObject
{
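Review bot: `APPID_SESSION_ALL_FLAGS` changes from a typed `const uint64_t` to an untyped macro in a header that declares an `SO_PUBLIC` class, so the name becomes visible to the preprocessor in every file that includes it. If the goal is only consistency with the other `APPID_SESSION_*` macros, the commit message should say so. Otherwise `constexpr uint64_t APPID_SESSION_ALL_FLAGS = 0xFFFFFFFFFFFFFFFFULL;` keeps the type and the scoping. The rewritten `APPID_SESSION_WAIT_FOR_EXTERNAL` line appears to be a whitespace-only change.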
static const unsigned IMAP_TAG_MAX_LEN = 6;
static const unsigned MIN_CMDS = 3;
+#define SSL_WAIT_PACKETS 8
+
static const char NO_LOGIN[] = " Login failed.";
static const uint8_t CAPA[] = "CAPABILITY\x00d\x00a";
int detected;
int got_user;
int auth;
+ int decryption_countdown;
char username[IMAP_USER_NAME_MAX_LEN+1];
char imapCmdTag[IMAP_TAG_MAX_LEN+1];
};
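Review bot: `decryption_countdown` is added without an initializer, and the new client-side check reads it (`if (fd->decryption_countdown > 0)`) whenever the session is flagged encrypted but not decrypted. Whether that can happen before the service path has assigned the field is not determinable from these lines. The construction of the detector data is also outside this hunk, so please confirm that the allocation zero-initialises `ImapClientData`. If it does not, set `decryption_countdown = 0` where the detector data is created. The struct body starts outside the visible lines.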
if (dd->client.state == IMAP_CLIENT_STATE_STARTTLS_CMD)
{
if (id->flags & IMAP_FLAG_RESULT_OK)
- {
- // FIXIT-L - this may be called from server side
- detector->add_app(asd, APP_ID_IMAPS, APP_ID_IMAPS, nullptr, change_bits);
asd.clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
- }
else
dd->client.state = IMAP_CLIENT_STATE_NON_AUTH;
}
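Review bot: With the `add_app(..., APP_ID_IMAPS, ...)` call removed, a successful STARTTLS response no longer records the client app here. The only remaining place that does is the countdown branch in the client validate path, which depends on the service validate path having armed `decryption_countdown` and set `APPID_SESSION_ENCRYPTED`. If the service path can miss the STARTTLS `OK` (not determinable from these lines), the flow would keep its IMAP label, so this is worth confirming with a test. A comment such as `// IMAPS client app is added later by the decryption countdown` on the remaining `clear_session_flags` line would explain the removal. The enclosing function starts outside the hunk.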
ImapDetectorData* dd = get_common_data(args.asd);
ImapClientData* fd = &dd->client;
+ // encrypted session without decryption - use countdown fallback (matches SMTP)
+ if (args.asd.get_session_flags(APPID_SESSION_ENCRYPTED | APPID_SESSION_DECRYPTED) == APPID_SESSION_ENCRYPTED)
+ {
+ if (fd->decryption_countdown > 0)
+ {
+ fd->decryption_countdown--;
+ if (!fd->decryption_countdown)
+ {
+ add_app(args.asd, APP_ID_IMAPS, APP_ID_IMAPS, nullptr, args.change_bits);
+ dd->need_continue = 0;
+ args.asd.clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ return APPID_SUCCESS;
+ }
+ }
+ return APPID_INPROCESS;
+ }
+
if (args.dir == APP_ID_FROM_RESPONDER)
{
if (imap_server_validate(dd, args.data, args.size, args.asd, args.change_bits, this))
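Review bot: When the session is encrypted but not decrypted and `decryption_countdown` is 0, the new block reaches `return APPID_INPROCESS;` on every call, so the client detector never parses or completes for that flow. That state is reachable if `APPID_SESSION_ENCRYPTED` can be set by anything other than the STARTTLS branch in this file, which is not visible here. Either gate the early return on the countdown having been armed, or add a comment stating that only the STARTTLS path sets the flag for IMAP flows. The block also runs before the `args.dir` check, so packets in both directions consume the countdown; `// counts packets in either direction` would make that explicit. The function starts and ends outside the hunk.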
{
if ((id->flags & IMAP_FLAG_RESULT_OK) &&
dd->client.state == IMAP_CLIENT_STATE_STARTTLS_CMD)
+ {
+ if (args.asd.get_session_flags(APPID_SESSION_OPPORTUNISTIC_TLS))
+ dd->client.decryption_countdown = SSL_WAIT_PACKETS;
+ else
+ dd->client.decryption_countdown = 1;
+
+ args.asd.set_session_flags(APPID_SESSION_ENCRYPTED);
+
return add_service(args.change_bits, args.asd, args.pkt, args.dir, APP_ID_IMAPS);
+ }
if (id->count >= IMAP_COUNT_THRESHOLD && !args.asd.is_service_detected())
return add_service(args.change_bits, args.asd, args.pkt, args.dir, APP_ID_IMAP);
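Review bot: `APPID_SESSION_ENCRYPTED` is set as soon as the server's `OK` to STARTTLS is parsed, which is a plaintext response. From then on the client path stops parsing and reports IMAPS after a packet count. Nothing in the visible lines confirms that a TLS handshake follows, so the resulting label rests on an assumption that should be documented, e.g. `// STARTTLS accepted: assume the rest of the flow is TLS; not verified here`. The literal `1` in the non-opportunistic branch would read better as a named constant next to `SSL_WAIT_PACKETS`. The enclosing function continues outside the hunk.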
fp->set_payload_id(asd.get_payload_id());
fp->set_service_id(APP_ID_RTP, odp_ctxt);
- // FIXIT-M : snort 2.9.x updated the flag to APPID_SESSION_EXPECTED_EVALUATE.
- // Check if it is needed here as well.
- // asd.initialize_future_session(*fp, APPID_SESSION_EXPECTED_EVALUATE);
-
asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS);
}
fp2->set_payload_id(asd.get_payload_id());
fp2->set_service_id(APP_ID_RTCP, odp_ctxt);
- // FIXIT-M : same comment as above
- // asd.initialize_future_session(*fp2, APPID_SESSION_EXPECTED_EVALUATE);
-
asd.initialize_future_session(*fp2, APPID_SESSION_IGNORE_ID_FLAGS);
}
}
* prefix_len - The number of characters that are the prefix to the version,
* including the NUL terminating character.
*/
-// FIXIT-M - refactor this to reduce the number of function parameters
int SmtpClientDetector::extract_version_and_add_client_app(
AppId clientId, const int prefix_len, const uint8_t* product, const uint8_t* product_end,
ClientSMTPData* const client_data, AppIdSession& asd, AppId appId,