diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc
index 1b6b4c53b6..01b6f1ad67 100644
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@@ -13,6 +13,7 @@
 #include "POP3.h"
 #include "Event.h"
 #include "Reporter.h"
+#include "analyzer/Manager.h"
 #include "analyzer/protocol/login/NVT.h"
 #include "events.bif.h"
@@ -41,15 +42,18 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn)
 waitingForAuthentication = false;
 requestForMultiLine = false;
 multiLine = false;
- backOff = false;
+ tls = false;
 lastRequiredCommand = 0;
 authLines = 0;
 mail = 0;
- AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true));
- AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false));
+ cl_orig = new tcp::ContentLine_Analyzer(conn, true);
+ AddSupportAnalyzer(cl_orig);
+
+ cl_resp = new tcp::ContentLine_Analyzer(conn, false);
+ AddSupportAnalyzer(cl_resp);
 }
 POP3_Analyzer::~POP3_Analyzer()
@@ -69,7 +73,13 @@ void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 {
 tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
- if ( (TCP() && TCP()->IsPartial()) || backOff )
+ if ( tls )
+ {
+ ForwardStream(len, data, orig);
+ return;
+ }
+
+ if ( (TCP() && TCP()->IsPartial()) )
 return;
 BroString terminated_string(data, len, 1);
@@ -717,8 +727,8 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 break;
 case STLS:
- backOff = true;
- POP3Event(pop3_terminate, false, "Terminating due to TLS");
+ tls = true;
+ StartTLS();
 return;
 case QUIT:
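Review bot: `cl_orig` and `cl_resp` are kept as bare pointers right after being handed to `AddSupportAnalyzer`, and nothing in the constructor hunk or in the new members of POP3.h (hunk `@@ -108,7 +110,9 @@`) says who owns them; a comment on the two members, e.g. `// Non-owning: the support-analyzer list owns these once added in the ctor.`, would stop a later maintainer from deleting them in the destructor. The destructor follows this hunk but its body is outside the hunk, so I could not confirm it leaves them alone. Presumably the framework disposes of a support analyzer after `RemoveSupportAnalyzer`, in which case both pointers dangle from `StartTLS()` on; resetting them to 0 there would make that state visible.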
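Review bot: The condition `if ( (TCP() && TCP()->IsPartial()) )` in `DeliverStream` keeps a redundant pair of parentheses left over from dropping `|| backOff`; `if ( TCP() && TCP()->IsPartial() )` reads cleaner. The new `tls` branch also deserves a one-line comment stating its intent, e.g. `// After a successful STLS the stream is TLS: hand it to the SSL child analyzer untouched.` The base-class `DeliverStream` call above the branch still runs for the forwarded data, which looks intended but is worth saying in that comment.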
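Review bot: Setting `tls = true` in the `STLS` case of `ProcessReply` is only correct if this switch is reached for a positive `+OK` reply; the enclosing branch starts outside the hunk, so I could not confirm that a `-ERR` response to STLS cannot land here. If it could, the analyzer would stop parsing a connection that stays in plaintext and would raise `pop3_starttls` for a handshake that never happened. A comment at the case, e.g. `// Server accepted STLS: everything after this reply is TLS.`, would record the assumption where it is relied upon.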
@@ -804,6 +814,22 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 }
 }
+void POP3_Analyzer::StartTLS()
+ {
+ // STARTTLS was succesful. Remove support analyzers, add SSL
+ // analyzer and throw event signifying the change.
+ RemoveSupportAnalyzer(cl_orig);
+ RemoveSupportAnalyzer(cl_resp);
+ Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+ if ( ssl )
+ AddChildAnalyzer(ssl);
+
+ val_list* vl = new val_list;
+ vl->append(BuildConnVal());
+
+ ConnectionEvent(pop3_starttls, vl);
+ }
+
 void POP3_Analyzer::AuthSuccessfull()
 {
 if ( user.size() )
diff --git a/src/analyzer/protocol/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h
index ab535420e5..12fcfc2e57 100644
--- a/src/analyzer/protocol/pop3/POP3.h
+++ b/src/analyzer/protocol/pop3/POP3.h
@@ -10,6 +10,7 @@
 #include
 #include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 #include "analyzer/protocol/login/NVT.h"
 #include "analyzer/protocol/mime/MIME.h"
@@ -97,6 +98,7 @@ protected:
 void BeginData();
 void ProcessData(int length, const char* line);
 void EndData();
+ void StartTLS();
 vector TokenizeLine(const string input, const char split);
 int ParseCmd(string cmd);
@@ -108,7 +110,9 @@ protected:
 list cmds;
 private:
- bool backOff;
+ bool tls;
+ tcp::ContentLine_Analyzer* cl_orig;
+ tcp::ContentLine_Analyzer* cl_resp;
 };
 } } // namespace analyzer::*
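Review bot: When `analyzer_mgr->InstantiateAnalyzer("SSL", Conn())` returns null, `StartTLS()` still raises `pop3_starttls` and the caller has already set `tls`, so from then on `DeliverStream` forwards the remaining stream to no child and the rest of the connection disappears without a trace; an `else` branch that reports it, e.g. `Weird("pop3_starttls_no_ssl_analyzer");` (name is a suggestion), would make the gap visible in the logs. The comment has a typo: `succesful` should read `successful`. `cl_orig` and `cl_resp` are left pointing at analyzers that have just been handed back to the framework; setting both to 0 after the two `RemoveSupportAnalyzer` calls avoids keeping stale pointers around. Bytes already buffered inside the removed ContentLine analyzers at this moment may never reach the SSL child; I could not verify from this hunk how `RemoveSupportAnalyzer` deals with pending data, so a comment stating the expectation would help.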
@@ -106,21 +106,14 @@ event pop3_unexpected%(c: connection, is_orig: bool,
 ##
 ## c: The connection.
 ##
-## is_orig: Always false.
-##
-## msg: A descriptive message why processing was stopped.
-##
 ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
 ## pop3_unexpected
 ##
-## .. note:: Currently, only the ``STARTLS`` command is recognized and
-## triggers this.
-##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
 ## been ported to Bro 2.x. To still enable this event, one needs to
 ## register a port for it or add a DPD payload signature.
-event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
+event pop3_starttls%(c: connection%);
 ## Generated for successful authentications on POP3 connections.
 ##
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log
new file mode 100644
index 0000000000..1eab1092ed
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log
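Review bot: Replacing `pop3_terminate` with `pop3_starttls` drops an event that existing scripts may handle, and the opening description of this doc block (above the hunk) still needs to describe the STARTTLS hand-over rather than a termination; the hunk only removes the `is_orig`/`msg` parameter docs and the old note. A replacement such as `## Generated when the POP3 server accepts the STLS command; the SSL analyzer takes over the connection from this point.` would match what the C++ side now does, assuming the reply branch that triggers it is the positive one. The `.. bro:see::` lists of the sibling POP3 events presumably still name `pop3_terminate` and should point at `pop3_starttls` instead.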
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2014-05-15-17-23-07
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string
+1400173552.424910 CXWv6p3arKYeMETxOg 192.168.4.149 54775 192.168.4.149 110 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - - - - T FEdAw24VSam39HNlY5 (empty) emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE - -
+#close 2014-05-15-17-23-07
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log
new file mode 100644
index 0000000000..18194ddb9f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path x509
+#open 2014-05-15-17-23-07
+#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
+#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
+1400173552.426860 FEdAw24VSam39HNlY5 3 01 emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE 1178385788.000000 1493745788.000000 rsaEncryption md5WithRSAEncryption rsa 2048 65537 - - - - - F -
+#close 2014-05-15-17-23-07
diff --git a/testing/btest/Traces/tls/pop3-starttls.pcap b/testing/btest/Traces/tls/pop3-starttls.pcap
new file mode 100644
index 0000000000..cd1b2a8bdf
Binary files /dev/null and b/testing/btest/Traces/tls/pop3-starttls.pcap differ
diff --git a/testing/btest/scripts/base/protocols/pop3/starttls.bro b/testing/btest/scripts/base/protocols/pop3/starttls.bro
new file mode 100644
index 0000000000..381e4769e8
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/pop3/starttls.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/pop3-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+
+@load base/protocols/conn
+@load base/protocols/ssl
+
+module POP3;
+
+const ports = {
+ 110/tcp
+};
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+ {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports);
+ }
+
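Review bot: The new starttls.bro test only diffs `ssl.log` and `x509.log`, so it shows that an SSL analyzer got attached but never checks that `pop3_starttls` itself is raised; a handler that prints the connection id, plus a diff of its output, would cover the new event directly. Something like `event pop3_starttls(c: connection) { print fmt("starttls %s", c$id); }` together with a `# @TEST-EXEC: btest-diff .stdout` line is enough. A one-line comment above `bro_init` noting that the POP3 analyzer is not enabled by default (as the todo in events.bif says) would explain why the test registers port 110 by hand.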