From 388b8f92ec29e65a81cc577714bee73a5ae5a31d Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Thu, 15 May 2014 10:25:21 -0700 Subject: [PATCH] add starttls support for pop3 --- src/analyzer/protocol/pop3/POP3.cc | 38 +++++++++++++++--- src/analyzer/protocol/pop3/POP3.h | 6 ++- src/analyzer/protocol/pop3/events.bif | 9 +---- .../ssl.log | 10 +++++ .../x509.log | 10 +++++ testing/btest/Traces/tls/pop3-starttls.pcap | Bin 0 -> 5841 bytes .../scripts/base/protocols/pop3/starttls.bro | 20 +++++++++ 7 files changed, 78 insertions(+), 15 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log create mode 100644 testing/btest/Traces/tls/pop3-starttls.pcap create mode 100644 testing/btest/scripts/base/protocols/pop3/starttls.bro diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc index 1b6b4c53b6..01b6f1ad67 100644 --- a/src/analyzer/protocol/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -13,6 +13,7 @@ #include "POP3.h" #include "Event.h" #include "Reporter.h" +#include "analyzer/Manager.h" #include "analyzer/protocol/login/NVT.h" #include "events.bif.h" @@ -41,15 +42,18 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn) waitingForAuthentication = false; requestForMultiLine = false; multiLine = false; - backOff = false; + tls = false; lastRequiredCommand = 0; authLines = 0; mail = 0; - AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true)); - AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false)); + cl_orig = new tcp::ContentLine_Analyzer(conn, true); + AddSupportAnalyzer(cl_orig); + + cl_resp = new tcp::ContentLine_Analyzer(conn, false); + AddSupportAnalyzer(cl_resp); } POP3_Analyzer::~POP3_Analyzer() 
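Review bot: The new `cl_orig`/`cl_resp` members hold raw pointers to objects whose ownership passes to the analyzer tree on `AddSupportAnalyzer()`, and nothing in the constructor says so; once a later `RemoveSupportAnalyzer()` is applied to them the fields point at analyzers this class no longer controls. Suggest a comment above the two assignments: `// Non-owning: the support analyzers belong to the analyzer tree once added; kept only so StartTLS() can remove them.` The constructor's opening lines are outside the hunk, and clearing the pointers after removal is a question for StartTLS() rather than here.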
@@ -69,7 +73,13 @@ void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); - if ( (TCP() && TCP()->IsPartial()) || backOff ) + if ( tls ) + { + ForwardStream(len, data, orig); + return; + } + + if ( (TCP() && TCP()->IsPartial()) ) return; BroString terminated_string(data, len, 1); @@ -717,8 +727,8 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) break; case STLS: - backOff = true; - POP3Event(pop3_terminate, false, "Terminating due to TLS"); + tls = true; + StartTLS(); return; case QUIT: @@ -804,6 +814,22 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) } } +void POP3_Analyzer::StartTLS() + { + // STARTTLS was succesful. Remove support analyzers, add SSL + // analyzer and throw event signifying the change. + RemoveSupportAnalyzer(cl_orig); + RemoveSupportAnalyzer(cl_resp); + Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); + if ( ssl ) + AddChildAnalyzer(ssl); + + val_list* vl = new val_list; + vl->append(BuildConnVal()); + + ConnectionEvent(pop3_starttls, vl); + } + void POP3_Analyzer::AuthSuccessfull() { if ( user.size() ) diff --git a/src/analyzer/protocol/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h index ab535420e5..12fcfc2e57 100644 --- a/src/analyzer/protocol/pop3/POP3.h +++ b/src/analyzer/protocol/pop3/POP3.h @@ -10,6 +10,7 @@ #include #include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/tcp/ContentLine.h" #include "analyzer/protocol/login/NVT.h" #include "analyzer/protocol/mime/MIME.h" @@ -97,6 +98,7 @@ protected: void BeginData(); void ProcessData(int length, const char* line); void EndData(); + void StartTLS(); vector TokenizeLine(const string input, const char split); int ParseCmd(string cmd); @@ -108,7 +110,9 @@ protected: list cmds; private: - bool backOff; + bool tls; + tcp::ContentLine_Analyzer* cl_orig; + tcp::ContentLine_Analyzer* cl_resp; }; } } // namespace analyzer::* 
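Review bot: `if ( (TCP() && TCP()->IsPartial()) )` keeps a redundant pair of parentheses left behind when `|| backOff` was removed; `if ( TCP() && TCP()->IsPartial() )` reads as intended. The new early-forward branch also deserves a line saying why line parsing stops here: `// Server accepted STLS: the payload is TLS from now on, hand it to the SSL child untouched.` Originator bytes that arrive before the server's +OK are still parsed as POP3 lines, which is presumably intended but worth stating in that comment. The rest of DeliverStream lies outside the hunk.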
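Review bot: `tls` is set to true at the STLS case before `StartTLS()` runs and stays true when `analyzer_mgr->InstantiateAnalyzer("SSL", Conn())` returns null, so from then on every byte is forwarded to no child and `pop3_starttls` is still raised although nothing inspects the TLS stream; the null branch should at least record the gap, e.g. `else Weird("pop3_starttls_no_ssl_analyzer");` (the name is a suggestion; use whichever reporting path this analyzer tree already relies on). `cl_orig` and `cl_resp` are also not cleared after the two `RemoveSupportAnalyzer()` calls; whether removal frees them immediately is not visible here, but `cl_orig = cl_resp = 0;` right after them keeps a stale pointer from being reachable by later code such as the destructor. The comment has a typo, `succesful` should be `successful`.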
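Review bot: `void StartTLS();` is added to the protected interface without a comment, and the same applies to the new private members in the POP3.h hunk that follows. Suggest `// Called once the server accepted STLS: removes the line-oriented support analyzers and attaches an SSL child analyzer.` above the declaration, `// True after a successful STLS; all further payload is forwarded to the SSL child.` for `tls`, and `// Non-owning: owned by the analyzer tree after AddSupportAnalyzer(); kept so StartTLS() can remove them.` for `cl_orig`/`cl_resp`. The class declaration starts outside both hunks.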
diff --git a/src/analyzer/protocol/pop3/events.bif b/src/analyzer/protocol/pop3/events.bif
index 7692c61f6b..970ae0186c 100644
--- a/src/analyzer/protocol/pop3/events.bif
+++ b/src/analyzer/protocol/pop3/events.bif
@@ -106,21 +106,14 @@ event pop3_unexpected%(c: connection, is_orig: bool,
 ##
 ## c: The connection.
 ##
-## is_orig: Always false.
-##
-## msg: A descriptive message why processing was stopped.
-##
 ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
 ## pop3_unexpected
 ##
-## .. note:: Currently, only the ``STARTLS`` command is recognized and
-## triggers this.
-##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
 ## been ported to Bro 2.x. To still enable this event, one needs to
 ## register a port for it or add a DPD payload signature.
-event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
+event pop3_starttls%(c: connection%);
 
 ## Generated for successful authentications on POP3 connections.
 ##
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log
new file mode 100644
index 0000000000..1eab1092ed
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log
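Review bot: `pop3_terminate` is deleted outright rather than kept alongside the new `pop3_starttls`, so any site script with a `pop3_terminate` handler will presumably fail to load after this change; if that is acceptable it belongs in the commit message or a changelog entry. The docstring that survives above `event pop3_starttls` still describes the old event — its summary line is outside the hunk and should be checked — and nothing tells a script author what the new event means. Suggest a summary such as `## Generated when a POP3 server accepted the STLS command. The connection switches to TLS from here on and the SSL analyzer takes over, so this is the last point at which the plaintext POP3 exchange is visible to scripts.`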
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2014-05-15-17-23-07 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string +1400173552.424910 CXWv6p3arKYeMETxOg 192.168.4.149 54775 192.168.4.149 110 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - - - - T FEdAw24VSam39HNlY5 (empty) emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE - - +#close 2014-05-15-17-23-07 diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log new file mode 100644 index 0000000000..18194ddb9f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2014-05-15-17-23-07 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1400173552.426860 FEdAw24VSam39HNlY5 3 01 emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE 1178385788.000000 1493745788.000000 rsaEncryption md5WithRSAEncryption rsa 2048 65537 - - - - - F - +#close 2014-05-15-17-23-07 
diff --git a/testing/btest/Traces/tls/pop3-starttls.pcap b/testing/btest/Traces/tls/pop3-starttls.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cd1b2a8bdf5b95e55f8a9855ebd2217a09bdbf69 GIT binary patch literal 5841 zcmdUzc{r47AII-mZ4Jf@rYI9RBFi(wL}bZwqNwDc#ZlJmc{Nn1>}5$(T9mRREkcAA zCr@ZmA+(XwMmd%`giez8ei&us^}g?a?>pCZU)Ma(+|TF!{=UE8eP6$49#$4+-~kbg ze?~^ezJ2WD+H`Iu153)5CNb=(0{qBG+yyw7 zX!sOIAP{jlL1F#(=Xs&*5oH!?gV?&ck3b$bwq1!P9f{ z!2D@A429S6Gx+r^Sh<|(W1Bx&f`Ufa^ zvW0WQ_$B|a&{`0N-ZGVij1V#~fMH{U7rHJhbQ%r=a&q`XxB1P|W=xd^q)k@kn8HsR zONg}~Oo-IKN{AWc*h59w;Hk1{S~?8}CL|8!SA`|S*lm-i9}~)B`nhe|%=L8QdT#b( z`fc7iCf9Zfxoe&Im*JTxWtn8H1m!kQWnwMl=tG^@7?X=%bbaeI9EL)3!s+jFKVbDN zMZn*=cDsb zIx39HqjO>Do&?^&3oL^E?*Y3}HmZ)QpueDEC<&wieZT=xs01pA%Aztr3eZprN&v#B z2D$)MLKRRNDul|Rb3i6I0X6|6pb6L@6&!^Jh$+fK)lg+r5fw#=;5b+eG{7OS1PGv1 zQ~;fU;sFUBMv_1R2mv~v0zp6q1Tcb!k+6XXAQAu!OBiTDpeUe#neg5Wz<`s5p$zHK z=>qUUNeCf92n||*hX64k4q*x~{S?3ibI3R{o=hO&NO%%FrHFVUfq*062?RV2kH=%P zaX5&$0jK|ef3Th1HbqftNbwgFZx1QenLU$%MOiVSD6wMtfN^{x$sj}!jE=FQ6xkqFWmB!ZBXKAJZi4xx~RRAS6y1}Qik zkpz(NaFz%nL?+l0$uzvF8A}XKfENNZvQ?m;r;7)Riilx1glU47o<2@n-F&z#IwFDH z5}}EV-(s398J|d)Fi{av_`aGDPD;vu^A@hJ(-y859fnH@(eC`MN$;T4meZi$-^8RRNtUZn@5?w#&{r*q$lApnp+Z zO4ry^GoSr6J-0DT)yLKY)>dGDZ9zo7<(1BBZI-{ zEl|Hct3h6((lD_x+1!siM9SRPwWtvdNYmF~dz34mON;fLdn<6}pB=wGB`&22OC2EW z)Qa$1KUmeSAvv?~Pr-~PRK8=mB#H86^S!?_2J*@8rAe3Pm!D5e30GZ)I8Z$guG0u# zuD<$H>G1Ai{ooL!uP0k;*#2t>o&c*cD*`769g!I=tl2ao9svlIEVMDk92fK17#1Fp zfF~Pa#W8-1LX?uC|EMOn0IsLIr;8KU4Vev-Hd~Y^MWm}ZbgdLVmbfM-tiGbO#X0W5 zOdUleyafAQff$~Lgr5(ir(OMO`pE;e2#~CL*=!~+<;PMzoe{qKRCv_?LZwFtfg*X` zXcbhte_|2AeMpFar*}|>kU`EzrHThti-o@J*!jwz)aK}*FVge+iD+x$@}hjDHKsS3 z2C~iy?|tq&xcJ_66Wxv-+2;OlovCYAJO2K$Hg4$lUw3Si|9)wxxWsp%7R@m0@nRxH99fw??R=|@`&uA)H8452H7f9-J=?yLA{>dXsds|x~<%urq=T0l5T@`*gaL% zp#85-ic%kk{OZ)#6irn1nPGaey<|pRN!3~Fl`DjmHOl?1KQlM_g_@?9RU7I_>&Rz( zz8k1)b1@LznPGVBMuVTbvu5`m^3l9-w6Uz#`pG@F%5s0>4ypBX zl7-CWqK>a0_`U73{K9W5YLHdb9KE9DxBswLv1!)br?!2z;#Nl$o$8U=JXy^|9RjXv 
z-$Zk3ulK)N^emW-YLnf&$Gg3X1uVw=Wei}G%pej6S{NzoPWjTmg?4v zWtB+&sgTgL%Y>Egi|clNO)}E3vR>O`Bg=d>p!cP%Cf?&}e`sT!%c}y{Zp%GS3a&(u z=3T&Fd1MlmxmoeWbSKplh#u#qssEt}uHWT^!`> zxbxO0OXH5y+TGqFBMv2>$feyqI^IL;Vozr0ot#GvT`t#dG2h*~tKBAid|j-A2(!wx zwWDUvyi&*2s(P=o^(K{}O<0t(fUZ5`zG?jZ^tz@@(`V8}eT6rJjQ2&!cv;x*RjhBw z+7?}RCa_~w!SF`q7DGSTw3I@QPFO zg?3fQsf)|1Z=dS63l2`I_+Zf7?$+XXgbdHq+&9n7gJ|=H=cQ3)*5&tZ3!C#-{_9-9 z!C;onLbo>sed_FRYX09{pI)TjDeLRcGwQZSx-&Z3Yb9zUlE3PiI`$a*&*g0W>y^TJ zt5uKAT<*~ek*Qu#^#XCQTb`bqEvoS>ic4=X~F5eWp)Z?CV#j1n$2Q#FFcpVUhjXyE@wU`ZcbPn?&+Q ziQVo^v#fT>EaR+}7x&uUZ(xM?dQlqGKBvgGc-v#F8$c)k%*UEAywSgH%V5Vh_6`{j zTan4H1sc2gTamFo`@Tn}*3#ev*dx<$7z(!W z-0v+-FUG-w5D)>d#{>ZT9wQDw1PH5X9ZEiMX|b123tdh0m}+!M$jr^dPjB4q&t4o9 zJhCrMP%U)883Ht!x7vQ~k#BL$I%Em9)Q<@!xrzba-J2JYDZu!;_) zj5bVw^-!6;arUjAn!~e@)T5m%4k~LKHL44qQ9En&puOoI)(`cqmiSAS9cpw4jw^He z{S8p1`1dU_rqejvbEE27z&r- z6TVyAhjB1l&k+GQ4RF?BAl+C0i=P~KVE)nl0fNbF(G^Qv*7$jUdn~j3y0)&X(qL!W z$0}R3fu{sJ70>2brKv646W(`2%fH=Ety`_7W%o@w#=@f}&%{oWaW2P_)AuqjSt&VI zSub+O=~K=s=ihx3o)>VZSb8XX^@gG$Il3_=R=0*}yGFpGD$vLN!mgt)zmgMou1{N# z@f&?^M%$Gc;qG;w?sCoPR+2CG-pj8V}zR}8G=+)xPB-44dfx-_;LfXuP?}S?G zw`+Y%02H3permYs)|O}4(flixC4b@x~%t+R#JFP&gL zW?5e^#u`yQNz+wKSX*dkXsUEk!$Oq#{L+cfI1yn0vF5ZwFT!LO>T$t(X z-LTqslZg3_?*6OC9@}H<-G%E-)*Ttkzus8Mth22%Yr$UD3xDXw)+_SCILl&4AP8#4 z22Xc@h0Qb^2IRC()LrC*>0ZQhe}8xmE;9A*5)-Cf=c0i^wd_>Gx4H>Nd!_Gw45B$y ziT{%A>NM;}U$l}nYs7JRQ{|rhn2JMC#pG!89`LIe%R&o$mtS`PMq@HnG~OMQpRy2F zGYy9UIp4ETybp6_VixMcA}@-`zHPE|*87;gtB3QaRn5BLyrwmF0qSf_HwxFAtowv4 z|9ZSE9DrFcfV%U4=*HG7-iLAWyMER^t8E$%19JFu7w;R@&C5cv&DCeN&(tN$ZGy=e zHEh|DOJx7nwnG9sF?CVcdVO%c$+}rf_}An4Z2a7SQ+w=33ekL2g@ z>0v;BZjJAX;!%zy+!ajTZhr8`Z{Z0s=^2Z5^m`N95Be0f+bJ(AVh_R?&(esZ)^K*E~D1%eLDtOArr2v3wSUttFPwW5vv;PEV CitM2P literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/pop3/starttls.bro b/testing/btest/scripts/base/protocols/pop3/starttls.bro new file mode 100644 index 0000000000..381e4769e8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/pop3/starttls.bro 
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/pop3-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+
+@load base/protocols/conn
+@load base/protocols/ssl
+
+module POP3;
+
+const ports = {
+ 110/tcp
+};
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+ {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports);
+ }
+
+
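Review bot: The test only diffs `ssl.log` and `x509.log`, so the `pop3_starttls` event this patch introduces is never observed; the baselines would pass just as well if the SSL analyzer were attached but the event never fired. Adding `event pop3_starttls(c: connection) { print "pop3_starttls", c$id; }` together with `# @TEST-EXEC: btest-diff .stdout` pins the event and its timing relative to the SSL handshake. The file also ends with two empty lines.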