From 4a5737708c7423a0d4cefe37d196864519efb32e Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Wed, 22 Jul 2015 10:35:49 -0700 Subject: [PATCH] Basic IMAP StartTLS analyzer. Parses certificates out of imap connections using StartTLS. Aborts processing if StartTLS is not found. --- scripts/base/init-default.bro | 1 + scripts/base/protocols/imap/README | 5 + scripts/base/protocols/imap/__load__.bro | 2 + scripts/base/protocols/imap/main.bro | 11 +++ src/analyzer/protocol/CMakeLists.txt | 1 + src/analyzer/protocol/imap/CMakeLists.txt | 11 +++ src/analyzer/protocol/imap/IMAP.cc | 86 ++++++++++++++++++ src/analyzer/protocol/imap/IMAP.h | 38 ++++++++ src/analyzer/protocol/imap/Plugin.cc | 26 ++++++ src/analyzer/protocol/imap/imap-analyzer.pac | 57 ++++++++++++ src/analyzer/protocol/imap/imap-protocol.pac | 17 ++++ src/analyzer/protocol/imap/imap.pac | 35 +++++++ .../conn.log | 10 ++ .../ssl.log | 10 ++ .../x509.log | 12 +++ testing/btest/Traces/tls/imap-starttls.pcap | Bin 0 -> 8511 bytes .../scripts/base/protocols/imap/starttls.test | 9 ++ 17 files changed, 331 insertions(+) create mode 100644 scripts/base/protocols/imap/README create mode 100644 scripts/base/protocols/imap/__load__.bro create mode 100644 scripts/base/protocols/imap/main.bro create mode 100644 src/analyzer/protocol/imap/CMakeLists.txt create mode 100644 src/analyzer/protocol/imap/IMAP.cc create mode 100644 src/analyzer/protocol/imap/IMAP.h create mode 100644 src/analyzer/protocol/imap/Plugin.cc create mode 100644 src/analyzer/protocol/imap/imap-analyzer.pac create mode 100644 src/analyzer/protocol/imap/imap-protocol.pac create mode 100644 src/analyzer/protocol/imap/imap.pac create mode 100644 testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log create mode 100644 testing/btest/Traces/tls/imap-starttls.pcap create mode 100644 testing/btest/scripts/base/protocols/imap/starttls.test 
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 473d94fc84..58d2b4b2b9 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -44,6 +44,7 @@
 @load base/protocols/dns
 @load base/protocols/ftp
 @load base/protocols/http
+@load base/protocols/imap
 @load base/protocols/irc
 @load base/protocols/krb
 @load base/protocols/modbus
diff --git a/scripts/base/protocols/imap/README b/scripts/base/protocols/imap/README
new file mode 100644
index 0000000000..ba96748489
--- /dev/null
+++ b/scripts/base/protocols/imap/README
@@ -0,0 +1,5 @@
+Support for the Internet Message Access Protocol (IMAP).
+
+Note that currently the IMAP analyzer only supports analyzing IMAP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+mails from IMAP sessions, only X509 certificates.
diff --git a/scripts/base/protocols/imap/__load__.bro b/scripts/base/protocols/imap/__load__.bro
new file mode 100644
index 0000000000..aa3a41ef5e
--- /dev/null
+++ b/scripts/base/protocols/imap/__load__.bro
@@ -0,0 +1,2 @@
+@load ./main
+
diff --git a/scripts/base/protocols/imap/main.bro b/scripts/base/protocols/imap/main.bro
new file mode 100644
index 0000000000..9f0305c80c
--- /dev/null
+++ b/scripts/base/protocols/imap/main.bro
@@ -0,0 +1,11 @@
+
+module IMAP;
+
+const ports = { 143/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+ {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports);
+ }
+
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 467fce83ee..9e824d42d2 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -16,6 +16,7 @@ add_subdirectory(gtpv1)
 add_subdirectory(http)
 add_subdirectory(icmp)
 add_subdirectory(ident)
+add_subdirectory(imap)
 add_subdirectory(interconn)
 add_subdirectory(irc)
 add_subdirectory(krb)
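Review bot: main.bro hands the analyzer to `Analyzer::register_for_ports` for `143/tcp` only, and the diffstat shows no DPD signature in this commit, so an IMAP session on any other port is never given to this analyzer and its StartTLS certificates are not extracted. If that is the intended scope of a first version, a one-line comment above `const ports = { 143/tcp };` would save the next reader the search, e.g. `# Only the standard port is registered; there is no DPD signature for IMAP yet.`. Otherwise a signature keyed on the server's `* OK` greeting, which the .pac code already treats as confirmation, would let the dpd framework attach the analyzer regardless of port.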
diff --git a/src/analyzer/protocol/imap/CMakeLists.txt b/src/analyzer/protocol/imap/CMakeLists.txt
new file mode 100644
index 0000000000..755221b25a
--- /dev/null
+++ b/src/analyzer/protocol/imap/CMakeLists.txt
@@ -0,0 +1,11 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro IMAP)
+bro_plugin_cc(Plugin.cc)
+bro_plugin_cc(IMAP.cc)
+bro_plugin_pac(imap.pac imap-analyzer.pac imap-protocol.pac)
+bro_plugin_end()
+
diff --git a/src/analyzer/protocol/imap/IMAP.cc b/src/analyzer/protocol/imap/IMAP.cc
new file mode 100644
index 0000000000..ad38d598ac
--- /dev/null
+++ b/src/analyzer/protocol/imap/IMAP.cc
@@ -0,0 +1,86 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IMAP.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+#include "analyzer/Manager.h"
+
+using namespace analyzer::imap;
+
+IMAP_Analyzer::IMAP_Analyzer(Connection* conn)
+ : tcp::TCP_ApplicationAnalyzer("IMAP", conn)
+ {
+ interp = new binpac::IMAP::IMAP_Conn(this);
+ had_gap = false;
+ tls_active = false;
+ }
+
+IMAP_Analyzer::~IMAP_Analyzer()
+ {
+ delete interp;
+ }
+
+void IMAP_Analyzer::Done()
+ {
+ tcp::TCP_ApplicationAnalyzer::Done();
+
+ interp->FlowEOF(true);
+ interp->FlowEOF(false);
+ }
+
+void IMAP_Analyzer::EndpointEOF(bool is_orig)
+ {
+ tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+ interp->FlowEOF(is_orig);
+ }
+
+void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+ {
+ tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+ if ( tls_active )
+ {
+ // If TLS has been initiated, forward to child and abort further
+ // processing
+ ForwardStream(len, data, orig);
+ return;
+ }
+
+ assert(TCP());
+ if ( TCP()->IsPartial() )
+ return;
+
+ if ( had_gap )
+ // If only one side had a content gap, we could still try to
+ // deliver data to the other side if the script layer can
+ // handle this.
+ return;
+
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
+ }
+
+void IMAP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
+ {
+ tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+ had_gap = true;
+ interp->NewGap(orig, len);
+ }
+
+void IMAP_Analyzer::StartTLS()
+ {
+ // StartTLS was called. This means we saw a client starttls followed
+ // by a server proceed. From here on, everything should be a binary
+ // TLS datastream.
+
+ tls_active = true;
+
+ Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+ if ( ssl )
+ AddChildAnalyzer(ssl);
+ }
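Review bot: In `StartTLS()` the `tls_active` flag is set before the result of `analyzer_mgr->InstantiateAnalyzer("SSL", Conn())` is checked, so when no SSL analyzer can be instantiated every later segment goes through `ForwardStream` in `DeliverStream` with no child attached and the rest of the connection silently disappears from analysis. Leaving the flag set is still correct, since the stream is TLS from here on and the IMAP parser must not see it, but the failure should be visible: replacing the plain `if ( ssl )` with `if ( ssl ) AddChildAnalyzer(ssl); else reporter->Weird(Conn(), "IMAP: could not instantiate SSL analyzer");` (the same reporter call imap-analyzer.pac already uses; IMAP.cc would need the matching include) keeps the drop auditable. A second, smaller point: the body comment in `StartTLS()` explains the protocol state but nothing in this file says that the analyzer is deliberately StartTLS-only, so a line under the copyright header such as `// IMAP analyzer that parses only far enough to detect STARTTLS and then hands the stream to an SSL child analyzer.` would match the README's description.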
diff --git a/src/analyzer/protocol/imap/IMAP.h b/src/analyzer/protocol/imap/IMAP.h
new file mode 100644
index 0000000000..a1f59e5010
--- /dev/null
+++ b/src/analyzer/protocol/imap/IMAP.h
@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ANALYZER_PROTOCOL_IMAP_IMAP_H
+#define ANALYZER_PROTOCOL_IMAP_IMAP_H
+
+#include "analyzer/protocol/tcp/TCP.h"
+
+#include "imap_pac.h"
+
+namespace analyzer { namespace imap {
+
+class IMAP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+public:
+ IMAP_Analyzer(Connection* conn);
+ virtual ~IMAP_Analyzer();
+
+ virtual void Done();
+ virtual void DeliverStream(int len, const u_char* data, bool orig);
+ virtual void Undelivered(uint64 seq, int len, bool orig);
+
+ // Overriden from tcp::TCP_ApplicationAnalyzer.
+ virtual void EndpointEOF(bool is_orig);
+
+ void StartTLS();
+
+ static analyzer::Analyzer* Instantiate(Connection* conn)
+ { return new IMAP_Analyzer(conn); }
+
+protected:
+ binpac::IMAP::IMAP_Conn* interp;
+ bool had_gap;
+
+ bool tls_active;
+};
+
+} } // namespace analyzer::*
+
+#endif /* ANALYZER_PROTOCOL_IMAP_IMAP_H */
diff --git a/src/analyzer/protocol/imap/Plugin.cc b/src/analyzer/protocol/imap/Plugin.cc
new file mode 100644
index 0000000000..8660879bc3
--- /dev/null
+++ b/src/analyzer/protocol/imap/Plugin.cc
@@ -0,0 +1,26 @@
+// See the file in the main distribution directory for copyright.
+
+
+#include "plugin/Plugin.h"
+
+#include "IMAP.h"
+
+namespace plugin {
+namespace Bro_IMAP {
+
+class Plugin : public plugin::Plugin {
+public:
+ plugin::Configuration Configure()
+ {
+ AddComponent(new ::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate));
+
+
+ plugin::Configuration config;
+ config.name = "Bro::IMAP";
+ config.description = "IMAP analyzer StartTLS only";
+ return config;
+ }
+} plugin;
+
+}
+}
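Review bot: `StartTLS()`, `had_gap` and `tls_active` in IMAP.h carry no documentation although they are the whole contract between the binpac layer and the analyzer. From IMAP.cc and imap-analyzer.pac, `StartTLS()` is what the .pac code calls once the client's STARTTLS tag is answered with a tagged OK, and `tls_active` then makes `DeliverStream` hand everything to the SSL child; a comment such as `// Called from the binpac layer once the client's STARTTLS got a tagged OK; attaches an SSL child analyzer and forwards the remaining stream to it.` above `void StartTLS();`, plus `// Set by StartTLS(); while true, DeliverStream() only forwards to the child.` on `tls_active`, would capture that. The existing `// Overriden from tcp::TCP_ApplicationAnalyzer.` has a typo (`Overridden`), and it applies equally to `Done`, `DeliverStream` and `Undelivered` above it, which also override base methods in IMAP.cc.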
diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac
new file mode 100644
index 0000000000..918d339cfe
--- /dev/null
+++ b/src/analyzer/protocol/imap/imap-analyzer.pac
@@ -0,0 +1,57 @@
+refine connection IMAP_Conn += {
+
+ %member{
+ string client_starttls_id;
+ %}
+
+ %init{
+ %}
+
+ function proc_imap_token(is_orig: bool, tag: bytestring, command: bytestring): bool
+ %{
+ string commands = std_str(command);
+ std::transform(commands.begin(), commands.end(), commands.begin(), ::tolower);
+
+ string tags = std_str(tag);
+
+ //printf("imap %s %s\n", commands.c_str(), tags.c_str());
+
+ if ( !is_orig && tags == "*" && commands == "ok" )
+ bro_analyzer()->ProtocolConfirmation();
+
+ if ( is_orig && ( command == "capability" || commands == "starttls" ) )
+ bro_analyzer()->ProtocolConfirmation();
+
+ if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" )
+ {
+ bro_analyzer()->ProtocolConfirmation();
+ // Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
+ bro_analyzer()->SetSkip(true);
+ return true;
+ }
+
+ if ( is_orig && commands == "starttls" )
+ {
+ if ( !client_starttls_id.empty() )
+ reporter->Weird(bro_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS");
+
+ client_starttls_id = tags;
+ }
+
+ if ( !is_orig && !client_starttls_id.empty() && tags == client_starttls_id )
+ {
+ if ( commands == "ok" )
+ bro_analyzer()->StartTLS();
+ else
+ reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
+ }
+
+ return true;
+ %}
+
+};
+
+refine typeattr IMAP_TOKEN += &let {
+ proc: bool = $context.connection.proc_imap_token(is_orig, tag, command);
+};
+
diff --git a/src/analyzer/protocol/imap/imap-protocol.pac b/src/analyzer/protocol/imap/imap-protocol.pac
new file mode 100644
index 0000000000..15bb753475
--- /dev/null
+++ b/src/analyzer/protocol/imap/imap-protocol.pac
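Review bot: `proc_imap_token` builds a lower-cased copy `commands` of the command but then compares the raw `command` bytestring in two of the conditions (`command == "capability"` and the whole `command == "authenticate" || command == "login" || ...` line), so those branches match only the exact lower-case spelling while IMAP commands are case-insensitive and are commonly sent upper-case. The practical effect is that for an upper-case `LOGIN`/`AUTHENTICATE` the `SetSkip(true)` branch is never reached and the analyzer keeps tokenising the plaintext session instead of stopping as the commit message says, and the `ProtocolConfirmation` on `capability` fires inconsistently. Both conditions should use the normalised string: `if ( is_orig && ( commands == "capability" || commands == "starttls" ) )` and `if ( commands == "authenticate" || commands == "login" || commands == "examine" || commands == "create" || commands == "list" || commands == "fetch" )`. A short comment above the `std::transform` line, e.g. `// IMAP commands are case-insensitive; compare against the lower-cased copy only.`, would keep the next edit from reintroducing the mix.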
@@ -0,0 +1,17 @@
+type TAG = RE/[[:alnum:][:punct:]]+/;
+type CONTENT = RE/[^\r\n]*/;
+type SPACING = RE/[ ]+/;
+type OPTIONALSPACING = RE/[ ]*/;
+type NEWLINE = RE/[\r\n]+/;
+
+type IMAP_PDU(is_orig: bool) = IMAP_TOKEN(is_orig)[] &until($input.length() == 0);
+
+type IMAP_TOKEN(is_orig: bool) = record {
+ tag : TAG;
+ : SPACING;
+ command: TAG;
+ : OPTIONALSPACING;
+ tagcontent: CONTENT;
+ : NEWLINE;
+};
+
diff --git a/src/analyzer/protocol/imap/imap.pac b/src/analyzer/protocol/imap/imap.pac
new file mode 100644
index 0000000000..33382bc26d
--- /dev/null
+++ b/src/analyzer/protocol/imap/imap.pac
@@ -0,0 +1,35 @@
+# binpac file for the IMAP analyzer.
+# Note that we currently do not even try to parse the protocol
+# completely -- this is only supposed to be able to parse imap
+# till StartTLS does (or does not) kick in.
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+namespace analyzer { namespace imap { class IMAP_Analyzer; } }
+namespace binpac { namespace IMAP { class IMAP_Conn; } }
+typedef analyzer::imap::IMAP_Analyzer* IMAPAnalyzer;
+
+#include "IMAP.h"
+%}
+
+extern type IMAPAnalyzer;
+
+analyzer IMAP withcontext {
+ connection: IMAP_Conn;
+ flow: IMAP_Flow;
+};
+
+connection IMAP_Conn(bro_analyzer: IMAPAnalyzer) {
+ upflow = IMAP_Flow(true);
+ downflow = IMAP_Flow(false);
+};
+
+%include imap-protocol.pac
+
+flow IMAP_Flow(is_orig: bool) {
+ datagram = IMAP_PDU(is_orig) withcontext(connection, this);
+};
+
+%include imap-analyzer.pac
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log
new file mode 100644
index 0000000000..0ae19c2fda
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log
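Review bot: `IMAP_PDU` in imap-protocol.pac consumes `IMAP_TOKEN`s `&until($input.length() == 0)` and `IMAP_Flow` in imap.pac drives it as `datagram`, so every `DeliverStream` chunk is parsed as a self-contained unit; as far as I can tell from these two files, a command line that arrives split across two TCP segments (or an IMAP `{n}` literal whose payload spans lines) cannot be completed by the parser, the binpac exception is turned into a `ProtocolViolation` by IMAP.cc, and the connection's StartTLS is then missed. If that trade-off is accepted for a StartTLS-only analyzer, say so on the `type IMAP_PDU` line, e.g. `# Parsed per delivered chunk (datagram flow): lines split across segments are not reassembled and fail the parse.`. Otherwise a `flowunit` flow with line-oriented (`&oneline`) token parsing would buffer up to the line terminator before `proc_imap_token` runs.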
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2015-07-22-17-31-02
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1437584567.812552 CXWv6p3arKYeMETxOg 192.168.17.53 49640 212.227.17.186 143 tcp ssl,imap 2.827002 540 5653 SF - - 0 ShAdDafFr 18 1284 14 6225 (empty)
+#close 2015-07-22-17-31-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log
new file mode 100644
index 0000000000..aefbf3d41e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2015-07-22-17-31-02
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1437584568.570497 CXWv6p3arKYeMETxOg 192.168.17.53 49640 212.227.17.186 143 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T FOWmhO3rUj3SEB5RTb,FjH9n52SzEIJ9UoVK9,FisDHa396LIaZadgG9 (empty) CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE - -
+#close 2015-07-22-17-31-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log
new file mode 100644
index 0000000000..6d1be68725
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path x509
+#open 2015-07-22-17-31-02
+#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
+#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
+1437584568.769690 FOWmhO3rUj3SEB5RTb 3 339D9ED8E73927C9 CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE 1384251451.000000 1479427199.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - imap.gmx.net,imap.gmx.de - - - F -
+1437584568.769690 FjH9n52SzEIJ9UoVK9 3 21B6777E8CBD0EA8 CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE 1362146309.000000 1562716740.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0
+1437584568.769690 FisDHa396LIaZadgG9 3 26 CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE 931522260.000000 1562716740.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 5
+#close 2015-07-22-17-31-02
diff --git a/testing/btest/Traces/tls/imap-starttls.pcap b/testing/btest/Traces/tls/imap-starttls.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f6bfe5458d4c78e9c9023da6c7f835b3a78f6c54 GIT binary patch literal 8511 zcmds6XIN89x1OCw=p}SPf+$Mg0RnrD;#0Dtm*M07H?|w4b{atHTduPv7TsTxj03`5j>+S{sgD1ys z91u{aC;?x1jM~bO17TAtVoDNqV^yet1AtrFH8B$6n4qMOPC;117Gli|u_Ky*5=hXMdjS#5@p zkp!^fT(e&Z=M zznU9(mm@>D&`bavXadxF>xDTA>X2R|M)lI`G}6mo7Z{Rp0Lp*PF`^ zp>uuM{`RTD3PnKVR zCntd8$rHGb;dt=r03GrM@^@XrYFWmCr-l|c60`A&vY0reZ~s+!39YXR*aBLu3wsM z1aqtvj;C`N)07pEYl2z`{kZ1JS>&3NxqV$T>bk$0Ye(lonQI%btN)6F(pAL5=P04 zPOc{R6AqHUkR#76>E*~LekES}VL1H#Hdhu7g%IUi1?dwG_VG6niuSBuqQG#N_W^~& zxA>RoWq61R0--xm>+L`=T2L$Bc<^M|4_)?g;=QGq1ML+!wx=1Hn=^l zmkrvWCCi~Dzq}nUL&++m0uc;a)Ow>}Q--x7lwhl0qCiW=)BvDO#4sleU`!%WQ@3(p z;w{s1ezrl?D2tHShd4szi%Tw@ZX7%<n9euo*`NGv2nB__DdTR|Zx z0MU>#T){|S2W$ZY;9w)z0P?_kNLHS}1Gq~V5-W+BWQasXLIRth18l%Lzy@*>b%~rr zNkRZ*K$2)ks6ZRgfErMiC`*Vy0cZgYpbC_LJm@As>j;1%AQ1sZfVT{QKF|Sra6bU( z!eecq0+iu>^soXjfgVu?bTE*DQ3wQ zZipUJq-pq$fo&tfPbsEu4nlB+`^(6T?%iAy-=`2}QUV8}ze#Fft&D zF;xJsD-gsO2Cle@lpl-;YD`v)v6*r#wk@U9bB^|h3O->`LuFmV9Mx49ub--On>%o9 z>*Pn>?zwx-_F-XGqmH*O)lA9XT^zM>`bXW}_TlvI7p(Ri&$XtrXNfuba>k3Ao6bJE z6}MxcOULRWP1`r41VP2^8p--C%ELOV7F{!3rEjP+bljgD0#2n+qO+7>g@OJxM&L#yF{TSoG;vO$MlHVr7-JaPS&}EsBokf+WiJAGKuvS zYltoW0}Y-aJj>*C*7r<@*QB`)_p)raOzv^BN4fXGzQ?|mgq#j}cjQYvfhe~Z7^9zQ%L zt>K0=lu!g5;Db@js*_-m6!$1&V#V)8ElT)vJ%e-u>lp@ACJwK@S#rwkg1vVG>C;n1 z-In^YMvLKgdyR`Ku=iaa+b$HChWnlvw}X{ZkiML_|3ltQIq^Zkd-JPFzC*6zWBo#o zY}uB5#&-=U=6!Er_-W9l)2iXA@G6Ds0sY-yc_Is*G5zvTf_bQ=gNmitG--l z{F}PC)1*4W<3x9A`Y=Q5_Ac{XZ;GPt%hPr(blkt@;Ym)O(vX?6uD3nw4x(sec_efz zZ*SAuKKXNtX5g9!QRVd_`=&#Vr@y>bsJTt+9ILY4-%0t(-K9r|U@Hb647+|$b@D?~ zjRcbg3(hp)x=%OgFx2~Z4SAa<|#}UrA5XF=_qC6lN0G|uO5{AHIwN*DA@!@ zWd^d2exKI^l9M5Gvmwn&ITW|U84Nq-a9bzDp-!;IIUx?kamb$G_L5b`0me#SK8Dq4Qw*!OOi->pO3_WR;MS+P8Ez{)Jeak{IJY`v z>3OfYlV)tFGM@kby?UE!zVkvkLg|Dx5upZ&tbCIYRg3u6>;b{YuV;QJQmnN5Ywh~P zJkpoZ({0u{yHi}00?nAJyi9a!KLAvf{!v7#&YR_1*&+h9{r 
z6Mye3-x40jhI@#Qbs_h))$T$n!KWGC-|PTiszRyqj^hb=bS;TouZNUI4I zr@*2Dhp_*XB%9TN)}2AohsQp)s4j_MQ;zvP%-yRvGd7hOpENDAVouZK z+y?6{Se4Cy;#zwLb%Wbh0d0q=wNv$jPEV%HaAk$ATKV>k`J*E__SS(43HKGNpEqV? zXYI61CX`-d+FQ?c+kaba6Bx2BvIaq1y1=r~Wlx z?X~XWE0>(lbx-9N5iFHg zetP<&rE&hYKVNJS`UcDX#MiNW@r@EPx1e(!jRyW5jn#V5rfajOUHHP~29wHPwAE7rv8@47b2 z8Tp+w!tL4iv(6W|fRH_%)k>YVE*5+Jt1B$hpRjND@ik>P3)*%z$5{o~KXUFEpFXbo(HlnB%c*&`7x`MAN?rMa7yF**QVWZ7 z7IR@X%bRg<1i#Hm$7{C!a>Y+Zj1UItP`S<<%PSEM zf@g!O775DoM(>XLP-);$vmP#oq6|g$+J|K zeFfcfL!Rez%HEAAz3HTvXWP(f9KP~7!+5#O^Y3k{|t$&d!4hF zW~WSlYfZ@rsd~w&8ODC%wp3iG<5*|An8Tw|_fvmNT73`&zCY1wkb;bqNvFtRIji63&ae7-=N36IDhN(tVLnO#;}U@mn`G+lKsVmV zuS(NvO?h{^e8^|<-jAB4`gZSkt4+0-pAo{YHFv(9el6y5HU@U8K1+@u`#;zqaSR77 z?2=>2dFSDv0<3ucR!lOCtT4R#$He4}I_jH&&c(g~-Ct^esp*y-Gv7v;rcN_k;Z$+= z-uA@y{14Bj;p;0kUZjr-5{#=2)Y+joHDS$z=w*+zt+*`B%9Yz}J|;Im(vE+%roFXx z-Rxr@>{c(E=qxeW7*t*(_PAIzW7nzmxsU%*?hLndJ^Q7-p)rN3X;S4>G;iP8Js0n{ zsdv>rR+kuEx^lU+O)lWY@e{9RSbQW0W0t=A?iXrw2ose~EVYWcP#iKwkYAIu?m(Qp z*#oa`=HvBlr+o-p(ya!T@y=_xJ*PfAyuKn>FZn4m^v0siELYE=`cxOIk7Xm=SVvyg z7vB-P+su73q`ollnE{R_97%9KS2`1Y5XR!~XQH(wXe<-oYl#PqWrADL>f5ugD2iwM zLwU6Tp{%;ucSID1!x7P=Cr@O$?7yi9${-?Yz2~#Rjx-8FQMvO=6gZzfX@YDnb(9)h zon({l-S3v4lA@8veBAaRV4P$j<)Fftk@R=xqwV<_mG@k!LrY!+1vW046%p4Gov&f( znBbVTQa4jP)bIU(m-oE&FimJB3`4dWW_-0yzs4nZ=esg$6g^O5qn~_sb$*3>*M#MU z*=FwB79VuYTsG&?_01@^KkZh5)8RncdgnF>6SSb*cG2sZ+hI7&?VWHf!szLC0Dck- zaim*Q?QG+q0|yVznNjvW?(}@i^)oGJSG3;<9lyDF_AP!=Iug8kk4is|Ja3AO2dCtF zEc-U^^eYLAgf95>L>YjS5M}xU3V?Q$wmvTKD_e$8ZWjI$1-f8s3IICLVuQX~tVC() z8Bg-dET{O-ofAjSpWoU2gg>12&s_3a9umfc%K+I>7;1fNl_`Mh7jVt?Q!iUZLR*z1 zTa8te2^$07MjN(qSI1@TCbto>XM7lj%iH%Im>VhyZ41Uvy=u?hx~@Q^A3X2HnQgPu zmr<>&_LKbIHNW%BPI4S^R=ass=J4GUw#P>yrD~v30tkm%AEmqmZBhqX^it}OR4F}R zB&GtO1udYDG=dx9@52<n67frKb(^b+y{cKEKpx*MqF$yB|+O{t$H aI6dhS+_YXxaA9|mAN)xGEJ{O1X!{RQJcKm> literal 0 HcmV?d00001 
diff --git a/testing/btest/scripts/base/protocols/imap/starttls.test b/testing/btest/scripts/base/protocols/imap/starttls.test
new file mode 100644
index 0000000000..380a594c2b
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/imap/starttls.test
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+
+@load base/protocols/ssl
+@load base/protocols/conn
+@load base/frameworks/dpd
+@load base/protocols/imap