Basic IMAP StartTLS analyzer.

Parses certificates out of imap connections using StartTLS. Aborts processing if StartTLS is not found.
2025-10-02 14:48:21 +00:00 · 2015-07-22 10:35:49 -07:00 · 2015-07-22 10:35:49 -07:00 · 4a5737708c
commit 4a5737708c
parent 871b340ade
17 changed files with 331 additions and 0 deletions
--- a/scripts/base/protocols/imap/README
+++ b/scripts/base/protocols/imap/README
@ -0,0 +1,5 @@
+Support for the Internet Message Access Protocol (IMAP).
+
+Note that currently the IMAP analyzer only supports analyzing IMAP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+mails from IMAP sessions, only X509 certificates.
--- a/scripts/base/protocols/imap/load.bro
+++ b/scripts/base/protocols/imap/load.bro
@ -0,0 +1,2 @@
+@load ./main
+
--- a/scripts/base/protocols/imap/main.bro
+++ b/scripts/base/protocols/imap/main.bro
@ -0,0 +1,11 @@
+
+module IMAP;
+
+const ports = { 143/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports);
+	}
+