[Bro-Dev] [JIRA] (BIT-1203) Fixing SMTP state tracking in topic/robin/smtp-fix

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Wed Jun 11 15:21:07 PDT 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16806#comment-16806 ] 

Jon Siwek commented on BIT-1203:
--------------------------------

I think it seems fine now for the scope of what the SMTP script currently does: it's mostly concerned with tracking/logging the envelopes/header-fields created by the client; the server's last response is tracked/logged, but doesn't really factor into any logic decisions, with the exception of any reply to '.' being a place to possibly flush/log the envelope/headers it's been tracking.

Q: Can pipelining disrupt Bro's tracking of envelopes/header-fields?
A: I don't think so because the protocol forces synchronization after DATA and Bro syncs up on either the next reply to '.' or the next MAIL signaling a new transaction. Doesn't seem like there's any place for envelope/header info to get mixed anymore.

Q: Can pipelining cause the logging of $last_reply field to be wrong/different?
A: Consider the two places Bro syncs up the logging: (1) after a reply to '.', we know the protocol is already synchronized, so the next reply seen should be the correct/best one to log. (2) On seeing "MAIL FROM", but not having logged previous envelope/header info -- does seem like pipelining could cause the value of $last_reply to vary, but not sure that's different from the situation in which responses from the server may have been missed (though, maybe there's some distinguishing between the two situations that can be done).

Hope that helps explain my reasoning.

> Fixing SMTP state tracking in topic/robin/smtp-fix
> --------------------------------------------------
>
>                 Key: BIT-1203
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1203
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>             Fix For: 2.3
>
>         Attachments: signature.asc
>
>
>  This fixes the case that an SMTP session has multiple mails sent from
>  the originator but we miss the server's response (e.g., because we
>  don't see server side packets at all).
> topic/robin/smtp-fix in bro and bro-testing-private



--
This message was sent by Atlassian JIRA
(v6.3-OD-06-017#6327)
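
The two flush points described in the comment above, as an added Python model (not part of the original message and not Bro's SMTP script). The event tuples, the `track` function, the sample traces and the end-of-session flush are assumptions made for illustration; the traces cover the missed-server-reply case from the issue description and show how the logged last reply differs between them.

```python
# Simplified model of the two flush points (assumption: not Bro's own code).
# Event tuples are constructed sample data:
#   ("C", command, arg)            client request
#   ("S", code, msg, replied_cmd)  server reply and the command it answers

def track(events):
    """Return the envelopes that would be logged for one SMTP session."""
    logged = []
    env = None  # envelope being tracked; None when nothing is pending

    def flush():
        nonlocal env
        if env is not None:
            logged.append(env)
        env = None

    for ev in events:
        if ev[0] == "C":
            _, cmd, arg = ev
            if cmd == "MAIL":
                flush()  # sync point 2: new transaction, reply to '.' not seen
                env = {"mailfrom": arg, "rcptto": [], "last_reply": None}
            elif cmd == "RCPT" and env is not None:
                env["rcptto"].append(arg)
        else:
            _, code, msg, replied_cmd = ev
            if env is not None:
                env["last_reply"] = f"{code} {msg}"
            if replied_cmd == ".":
                flush()  # sync point 1: protocol is synchronized here
    flush()  # assumed end-of-session flush of anything still pending
    return logged

# Constructed trace: two mails, both directions visible.
FULL = [
    ("C", "MAIL", "<a@example.com>"), ("S", 250, "ok", "MAIL"),
    ("C", "RCPT", "<b@example.com>"), ("S", 250, "ok", "RCPT"),
    ("C", "DATA", ""), ("S", 354, "go ahead", "DATA"),
    ("C", ".", ""), ("S", 250, "queued as 1", "."),
    ("C", "MAIL", "<c@example.com>"), ("S", 250, "ok", "MAIL"),
    ("C", "RCPT", "<d@example.com>"), ("S", 250, "ok", "RCPT"),
    ("C", "DATA", ""), ("S", 354, "go ahead", "DATA"),
    ("C", ".", ""), ("S", 250, "queued as 2", "."),
]
CLIENT_ONLY = [e for e in FULL if e[0] == "C"]  # server side never seen
MISSED_DOT_REPLY = FULL[:7] + FULL[8:]          # only first '.' reply lost
```

In all three traces the envelopes stay separate; only the logged last reply changes, from the reply to '.' to whatever reply was last seen (or none).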