[Bro] SSL Decrypt + SMTP

Joe Blow blackhole.em at gmail.com
Mon Dec 1 12:56:31 PST 2014


Hey Bro folks,

I was hoping someone has done this before, but we're trying to log our SMTP
connections which we decrypt.  In the packets, you'll see STARTTLS, but
everything after that is clear text.

Does anyone have a good mechanism for allowing the indexing to go past the
STARTTLS?  I was thinking about changing/removing this, but wanted to
consult the list before going too far:

    // If a TLS transaction has been initiated, forward to child and abort.
    if ( state == SMTP_IN_TLS )
        {
        ForwardStream(length, line, orig);
        return;
        }

The underlying packets are the same as regular SMTP, they're just being
decrypted by an appliance.

Any ideas?

Cheers,

JB
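As an added illustration, not code from Bro or from the poster: a small Python model of the analyzer's STARTTLS handling, with a decrypted_upstream switch standing in for the proposed change. It also adds the check a practitioner would want, since a session the appliance did not actually decrypt would otherwise have ciphertext indexed as SMTP. The function name, the regexes and the sample session are constructed for this example.

```python
# Added example, not Bro's own code: a minimal model of how an SMTP
# analyzer handles STARTTLS, with a flag for traffic that an upstream
# appliance has already decrypted (the situation in the post above).
import re

STARTTLS_RE = re.compile(r"^STARTTLS\s*$", re.IGNORECASE)
# SMTP verbs are short ASCII words (EHLO, MAIL, RCPT, DATA, ...).
CMD_RE = re.compile(r"^[A-Za-z]{4,8}(\s|$)")


def parse_smtp(lines, decrypted_upstream=False):
    """Return (commands_seen, state) for a list of (orig, line) tuples.

    orig=True marks a client line. Like Bro's analyzer, once the server
    accepts STARTTLS the session enters IN_TLS and nothing more is parsed.
    With decrypted_upstream=True parsing continues, but only while client
    lines still look like SMTP commands."""
    state = "PLAIN"
    commands = []
    pending_starttls = False
    for orig, line in lines:
        if not line.strip():
            continue
        if state == "IN_TLS":
            # Bro: ForwardStream(...) and return; nothing more is indexed.
            continue
        if orig:
            if state == "DECRYPTED" and not CMD_RE.match(line):
                # Bytes after STARTTLS are not SMTP: this session was not
                # decrypted upstream, so stop rather than index noise.
                state = "IN_TLS"
                continue
            commands.append(line.split()[0].upper())
            pending_starttls = bool(STARTTLS_RE.match(line))
        else:
            # A 220 reply to STARTTLS means the TLS handshake begins now.
            if pending_starttls and line.startswith("220"):
                state = "DECRYPTED" if decrypted_upstream else "IN_TLS"
            pending_starttls = False
    return commands, state


SESSION = [  # constructed sample; True = client line, False = server line
    (False, "220 mx.example.test ESMTP"),
    (True, "EHLO client.example.test"),
    (False, "250-STARTTLS"),
    (True, "STARTTLS"),
    (False, "220 Ready to start TLS"),
    (True, "EHLO client.example.test"),
    (True, "MAIL FROM:<alice@example.test>"),
    (True, "RCPT TO:<bob@example.test>"),
    (True, "DATA"),
]
```

With the flag off the result stops at STARTTLS exactly as the quoted Bro code does; with it on, the post-STARTTLS commands are logged, and a session that still carries TLS records falls back to IN_TLS.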