[Bro] SSL Decrypt + SMTP

Johanna Amann johanna at icir.org
Mon Dec 1 13:28:21 PST 2014


Hello Joe,

> I was hoping someone has done this before, but we're trying to log our SMTP
> connections which we decrypt.  In the packets, you'll see STARTTLS, but
> everything after that is clear text.
> 
> Does anyone have a good mechanism for allowing the indexing to go past the
> STARTTLS?  I was thinking about changing/removing this, but wanted to
> consult the list before going too far:
> 
> // If a TLS transaction has been initiated, forward to child and abort.
> if ( state == SMTP_IN_TLS ) {
>     ForwardStream(length, line, orig);
>     return;
> }
> The underlying packets are the same as regular SMTP, they're just being
> decrypted by an appliance.

The easy fix should be to remove the call to StartTLS() in line 768. This
will prevent the state from being set to SMTP_IN_TLS, and also keep the support
analyzers that the call removes if a TLS connection is started.

Johanna
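To make the state-machine effect of the suggested change concrete, here is an added toy model of the STARTTLS handling discussed in this thread. It is not Bro's SMTP analyzer code; the names `SmtpState`, `parseSession`, `decryptedUpstream` and the sample session are all constructed for this illustration. With `decryptedUpstream == false` the parser behaves like the quoted snippet: once STARTTLS has been seen, every later line is forwarded unparsed. With `decryptedUpstream == true` (the situation where an appliance hands Bro already-decrypted SMTP) the parser keeps going, but it still refuses to parse a line that does not look like cleartext, so that traffic which was in fact never decrypted is forwarded rather than logged as garbage:

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical, simplified analyzer state (constructed for this example).
enum class SmtpState { Normal, InTls };

struct ParseResult {
    std::vector<std::string> commands;   // SMTP verbs the parser extracted
    std::vector<std::string> forwarded;  // lines handed through unparsed
    SmtpState state = SmtpState::Normal;
};

// True if every byte is printable ASCII or ordinary whitespace; a TLS record
// that was never decrypted will fail this check.
static bool looksLikeCleartext(const std::string& line) {
    for (unsigned char c : line) {
        if (!(std::isprint(c) || c == '\r' || c == '\n' || c == '\t'))
            return false;
    }
    return true;
}

// Walk client lines of one SMTP session. decryptedUpstream models the
// proposed modification: do not enter SMTP_IN_TLS after STARTTLS because
// everything that follows is already plaintext.
ParseResult parseSession(const std::vector<std::string>& lines,
                         bool decryptedUpstream) {
    ParseResult r;
    for (const auto& line : lines) {
        // Original behaviour: once in TLS, forward to child and abort.
        if (r.state == SmtpState::InTls) {
            r.forwarded.push_back(line);
            continue;
        }
        // Defensive check for the modified mode: if the appliance did not
        // actually decrypt this line, do not pretend it is SMTP.
        if (decryptedUpstream && !looksLikeCleartext(line)) {
            r.forwarded.push_back(line);
            continue;
        }
        std::string verb = line.substr(0, line.find(' '));
        r.commands.push_back(verb);
        if (verb == "STARTTLS" && !decryptedUpstream)
            r.state = SmtpState::InTls;  // what the StartTLS() call does
    }
    return r;
}

// Constructed sample of the client side of a STARTTLS session.
std::vector<std::string> sampleSession() {
    return {"EHLO client.example",
            "STARTTLS",
            "EHLO client.example",
            "MAIL FROM:<alice@example.org>",
            "RCPT TO:<bob@example.net>",
            "DATA",
            "QUIT"};
}

int main() {
    for (bool decrypted : {false, true}) {
        ParseResult r = parseSession(sampleSession(), decrypted);
        std::cout << (decrypted ? "decrypted upstream" : "stock behaviour")
                  << ": parsed " << r.commands.size() << " commands, forwarded "
                  << r.forwarded.size() << " lines\n";
    }
    return 0;
}
```

Run as-is it reports two parsed commands and five forwarded lines in stock mode, and all seven commands parsed in the decrypted-upstream mode; the cleartext check is what keeps the modified mode from logging binary TLS records as SMTP if the decrypting appliance is ever bypassed.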


