/
README.SMTP
359 lines (284 loc) · 15.8 KB
/
README.SMTP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
SMTP
====
Andrew Mullican <amullican@sourcefire.com>
Thanks to Dan Roelker <droelker@sourcefire.com>,
Marc Norton <mnorton@sourcefire.com>, and Steve Sturges
<ssturges@sourcefire.com> for their help with the design.
-- Overview --
SMTP is an SMTP decoder for user applications. Given a data buffer,
SMTP will decode the buffer and find SMTP commands and responses.
It will also mark the command, data header data body sections, as well
as TLS data.
SMTP handles stateless and stateful processing. It saves state
between individual packets. However maintaining correct state is
dependent on the reassembly of the client side of the stream (i.e., a
loss of coherent stream data results in a loss of state).
-- Configuration --
SMTP has the usual configuration items, such as port and inspection_type.
Also, SMTP command lines can be normalized to remove extraneous spaces.
TLS-encrypted traffic can be ignored, which improves performance. In addition,
regular mail data can be ignored for an additional performance boost. Since
so few (none in the current snort ruleset) exploits are against mail data,
this is relatively safe to do and can improve the performance of data
inspection.
The configuration options are described below:
* ports { port [port] ... } *
This specifies on what ports to check for SMTP data. Typically, this will
include 25 and possibly 465, for encrypted SMTP.
Default ports if none are specified are 25, 587 (Message submission - see
RFC 2476) and 691 (X-LINK2STATE). If alerting on the X-LINK2STATE vulnerability
is disabled, port 691 will be removed from the default ports.
DEFAULT { 25 587 691 }
* inspection_type stateful|stateless
Indicate whether to operate in stateful or stateless mode.
* normalize all|none|cmds *
This turns on normalization. Normalization checks for more than one space
character after a command. Space characters are defined as space (ASCII 0x20)
or tab (ASCII 0x09).
all checks all commands
none turns off normalization for all commands.
cmds just checks commands listed with the "normalize_cmds" parameter.
* ignore_data *
Ignore data section of mail (except for mail headers) when processing rules.
* ignore_tls_data *
Ignore TLS-encrypted data when processing rules.
* max_command_line_len <int> *
Alert if an SMTP command line is longer than this value. Absence of this
option or a "0" means never alert on command line length.
RFC 2821 recommends 512 as a maximum command line length.
* max_header_line_len <int> *
Alert if an SMTP DATA header line is longer than this value. Absence of this
option or a "0" means never alert on data header line length.
RFC 2821 recommends 1024 as a maximum data header line length.
* max_response_line_len <int> *
Alert if an SMTP response line is longer than this value. Absence of this
option or a "0" means never alert on response line length.
RFC 2821 recommends 512 as a maximum response line length.
* alt_max_command_line_len <int> { <cmd> [<cmd>] }
Overrides max_command_line_len for specific commands
* no_alerts *
Turn off all alerts for this preprocessor.
* invalid_cmds { <Space-delimited list of commands> } *
Alert if this command is sent from client side.
DEFAULT empty list
* valid_cmds { <Space-delimited list of commands> } *
List of valid commands. We do not alert on commands in this list.
DEFAULT empty list, but preprocessor has this list hard-coded:
{ ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN }
{ HELO HELP IDENT MAIL NOOP QUIT RCPT RSET SAML SOML SEND ONEX QUEU }
{ STARTTLS TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE }
{ XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR }
* data_cmds { <Space-delimited list of commands> } *
List of commands that initiate sending of data with an end of data delimiter
the same as that of the DATA command per RFC 5321 - "<CRLF>.<CRLF>".
DEFAULT { DATA }
* binary_data_cmds { <Space-delimited list of commands> } *
List of commands that initiate sending of data and use a length value after
the command to indicate the amount of data to be sent, similar to that of the
BDAT command per RFC 3030.
DEFAULT { BDAT XEXCH50 }
* auth_cmds { <Space-delimited list of commands> } *
List of commands that initiate an authentication exchange between client
and server.
DEFAULT { AUTH XAUTH X-EXPS }
* alert_unknown_cmds *
Alert if we don't recognize command.
DEFAULT off
* normalize_cmds { <Space-delimited list of commands> } *
Normalize this list of commands
DEFAULT { RCPT VRFY EXPN }
* xlink2state { enable/disable [drop] }
See CVE-2005-0560 for a description of the vulnerability.
Enable/disable xlink2state alert
Drop if alerted
DEFAULT { enable }
* print_cmds *
List all commands understood by the preprocessor. This not normally
printed out with the configuration because it prints so much data.
* disabled *
Disables the SMTP preprocessor in a config. This is useful when specifying
the decoding depths such as b64_decode_depth, qp_decode_depth, uu_decode_depth,
bitenc_decode_depth or the memcap used for decoding max_mime_mem in default config
without turning on the SMTP preprocessor.
* b64_decode_depth *
This config option is used to turn off/on or set the base64 decoding depth used to
decode the base64 encoded MIME attachments. The value ranges from -1 to 65535.
A value of -1 turns off the base64 decoding of MIME attachments. The value of 0
sets the decoding of base64 encoded MIME attachments to unlimited. A value other
than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment.
A SMTP preprocessor alert with sid 10 is generated (if enabled) when the decoding fails.
Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
is turned on the base64 encoded MIME attachments/data across multiple packets are
decoded too.
The decoded data is available for detection using the rule option file_data.
See file_data rule option for more details.
This option replaces the deprecated options, enable_mime_decoding and max_mime_depth.
It is recommended that user inputs a value that is a multiple of 4. When the value
specified is not a multiple of 4, the SMTP preprocessor will round it up to the next
multiple of 4.
In case of multiple configs, the value specified in the non-default config cannot
exceed the value specified in the default config.
* qp_decode_depth *
This config option is used to turn off/on or set the Quoted-Printable decoding depth
used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges
from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments.
The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A
value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies
per attachment. A SMTP preprocessor alert with sid 11 is generated (if enabled) when
the decoding fails.
Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
is turned on the QP encoded MIME attachments/data across multiple packets are decoded too.
The decoded data is available for detection using the rule option file_data.
See file_data rule option for more details.
In case of multiple configs, the value specified in the non-default config cannot exceed
the value specified in the default config.
* bitenc_decode_depth *
This config option is used to turn off/on or set the non-encoded MIME extraction
depth used to extract the non-encoded MIME attachments. The value ranges from -1
to 65535. A value of -1 turns off the extraction of these MIME attachments.
The value of 0 sets the extraction of these MIME attachments to unlimited.
A value other than 0 or -1 restricts the extraction of these MIME attachments, and applies
per attachment.
Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
is turned on the non-encoded MIME attachments/data across multiple packets are
extracted too.
The extracted data is available for detection using the rule option file_data.
See file_data rule option for more details.
In case of multiple configs, the value specified in the non-default config cannot exceed
the value specified in the default config.
* uu_decode_depth *
This config option is used to turn off/on or set the Unix-to-Unix decoding depth
used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges
from -1 to 65535. A value of -1 turns off the UU decoding of SMTP attachments.
The value of 0 sets the decoding of UU encoded SMTP attachments to unlimited. A
value other than 0 or -1 restricts the decoding of UU SMTP attachments, and applies per
attachment. A SMTP preprocessor alert with sid 13 is generated (if enabled) when the decoding fails.
Multiple UU Encoded attachments/data in one packet are pipelined. When stateful inspection
is turned on the UU encoded attachments/data across multiple packets are decoded too.
The decoded data is available for detection using the rule option file_data.
See file_data rule option for more details.
In case of multiple configs, the value specified in the non-default config cannot exceed
the value specified in the default config.
* enable_mime_decoding *
Enables Base64 decoding of Mime attachments/data. Multiple base64 encoded MIME
attachments/data in one packet are pipelined. When stateful inspection is turned
on the base64 encoded MIME attachments/data across multiple packets are decoded too.
The decoding of base64 encoded attachments/data ends when either the max_mime_depth
or maximum MIME sessions (calculated using max_mime_depth and max_mime_mem) is
reached or when the encoded data ends. The decoded data is available for detection
using the rule option file_data. See file_data rule option for more details.
Please note, this option is deprecated. Use the option b64_decode_depth to turn off
or on the base64 decoding instead.
* max_mime_depth <int> *
Specifies the maximum number of base64 encoded data to decode per attachment.
The option take values ranging from 4 to 20480 bytes. The default value for this
in snort in 1460 bytes.
It is recommended that user inputs a value that is a multiple of 4. When the value
specified is not a multiple of 4, the SMTP preprocessor will round it up to the next
multiple of 4.
Please note, this option is deprecated. Use the b64_decode_depth to set the decoding
depth for base64 decoding instead.
* max_mime_mem <int> *
This option determines (in bytes) the maximum amount of memory the SMTP preprocessor
will use for decoding base64 encoded/quoted-printable/non-encoded MIME attachments/data
or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB.
This option along with the maximum of the decoding depths will determine the SMTP
sessions that will be decoded at any given instant. The default value for this option
is 838860.
Note: It is suggested to set this value such that the max smtp session calculated as
follows is at least 1.
max smtp session = max_mime_mem /(2 * max of (b64_decode_depth, uu_decode_depth, qp_decode_depth
or bitenc_decode_depth))
For example, if b64_decode_depth is 0 (indicates unlimited decoding) and qp_decode_depth is 100, then
max smtp session = max_mime_mem/2*65535 (max value for b64_decode_depth)
In case of multiple configs, the max_mime_mem of the non-default configs will be overwritten by the
default config's value. Hence user needs to define it in the default config with the new keyword
disabled (used to disable SMTP preprocessor in a config).
* log_mailfrom *
This option enables SMTP preprocessor to parse and log the sender's email address extracted
from the "MAIL FROM" command along with all the generated events for that session. The maximum
number of bytes logged for this option is 1024.
Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg).
u2spewfoo can be used to read this data from the unified2.
* log_rcptto *
This option enables SMTP preprocessor to parse and log the recipient email addresses
extracted from the "RCPT TO" command along with all the generated events for that session.
Multiple recipients are appended with commas. The maximum number of bytes logged for this option is 1024.
Please note, this is loggged only with the unified2 output and is not logged with console output (-A cmg).
U2spewfoo can be used to read this data from the unified2.
* log_filename *
This option enables SMTP preprocessor to parse and log the MIME attachment filenames extracted
from the Content-Disposition header within the MIME body along with all the generated events
for that session. Multiple filenames are appended with commas. The maximum number of bytes
logged for this option is 1024.
Please note,this is logged only with the unified2 output and is not logged with the
console output (-A cmg). u2spewfoo can be used to read this data from the unified2.
* log_email_hdrs *
This option enables SMTP preprocessor to parse and log the SMTP email headers extracted from
SMTP data along with all generated events for that session. The number of bytes extracted and
logged depends upon the email_hdrs_log_depth.
Please note, this is logged only with the unified2 output and is not logged with the console output (-A cmg).
u2spewfoo can be used to read this data from the unified2.
* email_hdrs_log_depth <int> *
This option specifies the depth for logging email headers. The allowed range for this option is
0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464.
Please note, in case of multiple configs, this default config's value is used. The values specified in
the non-default config will be ignored and overwritten by the default config's values.
This option must be configured in the default config even if the SMTP configuration is disabled.
* memcap <int>*
This option determines in bytes the maximum amount of memory the SMTP preprocessor will
use for logging of filename, MAIL FROM addresses, RCPT TO addresses and email headers. This value
along with the buffer size used to log MAIL FROM, RCPT TO, filenames and email_hdrs_log_depth will
determine the maximum SMTP sessions that will log the email headers at any given time. When this memcap is
reached SMTP will stop logging the filename, MAIL FROM address, RCPT TO addresses and email headers
until memory becomes available.
Max SMTP sessions logging email headers at any given time
= memcap/(1024 + 1024 + 1024 + email_hdrs_log_depth)
The size 1024 is the maximum buffer size used for logging filename, RCPTTO and MAIL FROM addresses.
Default value for this option is 838860. The allowed range for this option is 3276 to 104857600.
The value specified in the default config is used when this option is specified in multiple configs.
This option must be configured in the default config even if the SMTP configuration is disabled.
Example:
preprocessor SMTP: \
ports { 25 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
ignore_data \
ignore_tls_data \
max_command_line_len 512 \
max_header_line_len 1024 \
max_response_line_len 512 \
no_alerts \
alt_max_command_line_len 300 { RCPT } \
invalid_cmds { } \
valid_cmds { } \
xlink2state { disable } \
print_cmds \
log_filename \
log_email_hdrs \
log_mailfrom \
log_rcptto \
email_hdrs_log_depth 2920 \
memcap 6000
preprocessor SMTP: \
max_mime_depth 100 \
max_mime_mem 4000 \
memcap 6000 \
email_hdrs_log_depth 2920 \
disabled
Default:
preprocessor SMTP: \
ports { 25 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
Notes:
"RCPT TO:" and "MAIL FROM:" are SMTP commands. For the preprocessor
configuration, they are referred to as RCPT and MAIL, respectively.
Within the code, the preprocessor actually maps RCPT and MAIL to the
correct command name.