The latest release of Snort++ (build 152) includes the ported SMTP, POP and IMAP inspectors. This post describes the changes to Snort's mail protocol preprocessors in Snort++.
Snort++'s mail inspectors are purely PDU based: PDU boundaries in the TCP stream are identified, the stream is split at those boundaries, and each PDU is then handed to the inspectors for processing.
Changes to the mail protocol inspectors' config:
- Memory-related options such as memcap, max_mime_mem and disable have been removed.
- Ports are now specified in binder entries rather than in the inspector config, as follows:

binder =
{
    {
        when = { proto = 'tcp', ports = '25 465 587 691', },
        use = { type = 'smtp', },
    },
}

- Config options that disable alerts have been removed.
- Rules can now search for content in decoded MIME attachments using the rule option "file_data" instead of "file_data:mime".
Changes to SMTP config:
- The inspection_type option has been removed; the SMTP inspector in Snort++ always inspects SMTP statefully.
- The alt_max_command_line_len syntax has changed. The new syntax for this option is as follows:

smtp =
{
    alt_max_command_line_len =
    {
        { command = 'MAIL', length = 260, },
    },
}

- All SMTP config options that take a command or a list of commands as arguments (such as normalize_cmds, data_cmds, valid_cmds, etc.) now use the following syntax, a space-separated list inside a Lua long string, e.g.:

valid_cmds = [[ CMD1 CMD2 ... CMDn ]]
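The pieces above assembled into one snort.lua fragment, as an added example rather than the Snort++ project's own shipped configuration: it binds SMTP on the ports listed above, assumes the standard POP and IMAP ports (110/995 and 143/993, which this page does not state), uses the new alt_max_command_line_len and command-list syntax, and carries a rule that matches decoded MIME attachment content through the plain file_data buffer.

```lua
-- Added example (not the Snort++ project's shipped snort.lua): a minimal
-- configuration exercising the Snort++ mail inspector changes described above.
-- POP and IMAP port lists are assumed standard values, not taken from the page.

-- Stream reassembly is what delivers complete PDUs to the mail inspectors.
stream = { }
stream_tcp = { }

-- Instantiate the three mail inspectors with their Snort++ options.
smtp =
{
    -- Per-command override of the maximum command line length; the RCPT
    -- entry is illustrative and shows that the list may hold several entries.
    alt_max_command_line_len =
    {
        { command = 'MAIL', length = 260, },
        { command = 'RCPT', length = 300, },
    },
    -- Command-list options take a space-separated list in a Lua long string.
    valid_cmds = [[ HELO EHLO MAIL RCPT DATA RSET NOOP QUIT ]],
    data_cmds  = [[ DATA ]],
}
pop  = { }
imap = { }

-- Ports now live in the binder, not in each inspector's own configuration.
binder =
{
    { when = { proto = 'tcp', ports = '25 465 587 691' }, use = { type = 'smtp' } },
    { when = { proto = 'tcp', ports = '110 995' },        use = { type = 'pop'  } },  -- assumed ports
    { when = { proto = 'tcp', ports = '143 993' },        use = { type = 'imap' } },  -- assumed ports
}

-- Decoded MIME attachment content is matched via the plain file_data buffer
-- (no ":mime" suffix); the marker string is a constructed sample value.
ips =
{
    rules =
    [[
        alert tcp any any -> any 25 ( msg:"SMTP attachment carries constructed test marker";
            file_data; content:"CONSTRUCTED_TEST_MARKER"; sid:1000001; rev:1; )
    ]],
}
```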
The following command gives the complete list of options for the mail inspectors:
snort --help-config | grep