Thursday, May 21, 2015

Mail Protocol Inspectors in Snort++

The latest release of Snort++ (build 152) includes the ported SMTP, POP and IMAP inspectors. This blog describes the changes to Snort's mail protocol preprocessors in Snort++.

Snort++'s mail inspectors are purely PDU based. The PDU boundaries in TCP stream are identified and divided which are then processed by these inspectors.

Changes to mail protocol inspectors config:

  • Memory related options such as memcap, max_mime_mem, disable are now deleted.
  • Ports are now added to bindings as follows:

binder =     {
        when =
            proto = 'tcp',
            ports = '25 465 587 691 465 587 691',
        use =
            type = 'smtp',

  • Config options to disable alerts are deleted.
  • User can now search the for content in the decoded MIME attachments using the rule option "file_data" instead of "file_data:mime"

Changes to SMTP config:
  •  Deleted option inspection_type. SMTP inspector in Snort++ will always inspect SMTP statefully.
  • alt_max_command_line_len syntax has changed. The new syntax for this option is as follows:

smtp =
    alt_max_command_line_len =
            command = 'MAIL',
            length = 260,
  • All SMTP config options (such as normalize_cmds, data_cmds, valid_cmds etc) that take command or list of commands as arguments have the following syntax.

   valid_cmds = [[ CMD1 CMD2 ... CMDn ]]

The following command will give you the complete list of options for the mail inspectors.

snort --help-config | grep