SSL Decrypt + SMTP

Hey Bro folks,

I was hoping someone has done this before, but we’re trying to log our SMTP connections which we decrypt. In the packets, you’ll see STARTTLS, but everything after that is clear text.

Does anyone have a good mechanism for allowing the indexing to go past the STARTTLS? I was thinking about changing/removing this, but wanted to consult the list before going too far:

// If a TLS transaction has been initiated, forward to child and abort.
if ( state == SMTP_IN_TLS )
    {
    ForwardStream(length, line, orig);
    return;
    }

The underlying packets are the same as regular SMTP, they’re just being decrypted by an appliance.

Any ideas?

Cheers,

JB

Hello Joe,

> I was hoping someone has done this before, but we're trying to log our SMTP
> connections which we decrypt. In the packets, you'll see STARTTLS, but
> everything after that is clear text.
>
> Does anyone have a good mechanism for allowing the indexing to go past the
> STARTTLS? I was thinking about changing/removing this, but wanted to
> consult the list before going too far:
>
> // If a TLS transaction has been initiated, forward to child and abort.
> if ( state == SMTP_IN_TLS )
>     {
>     ForwardStream(length, line, orig);
>     return;
>     }
>
> The underlying packets are the same as regular SMTP, they're just being
> decrypted by an appliance.

The easy fix should be to remove the call to StartTLS() in line 768. This
will prevent the state from being set to SMTP_IN_TLS, and also keep the support
analyzers that the call removes if a TLS connection is started.

Johanna
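The hand-off the thread is discussing, as an added illustration rather than Bro's own code: a small state machine over a constructed SMTP exchange that reproduces the stock "stop indexing once the server accepts STARTTLS" behaviour, and, when a hypothetical `decrypted_upstream` flag is set, peeks at the first client bytes after the 220 so that a session the appliance did not actually decrypt (a real TLS ClientHello) is still handed off instead of being indexed as garbage. The flag, the function name and the sample traffic are all assumptions for this example.

```python
# Added illustration (not Bro's code): the SMTP_IN_TLS hand-off as a small
# state machine, plus a peek at the first post-STARTTLS client bytes so that
# sessions an inline decryptor did NOT decrypt are still handed to TLS.
TLS_HANDSHAKE = b"\x16"  # content type of a TLS record carrying a handshake

def parse_smtp(exchange, decrypted_upstream=False):
    """exchange: list of (direction, bytes), direction 'C' (client) or 'S'.
    Returns (indexed client commands, final state).
    decrypted_upstream=False reproduces the stock behaviour: stop indexing as
    soon as the server accepts STARTTLS."""
    commands, state, starttls_sent = [], "SMTP", False
    for who, data in exchange:
        if state == "PENDING" and who == "C":
            # First client bytes after "220": a real TLS ClientHello is a
            # handshake record; anything else is plaintext the appliance
            # already decrypted, so we keep indexing SMTP.
            if data[:1] == TLS_HANDSHAKE or not decrypted_upstream:
                state = "TLS"
            else:
                state = "SMTP"
        if state == "TLS":
            break  # stock analyzer: ForwardStream() to the child and return
        if who == "C":
            cmd = data.split(b"\r\n", 1)[0].split(b" ", 1)[0].upper()
            commands.append(cmd.decode("ascii", "replace"))
            starttls_sent = cmd == b"STARTTLS"
        elif starttls_sent and data.startswith(b"220"):
            state = "PENDING"  # server accepted STARTTLS; next client bytes decide
    return commands, state

# Constructed sample traffic (not a real capture).
DECRYPTED = [
    ("S", b"220 mail.example.test ESMTP\r\n"),
    ("C", b"EHLO client.example.test\r\n"),
    ("S", b"250-mail.example.test\r\n250 STARTTLS\r\n"),
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 Go ahead\r\n"),
    # What the sensor sees when an appliance decrypts the session for it:
    ("C", b"EHLO client.example.test\r\n"),
    ("C", b"MAIL FROM:<alice@example.test>\r\n"),
    ("C", b"RCPT TO:<bob@example.test>\r\n"),
]
# Same session, but the appliance did not decrypt it: a (truncated) ClientHello.
ENCRYPTED = DECRYPTED[:5] + [("C", b"\x16\x03\x01\x00\x2e\x01" + b"\x00" * 46)]

if __name__ == "__main__":
    print(parse_smtp(DECRYPTED))        # stock: (['EHLO', 'STARTTLS'], 'TLS')
    print(parse_smtp(DECRYPTED, True))  # keeps indexing MAIL/RCPT
    print(parse_smtp(ENCRYPTED, True))  # still hands real TLS to the child
```

Removing the StartTLS() call outright, as suggested above, is the equivalent of always taking the `decrypted_upstream=True` path without the peek; the peek is what keeps a sensor from indexing ciphertext on the sessions the appliance leaves alone.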