diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/smtp/smtp_config.c ss-snort-2.7.0.1-smtp/src/dynamic-preprocessors/smtp/smtp_config.c --- snort-2.7.0.1/src/dynamic-preprocessors/smtp/smtp_config.c 2007-07-03 14:41:41.000000000 -0600 +++ ss-snort-2.7.0.1-smtp/src/dynamic-preprocessors/smtp/smtp_config.c 2007-09-11 10:24:51.000000000 -0600 @@ -31,6 +31,10 @@ * */ + /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure) + applies to marked preprocessor drops */ + + #include #include #include @@ -65,6 +69,14 @@ #define DISABLE "disable" #define INLINE_DROP "drop" +/** StillSecure **/ +#define DROP_COMMAND_OVERFLOW "drop_command_overflow" +#define DROP_DATA_HDR_OVERFLOW "drop_data_hdr_overflow" +#define DROP_RESPONSE_OVERFLOW "drop_response_overflow" +#define DROP_SPECIFIC_CMD_OVERFLOW "drop_specific_cmd_overflow" +#define DROP_UNKNOWN_CMD "drop_unknown_cmd" +#define DROP_ILLEGAL_COMMAND "drop_illegal_cmd" +/** End StillSecure **/ #define STATEFUL "stateful" #define STATELESS "stateless" @@ -207,6 +219,14 @@ _smtp_config.alert_xlink2state = 1; _smtp_config.drop_xlink2state = 0; + /** StillSecure **/ + _smtp_config.drop_command_overflow = 0; + _smtp_config.drop_data_hdr_overflow = 0; + _smtp_config.drop_response_overflow = 0; + _smtp_config.drop_specific_cmd_overflow = 0; + _smtp_config.drop_unknown_cmd = 0; + _smtp_config.drop_illegal_cmd = 0; + /** End StillSecure **/ /* * Build configured list of commands we do not alert on. */ 
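Review bot: The macro `DROP_ILLEGAL_COMMAND` added in the `#define` hunk (@@ -65) breaks the naming of its siblings: its option string is "drop_illegal_cmd", the config field is `drop_illegal_cmd`, and the neighbouring macro is `DROP_UNKNOWN_CMD`. Renaming it to `#define DROP_ILLEGAL_CMD "drop_illegal_cmd"`, together with the matching `strcasecmp` in the option parser at @@ -354, keeps macro, keyword and field greppable under one name. The six new keywords are also not described anywhere in this patch; a short comment above the block saying that each one only acts in inline mode, since every drop site tests `_dpd.inlineMode()`, would help whoever edits the configuration later.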
@@ -354,6 +374,32 @@ { _smtp_config.print_cmds = 1; } + /** StillSecure **/ + else if ( !strcasecmp(DROP_COMMAND_OVERFLOW, arg) ) + { + _smtp_config.drop_command_overflow = 1; + } + else if ( !strcasecmp(DROP_DATA_HDR_OVERFLOW, arg) ) + { + _smtp_config.drop_data_hdr_overflow = 1; + } + else if ( !strcasecmp(DROP_RESPONSE_OVERFLOW, arg) ) + { + _smtp_config.drop_response_overflow = 1; + } + else if ( !strcasecmp(DROP_SPECIFIC_CMD_OVERFLOW, arg) ) + { + _smtp_config.drop_specific_cmd_overflow = 1; + } + else if ( !strcasecmp(DROP_UNKNOWN_CMD, arg) ) + { + _smtp_config.drop_unknown_cmd = 1; + } + else if ( !strcasecmp(DROP_ILLEGAL_COMMAND, arg) ) + { + _smtp_config.drop_illegal_cmd= 1; + } + /** End StillSecure **/ else { DynamicPreprocessorFatalMessage("%s(%d) => Unknown SMTP configuration option %s\n", 
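Review bot: Each of the six new branches sets its flag without checking that the flag can ever act: every drop site in snort_smtp.c is guarded by `_dpd.inlineMode()`, so in a non-inline deployment these keywords are accepted and then silently do nothing, while the summary printed by the @@ -443 hunk still reports "YES". For a blocking control that is a fail-open misconfiguration the operator cannot see. Consider a warning once parsing is done, only when at least one drop flag is set, for example `if (!_dpd.inlineMode()) _dpd.logMsg("WARNING: SMTP drop_* options ignored, not in inline mode\n");`; this assumes `inlineMode()` is already meaningful at configuration time, which the hunk does not show. Minor: `_smtp_config.drop_illegal_cmd= 1;` lacks the space before `=` that the other five assignments have. The enclosing function starts and ends outside the hunk.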
@@ -443,6 +489,20 @@ _smtp_config.alert_xlink2state ? "YES" : "NO"); _dpd.logMsg(" Drop on X-Link2State Alert: %s\n", _smtp_config.drop_xlink2state ? "YES" : "NO"); + /** StillSecure **/ + _dpd.logMsg(" Drop Command Buffer Overflow: %s\n", + _smtp_config.drop_command_overflow ? "YES" : "NO"); + _dpd.logMsg(" Drop Data Header Buffer Overflow: %s\n", + _smtp_config.drop_data_hdr_overflow? "YES" : "NO"); + _dpd.logMsg(" Drop Response Buffer Overflow: %s\n", + _smtp_config.drop_data_hdr_overflow? "YES" : "NO"); + _dpd.logMsg(" Drop Specific Command Overflow: %s\n", + _smtp_config.drop_specific_cmd_overflow? "YES" : "NO"); + _dpd.logMsg(" Drop Unknown Command: %s\n", + _smtp_config.drop_unknown_cmd? "YES" : "NO"); + _dpd.logMsg(" Drop Illegal Command: %s\n", + _smtp_config.drop_illegal_cmd? "YES" : "NO"); + /** End StillSecure **/ if ( _smtp_config.print_cmds ) { diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/smtp/snort_smtp.c ss-snort-2.7.0.1-smtp/src/dynamic-preprocessors/smtp/snort_smtp.c --- snort-2.7.0.1/src/dynamic-preprocessors/smtp/snort_smtp.c 2007-07-03 14:41:41.000000000 -0600 +++ ss-snort-2.7.0.1-smtp/src/dynamic-preprocessors/smtp/snort_smtp.c 2007-09-11 10:25:07.000000000 -0600 @@ -32,6 +32,10 @@ * * */ + + /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure) + applies to marked preprocessor drops */ + #include #include #include @@ -649,6 +653,12 @@ { SMTP_GenerateAlert(SMTP_EVENT_ILLEGAL_CMD, "%s: %s", SMTP_ILLEGAL_CMD_STR, _smtp_config.cmd[_smtp->token_iid].name); + /** StillSecure **/ + if (_smtp_config.drop_illegal_cmd && _dpd.inlineMode()) + { + _dpd.inlineDrop(p); + } + /** End StillSecure **/ } if ( _smtp_config.normalize ) @@ -709,6 +719,12 @@ if ( _smtp_config.alert_unknown_cmds ) { SMTP_GenerateAlert(SMTP_EVENT_UNKNOWN_CMD, "%s", SMTP_UNKNOWN_CMD_STR); + /** StillSecure **/ + if (_smtp_config.drop_unknown_cmd && _dpd.inlineMode()) + { + _dpd.inlineDrop(p); + } + /** End StillSecure **/ } } } 
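Review bot: The "Drop Response Buffer Overflow" line prints the wrong field: it tests `_smtp_config.drop_data_hdr_overflow`, copied from the line above, so the startup summary reports the data-header setting twice and never shows `drop_response_overflow`. An operator auditing the banner would read a response-overflow drop policy that may not match what is actually enforced. Change the argument to `_smtp_config.drop_response_overflow ? "YES" : "NO"`. The function these lines belong to starts and ends outside the hunk.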
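Review bot: The four-line block `if (_smtp_config.drop_illegal_cmd && _dpd.inlineMode()) { _dpd.inlineDrop(p); }` is pasted, with only the flag name changed, into eight places (this hunk at @@ -649 and those at @@ -709, -734, -741, -756, -763, -837 and -1138). A small file-local static helper that takes the packet and the flag, and performs the inline-mode test and the drop, would reduce each site to one line such as `SMTP_DropIfEnabled(p, _smtp_config.drop_illegal_cmd);` (the helper name is only a suggestion) and give a single place to add logging or a drop counter later. All of these sites also rely on a packet pointer named `p` being in scope; the enclosing functions begin outside the hunks, so that should be confirmed for each one.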
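Review bot: The new drop for unknown commands at @@ -709 sits inside `if ( _smtp_config.alert_unknown_cmds )`, so `drop_unknown_cmd` has no effect unless the alert option is also enabled. The drop at @@ -649 likewise follows the `SMTP_GenerateAlert` call inside a block whose condition is outside that hunk, and may carry the same dependency. If the drop keywords are meant to stand on their own, as their separate names suggest, move the check after the closing brace of the alert `if`; if the coupling is intended, state it with a comment such as `/* drop only applies when alert_unknown_cmds is set */`. Either way the dependency should be explicit, because a drop option that quietly does nothing leaves traffic unblocked.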
@@ -734,6 +750,12 @@ SMTP_GenerateAlert(SMTP_EVENT_SPECIFIC_CMD_OVERFLOW, "%s: %s, %d chars", SMTP_SPECIFIC_CMD_OVERFLOW_STR, _smtp_config.cmd[_smtp->token_iid].name, count); + /** StillSecure **/ + if (_smtp_config.drop_specific_cmd_overflow && _dpd.inlineMode()) + { + _dpd.inlineDrop(p); + } + /** End StillSecure **/ } else if ( _smtp_config.max_command_line_len != 0 && count > _smtp_config.max_command_line_len ) @@ -741,6 +763,12 @@ SMTP_GenerateAlert(SMTP_EVENT_COMMAND_OVERFLOW, "%s: more than %d chars", SMTP_COMMAND_OVERFLOW_STR, _smtp_config.max_command_line_len); + /** StillSecure **/ + if (_smtp_config.drop_command_overflow && _dpd.inlineMode()) + { + _dpd.inlineDrop(p); + } + /** End StillSecure **/ } count = 0; /* Reset found string */ @@ -756,6 +784,12 @@ SMTP_GenerateAlert(SMTP_EVENT_SPECIFIC_CMD_OVERFLOW, "%s: %s, %d chars", SMTP_SPECIFIC_CMD_OVERFLOW_STR, _smtp_config.cmd[_smtp->token_iid].name, count); + /** StillSecure **/ + if (_smtp_config.drop_specific_cmd_overflow && _dpd.inlineMode()) + { + _dpd.inlineDrop(p); + } + /** End StillSecure **/ } else if ( _smtp_config.max_command_line_len != 0 && count > _smtp_config.max_command_line_len ) @@ -763,6 +797,12 @@ SMTP_GenerateAlert(SMTP_EVENT_COMMAND_OVERFLOW, "%s: more than %d chars", SMTP_COMMAND_OVERFLOW_STR, _smtp_config.max_command_line_len); + /** StillSecure **/ + if (_smtp_config.drop_command_overflow && _dpd.inlineMode()) + { + _dpd.inlineDrop(p); + } + /** End StillSecure **/ } } return i; @@ -837,6 +877,12 @@ { SMTP_GenerateAlert(SMTP_EVENT_DATA_HDR_OVERFLOW, "%s: %d chars", SMTP_DATA_HDR_OVERFLOW_STR, count); + /** StillSecure **/ + if (_smtp_config.drop_data_hdr_overflow && _dpd.inlineMode()) + { + _dpd.inlineDrop(p); + } + /** End StillSecure **/ } count = 0; } 
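Review bot: The command-overflow drop added at @@ -741 lives in the `else if` of the specific-command-overflow test, visible in the trailing context of @@ -734, so a line that trips the first test never reaches it. With `drop_command_overflow` enabled and `drop_specific_cmd_overflow` left at its default of 0, such a line is alerted on but not dropped, even if it is also longer than `max_command_line_len`. The same pairing repeats at @@ -756 and @@ -763. If the general limit is meant as a backstop, evaluate the general-limit drop independently of the specific one, or let the first branch drop when either flag applies. The condition of the first branch is outside the hunk, so confirm how the two limits relate before changing this.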
@@ -1138,6 +1184,12 @@ { SMTP_GenerateAlert(SMTP_EVENT_RESPONSE_OVERFLOW, "%s: %d chars", SMTP_RESPONSE_OVERFLOW_STR, count); + /** StillSecure **/ + if (_smtp_config.drop_response_overflow && _dpd.inlineMode()) + { + _dpd.inlineDrop(p); + } + /** End StillSecure **/ } count = 0; } diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/smtp/snort_smtp.h ss-snort-2.7.0.1-smtp/src/dynamic-preprocessors/smtp/snort_smtp.h --- snort-2.7.0.1/src/dynamic-preprocessors/smtp/snort_smtp.h 2007-07-03 14:41:41.000000000 -0600 +++ ss-snort-2.7.0.1-smtp/src/dynamic-preprocessors/smtp/snort_smtp.h 2007-09-11 10:25:17.000000000 -0600 @@ -27,6 +27,10 @@ * */ + /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure) + applies to marked preprocessor drops */ + + #ifndef __SMTP_H__ #define __SMTP_H__ @@ -188,6 +192,15 @@ SMTP_token *cmd; int cmd_size; + /** StillSecure **/ + u_int drop_command_overflow; //SMTP_COMMAND_OVERFLOW + u_int drop_data_hdr_overflow; //SMTP_DATA_HDR_OVERFLOW + u_int drop_response_overflow; //SMTP_RESPONSE_OVERFLOW + u_int drop_specific_cmd_overflow; //SMTP_SPECIFIC_CMD_OVERFLOW + u_int drop_unknown_cmd; //SMTP_UNKNOWN_CMD + u_int drop_illegal_cmd; //SMTP_ILLEGAL_CMD + /** End StillSecure **/ + } SMTP_CONFIG ; /* Exported functions */
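Review bot: The trailing comments on the six new struct fields at @@ -188 name identifiers such as `SMTP_COMMAND_OVERFLOW` that do not appear in this patch; the events raised next to each drop in snort_smtp.c are `SMTP_EVENT_COMMAND_OVERFLOW`, `SMTP_EVENT_DATA_HDR_OVERFLOW` and so on. Pointing each comment at the real event constant and stating the field's contract would make them useful, for example `u_int drop_command_overflow; /* nonzero: drop packet on SMTP_EVENT_COMMAND_OVERFLOW when inline */`. The `//` form also differs from the `/* */` comments used in the visible parts of these files.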