Snort mailing list archives

Re: Email mime part data_state reassembly problem


From: "Bhagya Bantwal (bbantwal)" <bbantwal () cisco com>
Date: Thu, 11 Dec 2014 15:03:03 +0000


Hello Mitesh,

So this code actually just returns a paf verdict PAFLIMIT and not PAFFLUSH. This was added to handle boundaries split 
across packets (especially at the LF--). It shouldn't cause the flush of attachments with LF. Are you seeing this 
behavior?

Thanks!


From: Mitesh Jadia <mitesh.jadia () gmail com>
Date: Tuesday, December 9, 2014 2:57 AM
To: "Snort-devel () lists sourceforge net" <Snort-devel () lists sourceforge net>
Subject: [Snort-devel] Email mime part data_state reassembly problem

Hello,

I found that when a \n character is found in MIME data following a MIME header, the POP PAF function flushes the stream 
at that point.

The scanning_boundary function is responsible for that.

static inline bool scanning_boundary(MimeDataPafInfo *mime_info, uint32_t boundary_start, uint32_t* fp)
{
    if (boundary_start &&
            mime_info->data_state == MIME_PAF_FOUND_BOUNDARY_STATE &&
            mime_info->boundary_state != MIME_PAF_BOUNDARY_UNKNOWN)
    {
        *fp = boundary_start;
        return true;
    }

    return false;
}


The current logic says that when \n is found (meaning mime->info.data_state = MIME_PAF_BOUNDARY_LF), the if condition 
will be true (the other two conditions are also true in this case) and the flush point will be set. Now it is possible 
that a \n character can be present in attachment data.

As per my logic, all three characters '\n--' should be present before the flush point is set by this condition. This 
solution will perform proper flushing in the PAF function. This problem may also exist in SMTP and IMAP, as the 
scanning_boundary function is common to them.

Regards,
Mitesh Jadia
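Both messages turn on the same point: a flush point should come from a complete "\n--<boundary>" prefix, which may be spread over several packets, and never from a bare LF inside attachment data. The scanner below is an added example written for this page to show that behaviour end to end; it is not Snort's scanning_boundary or its MIME PAF code. The state names, the mime_scanner type, the helper functions and the sample message are all constructed for the demonstration, and the boundary parameter is assumed to be non-empty.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLUSH 16

/* Hypothetical per-stream state, loosely modelled on the states the thread
   names (MIME_PAF_BOUNDARY_LF, MIME_PAF_FOUND_BOUNDARY_STATE); not Snort's types. */
typedef enum { SCAN_DATA, SCAN_LF, SCAN_DASH1, SCAN_BOUNDARY } scan_state;

typedef struct {
    const char *boundary;     /* boundary parameter from Content-Type, without "--" */
    size_t boundary_len;      /* assumed non-empty */
    scan_state state;
    size_t matched;           /* boundary bytes matched so far in SCAN_BOUNDARY */
    uint64_t offset;          /* absolute stream offset of the next byte */
    uint64_t candidate_start; /* offset of the LF that opened the current candidate */
} mime_scanner;

static void scanner_init(mime_scanner *s, const char *boundary)
{
    memset(s, 0, sizeof *s);
    s->boundary = boundary;
    s->boundary_len = strlen(boundary);
}

/* Feed one packet. Each completed "\n--<boundary>" is reported as the offset of
   its LF (the flush point a PAF callback would hand back). A bare LF, or an LF
   followed by anything other than "--<boundary>", drops back to SCAN_DATA and
   reports nothing. State persists across calls, so a prefix split across
   packets (for example between the LF and the dashes) still matches. */
static size_t scan_packet(mime_scanner *s, const uint8_t *data, size_t len,
                          uint64_t *flush, size_t max_flush)
{
    size_t found = 0;
    for (size_t i = 0; i < len; i++, s->offset++) {
        uint8_t c = data[i];
        if (c == '\n') {                 /* any LF opens a fresh candidate */
            s->state = SCAN_LF;
            s->candidate_start = s->offset;
            continue;
        }
        switch (s->state) {
        case SCAN_LF:    s->state = (c == '-') ? SCAN_DASH1 : SCAN_DATA; break;
        case SCAN_DASH1: s->state = (c == '-') ? SCAN_BOUNDARY : SCAN_DATA;
                         s->matched = 0; break;
        case SCAN_BOUNDARY:
            if (c != (uint8_t)s->boundary[s->matched]) { s->state = SCAN_DATA; break; }
            if (++s->matched == s->boundary_len) {   /* full "\n--boundary" seen */
                if (found < max_flush) flush[found] = s->candidate_start;
                found++;
                s->state = SCAN_DATA;
            }
            break;
        default: break;                  /* SCAN_DATA: attachment bytes, LF or not */
        }
    }
    return found;
}

/* Deliver msg as two packets split at `split` (split == len means one packet). */
static size_t scan_split(const char *boundary, const char *msg, size_t len,
                         size_t split, uint64_t *flush, size_t max_flush)
{
    mime_scanner s;
    scanner_init(&s, boundary);
    const uint8_t *p = (const uint8_t *)msg;
    size_t n = scan_packet(&s, p, split, flush, max_flush);
    if (n > max_flush) return n;
    return n + scan_packet(&s, p + split, len - split, flush + n, max_flush - n);
}

/* Scan msg unsplit, then split at every position. Returns the flush count if
   every split reports the same offsets and each offset points at
   "\n--<boundary>"; returns -1 on any disagreement. */
static long all_splits_agree(const char *boundary, const char *msg, size_t len)
{
    uint64_t ref[MAX_FLUSH], got[MAX_FLUSH];
    size_t blen = strlen(boundary);
    size_t nref = scan_split(boundary, msg, len, len, ref, MAX_FLUSH);
    if (nref > MAX_FLUSH) return -1;
    for (size_t i = 0; i < nref; i++)
        if (ref[i] + 3 + blen > len || msg[ref[i]] != '\n' ||
            memcmp(msg + ref[i] + 1, "--", 2) != 0 ||
            memcmp(msg + ref[i] + 3, boundary, blen) != 0)
            return -1;
    for (size_t split = 0; split < len; split++)
        if (scan_split(boundary, msg, len, split, got, MAX_FLUSH) != nref ||
            memcmp(ref, got, nref * sizeof ref[0]) != 0)
            return -1;
    return (long)nref;
}

/* Constructed sample: three real boundary lines plus several decoys
   (bare LFs, "\n-", "\n--XY not it", and "--" inside binary attachment data). */
static const char sample_msg[] =
    "Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n\r\n"
    "--XYZ\r\nContent-Type: text/plain\r\n\r\n"
    "line one\nline two\n-not a boundary\n--XY not it\n"
    "--XYZ\r\nContent-Type: application/octet-stream\r\n\r\n"
    "\x01\x02\n\x03--\n"
    "--XYZ--\r\n";
static const size_t sample_len = sizeof(sample_msg) - 1;

int main(void)
{
    printf("flush points across all splits: %ld (expected 3)\n",
           all_splits_agree("XYZ", sample_msg, sample_len));
    return 0;
}
```

The check that matters is the one all_splits_agree performs: the flush offsets must be identical whether the message arrives whole or cut at any byte, including cuts between the LF and the dashes, and a message containing only LFs and partial prefixes must yield no flush point at all.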

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!