[ https://bro-tracker.atlassian.net/browse/BIT-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16806#comment-16806 ]

Jon Siwek commented on BIT-1203:
--------------------------------

I think it seems fine now for the scope of what the SMTP script currently 
does: it's mostly concerned with tracking/logging the envelopes/header-fields 
created by the client; the server's last response is tracked/logged, but 
doesn't really factor into any logic decisions, with the exception of any 
reply to '.' being a place to possibly flush/log the envelope/headers it's been 
tracking.

Q: Can pipelining disrupt Bro's tracking of envelopes/header-fields?
A: I don't think so because the protocol forces synchronization after DATA and 
Bro syncs up on either the next reply to '.' or the next MAIL signaling a new 
transaction.  Doesn't seem like there's any place for envelope/header info to 
get mixed anymore.

Q: Can pipelining cause the logging of the $last_reply field to be wrong/different?
A: Consider the two places Bro syncs up the logging: (1) after a reply to '.', 
we know the protocol is already synchronized, so the next reply seen should be 
the correct/best one to log. (2) On seeing "MAIL FROM", but not having logged 
previous envelope/header info -- does seem like pipelining could cause the 
value of $last_reply to vary, but not sure that's different from the situation 
in which responses from the server may have been missed (though, maybe there's 
some distinguishing between the two situations that can be done).

Hope that helps explain my reasoning.

> Fixing SMTP state tracking in topic/robin/smtp-fix
> --------------------------------------------------
>
>                 Key: BIT-1203
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1203
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>             Fix For: 2.3
>
>         Attachments: signature.asc
>
>
>  This fixes the case that an SMTP session has multiple mails sent from
>  the originator but we miss the server's response (e.g., because we
>  don't see server side packets at all).
> topic/robin/smtp-fix in bro and bro-testing-private



--
This message was sent by Atlassian JIRA
(v6.3-OD-06-017#6327)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
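
The two logging sync points described in the comment above, as a simplified Python model (an added example, not Bro's SMTP script and not code from this thread; the class, method and field names are assumptions). It runs a constructed pipelined session and a constructed client-only capture to show that envelope fields stay separate and that `last_reply` is simply empty when no server reply was seen.

```python
# Simplified model of the two sync points described above. This is not Bro's
# SMTP script; every name here is an assumption made for illustration.
class SmtpTracker:
    def __init__(self):
        self.log = []             # flushed envelope/header records
        self.env = None           # transaction currently being tracked
        self.last_reply = None    # most recent server reply seen, if any
        self.in_data = self.in_headers = self.await_dot = False

    def _flush(self):
        if self.env is not None:
            self.log.append(dict(self.env, last_reply=self.last_reply))
        self.env, self.await_dot = None, False

    def client(self, line):
        if self.in_data:
            if line == ".":       # end of DATA: protocol resynchronizes here
                self.in_data, self.await_dot = False, True
            elif line == "":      # blank line ends the header block
                self.in_headers = False
            elif self.in_headers and ":" in line and self.env is not None:
                name, value = line.split(":", 1)
                self.env["headers"][name.lower()] = value.strip()
        elif line.upper().startswith("MAIL FROM:"):
            self._flush()         # sync point (2): previous mail never logged
            self.env = {"mailfrom": line[10:].strip(), "rcptto": [], "headers": {}}
        elif line.upper().startswith("RCPT TO:") and self.env is not None:
            self.env["rcptto"].append(line[8:].strip())
        elif line.upper() == "DATA":
            self.in_data = self.in_headers = True

    def server(self, line):
        self.last_reply = line
        if self.await_dot:
            self._flush()         # sync point (1): reply to '.'

def run(events):
    t = SmtpTracker()
    for side, line in events:
        (t.client if side == "C" else t.server)(line)
    return t

# Constructed sessions: pipelined with replies seen, then client side only.
PIPELINED = [("C", "MAIL FROM:<a@example.org>"), ("C", "RCPT TO:<b@example.net>"),
             ("C", "DATA"), ("S", "250 2.1.0 Ok"), ("S", "250 2.1.5 Ok"),
             ("S", "354 Go ahead"), ("C", "Subject: one"), ("C", ""),
             ("C", "body"), ("C", "."), ("S", "250 2.0.0 queued")]
ONE_SIDED = [("C", l) for l in (
    "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>", "DATA", "Subject: one",
    "", ".", "MAIL FROM:<c@example.org>", "RCPT TO:<d@example.net>", "DATA",
    "Subject: two", "", ".")]
```

`run(PIPELINED).log` holds one record carrying the reply to '.'; `run(ONE_SIDED).log` holds the first mail with no `last_reply`, while the second mail is still pending in `env`.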
