SMTP service configuration
The binder
inspector defines the SMTP service
configuration.
For more information, see the Binder Inspector Overview.
Example:
[
{
"when": {
"service": "smtp",
"role": any
},
"use": {
"type": "smtp"
}
}
]
alt_max_command_line_len[]
Specifies an array of SMTP command and an alternate maximum line length for the command.
The alternate maximum line length overrides the value of the
max_command_line_len
for the SMTP command. You can enable rule 124:4 to generate
events for this parameter.
Type: array
Example:
{
"alt_max_command_line_len": [
{
"command": "AUTH",
"length": 240
}
]
}
alt_max_command_line_len[].length
Specifies an alternate maximum command line length. Specify 0
to disable
the detection of the command line length for a command.
Type: integer
Valid range:0
to 4,294,967,295 (max32)
Default value:
See SMTP Commands and Default Alternate Command Lengths.
Table 1. SMTP Commands and Default Alternate Command Lengths
Command
|
Length
|
ATRN
|
255
|
AUTH
|
246
|
BDAT
|
255
|
DATA
|
246
|
DEBUG
|
255
|
EHLO
|
500
|
EMAL
|
255
|
ESAM
|
255
|
ESND
|
255
|
ESOM
|
255
|
ETRN
|
500
|
EVFY
|
255
|
EXPN
|
255
|
HELO
|
500
|
HELP
|
500
|
IDENT
|
255
|
MAIL
|
260
|
NOOP
|
255
|
ONEX
|
246
|
QUEU
|
246
|
QUIT
|
246
|
RCPT
|
300
|
RSET
|
255
|
SAML
|
246
|
SEND
|
246
|
SIZE
|
255
|
SOML
|
246
|
STARTTLS
|
246
|
TICK
|
246
|
TIME
|
246
|
TURN
|
246
|
TURNME
|
246
|
VERB
|
246
|
VRFY
|
255
|
XADR
|
246
|
XAUTH
|
246
|
XCIR
|
246
|
XEXCH50
|
246
|
X-EXPS
|
246
|
XGEN
|
246
|
XLICENSE
|
246
|
X-LINK2STATE
|
246
|
XQUE
|
246
|
XSTA
|
246
|
XTRN
|
246
|
XUSR
|
246
|
auth_cmds
Specifies a list of SMTP commands that initiate the authentication exchange. Separate multiple SMTP commands with a space.
Type: string
Valid values: SMTP authentication exchange initiation commands
Default value:
AUTH XAUTH X-EXPS
b64_decode_depth
Specifies the maximum number of bytes to extract and decode from each Base64 encoded
MIME email attachment. You can specify an integer less than 65535, or specify 0 to disable
decoding. Specify -1 to place no limit on the number of bytes to decode.
You can enable rule 124:10 to generate events for this parameter, and in an inline
deployment, drop offending packets when decoding fails.
Type: integer
Valid range:
-1
to 65535
Default value: -1
binary_data_cmds
Specifies a list of SMTP commands that initiate sending data and use a
length value (in octets) after the command to indicate the amount of data to be
sent. Separate multiple SMTP commands with a space.
Type: string
Valid values: Valid SMTP data send initiation commands that use a data
length argument
Default value: BDATA XEXCH50
bitenc_decode_depth
Specifies the maximum number of bytes to extract from each non-encoded MIME
email attachment. You can specify an integer less than 65535, or specify 0 to disable the
extraction of the non-encoded MIME attachment.
Specify -1 to place no limit on the number of bytes to extract. These attachment types include
7-bit, 8-bit, binary, and various multipart content types such as plain text, JPEG and PNG
images, and MP4 files.
Type: integer
Valid range:
-1
to 65535
Default value: -1
data_cmds
Specifies a list of SMTP commands that initiate sending data and use an
end of data delimiter (<CRLF>.<CRLF>).
Type: string
Valid values: SMTP data send initiation command that uses an
end of data delimiter.
Default value:
DATA
decompress_pdf
Specifies whether to decompress application/pdf
(PDF) files
in MIME attachments.
Type: boolean
Valid values:
true
, false
Default value:
false
decompress_swf
Specifies whether to decompress application/vnd.adobe.flash-movie
(SWF) files
in MIME attachments.
Type: boolean
Valid values:
true
, false
Default value:
false
decompress_vba
Specifies whether to decompress Microsoft Office Visual Basic for Applications
macro files in MIME attachments.
Type: boolean
Valid values:
true
, false
Default value:
false
decompress_zip
Specifies whether to decompress application/zip
(ZIP) files
in MIME attachments.
Type: boolean
Valid values:
true
, false
Default value:
false
email_hdrs_log_depth
Specifies the number of bytes of the email header to extract from the SMTP data. Specify 0 to disable
extraction of the email header.
Type: integer
Valid range:
0
to 20480
Default value: 1464
ignore_data
Specifies whether to decode the email data section (except for MIME mail headers).
Type: boolean
Valid values:
true
, false
Default value:
false
ignore_tls_data
Specifies whether to decode TLS-encrypted data.
Type: boolean
Valid values:
true
, false
Default value:
false
log_email_hdrs
Specifies whether to decode and log the SMTP email header and all generated events for the session.
Type: boolean
Valid values:
true
, false
Default value:
false
log_filename
Specifies whether to decode and log the MIME attachment
filenames extracted from the Content-Disposition
header within the MIME body,
and all generated events for the session.
If the message contains multiple MIME attachments, the SMTP inspector logs the
filenames separated by a comma. The SMTP inspector logs no more than 1024 bytes.
Type: boolean
Valid values:
true
, false
Default value:
false
log_mailfrom
Specifies whether to decode and log the sender’s email
address extracted from the SMTP MAIL FROM
command,
and all generated events for the session.
If the message contains multiple senders, the SMTP inspector logs the senders
separated by a comma. The SMTP inspector logs no more than 1024 bytes.
Type: boolean
Valid values:
true
, false
Default value:
false
log_rcptto
Specifies whether to decode and log the recipient email
addresses from the SMTP RCPT TO
command, and all generated events for the session.
If the message contains multiple recipients, the SMTP inspector logs the recipients
separated by a comma. The SMTP inspector logs no more than 1024 bytes.
Type: boolean
Valid values:
true
, false
Default value:
false
max_auth_command_line_len
Specifies the maximum number of bytes accepted for the SMTP authentication command line.
You can enable rule 124:15 to generate events,
and in an inline deployment, drop offending packets. Specify 0 to disable alerts
on SMTP AUTH
commands, or omit max_auth_command_line_len
parameter from your Snort configuration.
Type: integer
Valid range:
0
to 65535
Default value: 1000
max_command_line_len
Specifies the maximum number of bytes accepted for the SMTP command line.
RFC 2821, the Network Working Group specification on SMTP,
recommends a maximum command line length of 512 bytes. Specify 0 to disable
alerts on SMTP command line length, or omit the max_command_line_len
parameter from your Snort configuration.
You can enable rule 124:1 to generate events, and in an inline deployment, drop offending packets.
Type: integer
Valid range:
0
to 65535
Default value: 512
max_header_line_len
Specifies the maximum number of bytes accepted for the SMTP data header line.
RFC 2821, the Network Working Group specification
on SMTP, recommends a maximum data header line length of 1024 bytes. Specify 0 to disable
alerts on SMTP data header line length, or omit the max_header_line_len
parameter from your Snort configuration.
You can enable rules 124:2 and 124:7 to
generate events, and in an inline deployment, drop offending packets.
Type: integer
Valid range:
0
to 65535
Default value: 1000
max_response_line_len
Specifies the maximum number of bytes accepted for the SMTP response line.
RFC 2821, the Network Working Group specification
on SMTP, recommends a maximum response line length of 512 bytes. Specify 0 to disable
alerts on SMTP response line length, or omit the max_response_line_len
parameter from your Snort configuration.
You can enable rules 124:3 to generate events, and in an inline deployment, drop offending packets.
Type: integer
Valid range:
0
to 65535
Default value: 512
normalize
Specifies whether to normalize all commands, no commands, or a list of
commands. You can specify the list of commands in the normalize_cmds
parameter.
The inspector checks for more than one space (ASCII 0x20) or tab (ASCII 0x09) character after a
command.
Type: enum
Valid values:
Default value:
none
normalize_cmds
Specifies a list of SMTP commands to normalize. Separate multiple SMTP commands with a space.
Type: string
Valid values: SMTP commands
Default value: None
qp_decode_depth
Specifies the maximum number of bytes to extract and decode from each
quoted-printable (QP) encoded MIME email attachment.
You can specify an integer less than 65535, or specify 0 to disable
decoding. Specify -1 to place no limit on the number of bytes to decode.
You can enable rule 124:11 to generate events, and in an inline
deployment, drop offending packets.
Type: integer
Valid range:
-1
to 65535
Default value: -1
uu_decode_depth
Specifies the maximum number of bytes to extract and decode from each
Unix-to-Unix encoded (uuencoded) MIME email attachment.
You can specify an integer less than 65535, or specify 0 to disable
decoding. Specify -1 to place no limit on the number of bytes to decode.
You can enable rule 124:13 to generate events for this parameter, and in an inline
deployment, drop offending packets when decoding fails (due to incorrect encoding or
corrupted data, for instance).
Type: integer
Valid range:
-1
to 65535
Default value: -1
valid_cmds
Specifies an additional list of SMTP commands which the SMTP inspector considers valid.
The SMTP inspector defines a list of default, valid SMTP commands: ATRN AUTH BDAT DATA DEBUG EHLO
EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT
RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS
X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN
XUSR
.
You can enable rule 124:5 to generate events, and in an inline
deployment, drop offending packets.
Type: string
Valid values: SMTP commands
Default value: None
xlink2state
Specifies how the SMTP inspector handles packets that are part of X-Link2State Microsoft
Exchange buffer data overflow attacks (See CVE-2005-0560 for a description of the
vulnerability). You can disable detection (disable
),
enable detection and generate alerts (alert
), or enable detection
and drop the offending packets (drop
).
You can enable rule 124:8 to generate events for this parameter, and in an inline deployment, drop
offending packets.
Type: enum
Valid values:
Default value:
alert