From patchwork Fri Feb  8 04:38:00 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 2072
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
	bits)) (Client CN "mail01.ipfire.org",
	Issuer "Let's Encrypt Authority X3" (verified OK))
	by web07.i.ipfire.org (Postfix) with ESMTPS id 20BE385D3E5
	for <patchwork@web07.i.ipfire.org>;
	Thu,  7 Feb 2019 17:38:40 +0000 (GMT)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 43wQXH1GVzz5HDMt;
	Thu,  7 Feb 2019 17:38:39 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1549561119;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:mime-version:
	content-type:content-type:
	content-transfer-encoding:content-transfer-encoding:in-reply-to:
	references:list-id:list-unsubscribe:list-subscribe:list-post;
	bh=UdpyQe4qgSjFHSjCBwee+CLNaIRwkD1bhi/yXLsVYeY=;
	b=HGM34LgSxJY+o5UTKG5fIR0RItB+aUkE5mOE4KJB6IRg1TmkCeUagZLpyTvrWL8HPyiHi6
	FEfdWscW3DSy40dUj4lkG43iqo3PM6mIih6jbeBFt5vRZ4XKTwLm7lcFTUnYDHCRO1XM1/
	RFwoibie75SuCVqR1suTop37TL9bLcyc8ed+auEF4gIa/yPZiSoX21cE3q+/vEfXftAoXo
	iP2mQBSGUp/Vbd9SB4adHuiTA/IwMqO5ec/RL8lP07NFohjvFOX+KbdGlHjf4K2C0tihlr
	NiNeUbmDjxx5BL3uRzTnY1OniwCN/WwjUMV0ZRzMtaJR5a+oyGeDq252o2+3XQ==
Received: from [127.0.0.1] (unknown [141.255.162.34])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 43wQXD35Sxz5HDLh
	for <development@lists.ipfire.org>;
	Thu,  7 Feb 2019 17:38:36 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1549561116;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:mime-version:
	content-type:content-type:
	content-transfer-encoding:content-transfer-encoding:in-reply-to:
	references; bh=UdpyQe4qgSjFHSjCBwee+CLNaIRwkD1bhi/yXLsVYeY=;
	b=Qw4o/wuJyr0T4lZ3TPADiEd9DUArtoEpsDj9wpSjp1SN0KV110MUrOx0xX9dxP4NP0GyJj
	9jvgavbDNeDGOPYaMmrliHzJvKGXGInH+6bbGxrgYPDLsvaHW2LwXzoNEsi/8S6Uz9WuJM
	wbFDLknh1f8cEHOFgW2CSz8pGXbHx5F4uzT7Rd9KsTfapctcuGHfeEOqRfTTcBb+ewPO8K
	awZ9SJc2v26a/PKOqTV2MdPMoTg/FZ/l7RANjOzyrDG3vm7pVnuMMrvo0bp9kpjQvAQAsZ
	EeLKf3Pum1Op8+EOaHzDrHPP0OgSUKlCL9Be9/440JAbhHESsmPGOxHdSC/1BQ==
To: "IPFire: Development-List" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Organization: IPFire.org
Subject: [PATCH 1/3] Suricata: detect TLS traffic on IMAPS/POP3S/SSMTP ports
	as, well
Message-ID: <a90a64f1-cbfe-cd0b-af99-1e4b5989a4e0@ipfire.org>
Date: Thu, 07 Feb 2019 17:38:00 +0000
MIME-Version: 1.0
Content-Language: en-US
Authentication-Results: mail01.ipfire.org;
	auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org
X-Spamd-Result: default: False [-5.88 / 11.00]; ARC_NA(0.00)[];
	BAYES_HAM(-3.00)[100.00%]; FROM_HAS_DN(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
	RCPT_COUNT_ONE(0.00)[1]; HAS_ORG_HEADER(0.00)[];
	DKIM_SIGNED(0.00)[]; TO_DN_ALL(0.00)[];
	NEURAL_HAM(-2.78)[-0.926,0]; RCVD_COUNT_ZERO(0.00)[0];
	FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+];
	ASN(0.00)[asn:51852, ipnet:141.255.160.0/21, country:CH];
	MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-5.88
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Partially fixes #11808

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
---
 config/suricata/suricata.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 48035a67e..dd7e53584 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -140,7 +140,7 @@ app-layer:
     tls:
       enabled: yes
       detection-ports:
-        dp: 443
+        dp: "[443,465,993,995]"
 
       # Completely stop processing TLS/SSL session after the handshake
       # completed. If bypass is enabled this will also trigger flow