id: starttls-mail-detect

info:
  name: STARTTLS Mail Server Detection
  author: r3dg33k,userdehghani
  severity: info
  description: |
    STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one.
  metadata:
    max-request: 1
  tags: mail,starttls,network,detect,smtp,detection,tcp

tcp:
  - inputs:
      - data: "65686c6f20636865636b746c730a"
        type: hex
    read-size: 2048

    host:
      - "{{Hostname}}"
    port: 25,2525,465,587

    matchers:
      - type: word
        words:
          - "250-STARTTLS"
# digest: 490a0046304402204b37a4e9c400baa603d1d777d160eeac4279601a3e981276b0f7e88d3c7a5a9002201a10d9786927c13bff604166197c57dacebb893e3766af579a7bdcb41c6ebcc8:922c64590222798bb761d5b6d8e72950