From 14949941cefa407bc30c0656c54304354c45820d Mon Sep 17 00:00:00 2001 
From: Arne Welzel Date: Mon, 11 Dec 2023 18:07:17 +0100 Subject: [PATCH 1/2] SMTP: Add BDAT support Closes #3264 --- scripts/base/init-bare.zeek | 7 + src/analyzer/protocol/smtp/BDAT.cc | 308 ++++++++++++++++++ src/analyzer/protocol/smtp/BDAT.h | 110 +++++++ src/analyzer/protocol/smtp/CMakeLists.txt | 2 + src/analyzer/protocol/smtp/Plugin.cc | 2 + src/analyzer/protocol/smtp/SMTP.cc | 99 +++++- src/analyzer/protocol/smtp/SMTP.h | 4 + src/analyzer/protocol/smtp/consts.bif | 1 + .../canonified_loaded_scripts.log | 1 + .../canonified_loaded_scripts.log | 1 + testing/btest/Baseline/plugins.hooks/output | 6 + .../conn.log.cut | 3 + .../out | 6 + .../smtp.log | 11 + .../conn.log.cut | 3 + .../files.log.cut | 4 + .../out | 32 ++ .../smtp.log | 11 + .../conn.log.cut | 3 + .../files.log.cut | 4 + .../out | 6 + .../smtp.log | 11 + .../conn.log.cut | 3 + .../scripts.base.protocols.smtp.bdat/out | 6 + .../scripts.base.protocols.smtp.bdat/smtp.log | 11 + .../Traces/smtp/rfc3030-bdat-0-last.pcap | Bin 0 -> 2545 bytes .../Traces/smtp/rfc3030-bdat-example1.pcap | Bin 0 -> 2797 bytes .../smtp/rfc3030-bdat-multipart-chunked.pcap | Bin 0 -> 19876 bytes .../Traces/smtp/rfc3030-bdat-multipart.pcap | Bin 0 -> 6339 bytes .../base/protocols/smtp/bdat-0-last.test | 16 + .../smtp/bdat-multipart-chunked.test | 19 ++ .../base/protocols/smtp/bdat-multipart.test | 19 ++ .../scripts/base/protocols/smtp/bdat.test | 15 + 33 files changed, 722 insertions(+), 2 deletions(-) create mode 100644 src/analyzer/protocol/smtp/BDAT.cc create mode 100644 src/analyzer/protocol/smtp/BDAT.h create mode 100644 src/analyzer/protocol/smtp/consts.bif create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/out create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/smtp.log create mode 100644 
testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/files.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/out create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/smtp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/files.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/out create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/smtp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat/out create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat/smtp.log create mode 100644 testing/btest/Traces/smtp/rfc3030-bdat-0-last.pcap create mode 100644 testing/btest/Traces/smtp/rfc3030-bdat-example1.pcap create mode 100644 testing/btest/Traces/smtp/rfc3030-bdat-multipart-chunked.pcap create mode 100644 testing/btest/Traces/smtp/rfc3030-bdat-multipart.pcap create mode 100644 testing/btest/scripts/base/protocols/smtp/bdat-0-last.test create mode 100644 testing/btest/scripts/base/protocols/smtp/bdat-multipart-chunked.test create mode 100644 testing/btest/scripts/base/protocols/smtp/bdat-multipart.test create mode 100644 testing/btest/scripts/base/protocols/smtp/bdat.test diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 0313d63ae5..95cc63ec78 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -362,6 +362,13 @@ module FTP; ## raise a FTP_max_command_length_exceeded weird and are discarded. const max_command_length = 100 &redef; +module SMTP; + +## The maximum line length within a BDAT chunk before a forceful linebreak +## is introduced and a weird is raised. Conventionally, MIME messages +## have a maximum line length of 1000 octest when properly encoded. +const bdat_max_line_length = 4096 &redef; + module GLOBAL; ## Statistics about what a TCP endpoint sent. diff --git a/src/analyzer/protocol/smtp/BDAT.cc b/src/analyzer/protocol/smtp/BDAT.cc new file mode 100644 index 0000000000..d51ab34ece --- /dev/null +++ b/src/analyzer/protocol/smtp/BDAT.cc 
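Review bot: The doc comment on `bdat_max_line_length` misspells "octets" as "octest" (the same slip is in the `NextChunk` comment in BDAT.h) and does not say which weird to look for when the limit is hit. Going by the BDAT.cc hunk, this value is also what caps how much of an unterminated line stays buffered per connection, which matters to anyone who redefs it upwards. I would add a line such as `## Longer lines are delivered in pieces without a trailing CRLF and raise smtp_bdat_line_too_long; the value also limits how much of an unterminated line is buffered.`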
@@ -0,0 +1,308 @@ +#include "zeek/analyzer/protocol/smtp/BDAT.h" + +#include "zeek/3rdparty/doctest.h" +#include "zeek/Conn.h" +#include "zeek/DebugLogger.h" +#include "zeek/analyzer/protocol/mime/MIME.h" +#include "zeek/util.h" + +namespace zeek::analyzer::smtp::detail { + + +struct BDATCmd parse_bdat_arg(int length, const char* arg) { + const char* arg_end = arg + length; + struct BDATCmd r = {0}; + + if ( *arg == '\0' || ! isdigit(*arg) ) { + r.error = "BDAT not followed by a valid chunk-size"; + return r; + } + + char* chunk_size_end = nullptr; + uint64_t chunk_size = strtoul(arg, &chunk_size_end, 10); + if ( *chunk_size_end != ' ' && chunk_size_end != arg_end ) { + r.error = "BDAT chunk-size not valid"; + return r; + } + + r.chunk_size = chunk_size; + r.is_last_chunk = strncasecmp(chunk_size_end, " LAST", 5) == 0; + return r; +} + + +SMTP_BDAT_Analyzer::SMTP_BDAT_Analyzer(Connection* conn, mime::MIME_Message* mail, size_t max_line_length) + : analyzer::Analyzer("SMTP_BDAT", conn), max_line_length(max_line_length), mail(mail) {} + +void SMTP_BDAT_Analyzer::NextChunk(ChunkType chunk_type, uint64_t chunk_size) { + DBG_LOG(DBG_ANALYZER, "BDAT: NextChunk size=%" PRIi64 " last=%d", chunk_size, chunk_type == ChunkType::Last); + assert(remaining_chunk_size == 0); + cur_chunk_type = chunk_type; + remaining_chunk_size = chunk_size; +} + +void SMTP_BDAT_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { + analyzer::Analyzer::DeliverStream(len, data, is_orig); + assert(mail != nullptr); + assert(! IsFinished()); + + // Upstream analyzer delivers more data than we're + // expecting for the current chunk. Likely a logic + // error on their side. Truncate it. + if ( len > RemainingChunkSize() ) { + Weird("smtp_bdat_chunk_overflow"); + len = static_cast(RemainingChunkSize()); + } + + // If the buffer ends with a cr and the new data doesn't start with lf + // or it's empty, deliver everything in the buffer, including the cr. + if ( ! 
buf.empty() && buf[buf.size() - 1] == '\r' ) { + if ( len == 0 || (len > 0 && data[0] != '\n') ) { + Weird("smtp_bdat_line_cr_only"); + mail->Deliver(buf.size(), buf.data(), false /*trailing_crlf*/); + buf.resize(0); + } + } + + // Start searching for crlf at the end of the old buffer. + std::string::size_type i = buf.size() - 1; + + buf.append(reinterpret_cast(data), len); + + std::string::size_type line_start = 0; + for ( i = 0; i < buf.size(); i++ ) { + if ( i < buf.size() - 1 && buf[i] == '\r' && buf[i + 1] == '\n' ) { + // Found a match, buf[line_start, i) is the line we want to Deliver() + buf[i] = '\0'; + buf[i + 1] = '\0'; + mail->Deliver(i - line_start, &buf[line_start], true /*trailing_crlf*/); + line_start = i + 2; + i += 1; + } + else if ( buf[i] == '\n' ) { + // There's only a lf without a preceding cr, deliver the + // line including the lf, but trailing_CRLF set as false. + Weird("smtp_bdat_line_lf_only"); + mail->Deliver(i - line_start + 1, &buf[line_start], false /*trailing_crlf*/); + line_start = i + 1; + } + else if ( i - line_start >= max_line_length ) { + Weird("smtp_bdat_line_too_long", zeek::util::fmt("%zu", buf.size())); + mail->Deliver(i - line_start, &buf[line_start], false /*trailing_crlf*/); + line_start = i; + } + } + + // Trim everything that was delivered (might be nothing). + buf.erase(0, line_start); + remaining_chunk_size -= len; + + // If this is the last chunk and all data was received, Flush any + // remaining data out now. Done() is called by the owner of mail. + if ( IsLastChunk() && RemainingChunkSize() == 0 && buf.size() > 0 ) { + mail->Deliver(buf.size(), buf.data(), false /*trailing_crlf*/); // Maybe this should be true? + buf.erase(); + } +} + +void SMTP_BDAT_Analyzer::Done() { + analyzer::Analyzer::Done(); + + // Anything still buffered? Unexpected, but deliver it. + if ( ! 
buf.empty() ) { + Weird("smtp_bdat_undelivered_at_done"); + mail->Deliver(buf.size(), buf.data(), false /*trailing_crlf*/); + buf.erase(); + } +} + +} // namespace zeek::analyzer::smtp::detail + + +#include "zeek/analyzer/Analyzer.h" +#include "zeek/analyzer/Manager.h" + +namespace { + +using zeek::analyzer::smtp::detail::parse_bdat_arg; + +TEST_SUITE_BEGIN("bdat command parsing"); + +TEST_CASE("last chunk") { + std::string line = "86 LAST"; + const auto& [chunk_size, is_last_chunk, error] = parse_bdat_arg(line.size(), line.c_str()); + CHECK(error == nullptr); + CHECK(chunk_size == 86); + CHECK(is_last_chunk == true); +} + +TEST_CASE("last chunk lower") { + std::string line = "86 last"; + const auto& [chunk_size, is_last_chunk, error] = parse_bdat_arg(line.size(), line.c_str()); + CHECK(error == nullptr); + CHECK(chunk_size == 86); + CHECK(is_last_chunk == true); +} + +TEST_CASE("intermediate chunk") { + std::string line = "86"; + const auto& [chunk_size, is_last_chunk, error] = parse_bdat_arg(line.size(), line.c_str()); + CHECK(error == nullptr); + CHECK(chunk_size == 86); + CHECK(is_last_chunk == false); +} + +TEST_CASE("intermediate chunk rn") { + std::string line = "86\r\n"; + const auto& [chunk_size, is_last_chunk, error] = parse_bdat_arg(line.size() - 2, line.c_str()); + CHECK(error == nullptr); + CHECK(chunk_size == 86); + CHECK(is_last_chunk == false); +} + +TEST_CASE("space pre chunk size") { + std::string line = " 86 LAST"; + const auto& [chunk_size, is_last_chunk, error] = parse_bdat_arg(line.size(), line.c_str()); + REQUIRE(error != nullptr); + CHECK(error == std::string("BDAT not followed by a valid chunk-size")); +} + +TEST_CASE("non-numeric chunk size") { + std::string line = "scramble LAST"; + const auto& [chunk_size, is_last_chunk, error] = parse_bdat_arg(line.size(), line.c_str()); + REQUIRE(error != nullptr); + CHECK(error == std::string("BDAT not followed by a valid chunk-size")); +} + +TEST_CASE("missing space post chunk size") { + std::string 
line = "86LAST"; + const auto& [chunk_size, is_last_chunk, error] = parse_bdat_arg(line.size(), line.c_str()); + REQUIRE(error != nullptr); + CHECK(error == std::string("BDAT chunk-size not valid")); +} + +TEST_SUITE_END(); + +TEST_SUITE_BEGIN("bdat line analyzer"); + +using zeek::analyzer::smtp::detail::ChunkType; +using zeek::analyzer::smtp::detail::SMTP_BDAT_Analyzer; + +namespace mime = zeek::analyzer::mime; + +/** + * Helper class to test Deliver() calls. + */ +class Test_MIME_Message : public mime::MIME_Message { +public: + Test_MIME_Message(zeek::analyzer::Analyzer* a) : MIME_Message(a) {} + + void Deliver(int len, const char* data, bool trailing_CRLF) override { + assert(len >= 0); + // std::printf("Deliver: '%s' trailing_CRLF=%d\n", data, trailing_CRLF); + deliver_calls.emplace_back(std::string{data, static_cast(len)}, trailing_CRLF); + } + + + // Noops, should not be called + void BeginEntity(mime::MIME_Entity* entity) override {} + void EndEntity(mime::MIME_Entity* entity) override {} + void SubmitHeader(mime::MIME_Header* h) override {} + void SubmitAllHeaders(mime::MIME_HeaderList& hlist) override {} + void SubmitData(int len, const char* buf) override {} + bool RequestBuffer(int* plen, char** pbuf) override { return false; } + void SubmitAllData() {} + void SubmitEvent(int event_type, const char* detail) override {} + + const auto& DeliverCalls() { return deliver_calls; } + +private: + std::vector> deliver_calls; +}; + +TEST_CASE("line forward testing") { + zeek::Packet p; + zeek::ConnTuple t; + auto conn = std::make_unique(zeek::detail::ConnKey(t), 0, &t, 0, &p); + auto smtp_analyzer = + std::unique_ptr(zeek::analyzer_mgr->InstantiateAnalyzer("SMTP", conn.get())); + auto mail = std::make_unique(smtp_analyzer.get()); + auto bdat = std::make_unique(conn.get(), mail.get(), 128 /* max line length*/); + + auto deliver_all = [](const auto& ds, auto& bdat) { + for ( const auto& d : ds ) + bdat->NextStream(d.size(), reinterpret_cast(d.data()), true 
/*is_orig, irrelevant*/); + }; + + auto total_size = [](const auto& ds) { + uint64_t r = 0; + for ( const auto& d : ds ) + r += d.size(); + + return r; + }; + + // Helpers for type deduction. + std::vector deliveries; + std::vector> expected; + + SUBCASE("test two lines split in four") { + deliveries = {"MIME-", "Version: 1.0\r\n", "Subject: Zeek", " Logo\r\n"}; + bdat->NextChunk(ChunkType::Last, total_size(deliveries)); + deliver_all(deliveries, bdat); + + expected = {{"MIME-Version: 1.0", true}, {"Subject: Zeek Logo", true}}; + CHECK(mail->DeliverCalls() == expected); + } + + SUBCASE("split on cr") { + deliveries = {"MIME-", "Version: 1.0\r", "\nSubject: Zeek", " Logo\r", "\n"}; + bdat->NextChunk(ChunkType::Last, total_size(deliveries)); + deliver_all(deliveries, bdat); + + expected = {{"MIME-Version: 1.0", true}, {"Subject: Zeek Logo", true}}; + CHECK(mail->DeliverCalls() == expected); + } + + SUBCASE("cr without lf") { + // Currently, when there's just a \r, will deliver including the cr + deliveries = {"MIME-Version: 1.0\r", "Subject: Zeek", " Logo\r\n"}; + bdat->NextChunk(ChunkType::Last, total_size(deliveries)); + deliver_all(deliveries, bdat); + + expected = {{"MIME-Version: 1.0\r", false}, {"Subject: Zeek Logo", true}}; + CHECK(mail->DeliverCalls() == expected); + } + + SUBCASE("lf without cr") { + // When a line ends only with lf, will deliver it, but including the lf + deliveries = {"MIME-Version: 1.0\n", "Subject: Zeek", " Logo\n", "From: Zeek \r\n"}; + bdat->NextChunk(ChunkType::Last, total_size(deliveries)); + deliver_all(deliveries, bdat); + + expected = {{"MIME-Version: 1.0\n", false}, + {"Subject: Zeek Logo\n", false}, + {"From: Zeek ", true}}; + CHECK(mail->DeliverCalls() == expected); + } + + SUBCASE("max_line_length 10") { + bdat->Done(); // Assertion prevention. 
+ bdat = std::make_unique(conn.get(), mail.get(), 10 /* max line length*/); + deliveries = {"1234567890123: 45\r\n", "X-Test: Y\r\n"}; + bdat->NextChunk(ChunkType::Last, total_size(deliveries)); + deliver_all(deliveries, bdat); + + expected = {{"1234567890", false}, {"123: 45", true}, {"X-Test: Y", true}}; + CHECK(mail->DeliverCalls() == expected); + } + + // Proper cleanup to avoid assertions + bdat->Done(); + mail->Done(); + smtp_analyzer->Done(); + conn->Done(); +} + +TEST_SUITE_END(); +} // namespace diff --git a/src/analyzer/protocol/smtp/BDAT.h b/src/analyzer/protocol/smtp/BDAT.h new file mode 100644 index 0000000000..bbee3f3ef6 --- /dev/null +++ b/src/analyzer/protocol/smtp/BDAT.h 
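Review bot: `parse_bdat_arg` keeps whatever `strtoul` returns, with no `ERANGE` check and no upper bound, so a client-supplied chunk-size above INT64_MAX is accepted. BDAT.h hands that `uint64_t` back through `RemainingChunkSize()` as `int64_t`, so it turns negative: in `SMTP_BDAT_Analyzer::DeliverStream` the `len > RemainingChunkSize()` branch would then set a negative `len` ahead of `buf.append`, and in the `SMTP_Analyzer::DeliverStream` hunk of SMTP.cc `std::min(...)` yields a negative `bdat_len` that `line += bdat_len` applies to the input pointer, with only an `assert` after it. I would reject such values in the parser, reusing the existing "BDAT chunk-size not valid" error, as below (`strtoull` because `unsigned long` is 32 bits on some targets). Separately, `isdigit(*arg)` should be given `static_cast<unsigned char>(*arg)`.

```cpp
struct BDATCmd parse_bdat_arg(int length, const char* arg) {
    // … unchanged: arg_end, r, leading-digit check …

    errno = 0;
    char* chunk_size_end = nullptr;
    unsigned long long chunk_size = strtoull(arg, &chunk_size_end, 10);
    if ( errno == ERANGE || chunk_size > static_cast<unsigned long long>(INT64_MAX) ) {
        // Out of range for the signed arithmetic done on the remaining size later on.
        r.error = "BDAT chunk-size not valid";
        return r;
    }

    // … unchanged: delimiter check, r.chunk_size / r.is_last_chunk assignment …
}
```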
@@ -0,0 +1,110 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+#pragma once
+
+#include
+
+#include "zeek/Conn.h"
+#include "zeek/analyzer/Analyzer.h"
+
+namespace zeek::analyzer {
+
+namespace mime {
+class MIME_Message;
+}
+
+namespace smtp {
+
+class SMTP_Analyzer;
+
+namespace detail {
+
+/**
+ * Parsed from a BDAT argument.
+ *
+ * If error is non-nil, parsing failed.
+ */
+struct BDATCmd {
+ uint64_t chunk_size = 0;
+ bool is_last_chunk = false;
+ const char* error = nullptr;
+};
+
+/**
+ * Helper to parse a BDAT argument.
+ *
+ * @param length Length of arg
+ * @param arg String following the "BDAT " part of the line.
+ */
+struct BDATCmd parse_bdat_arg(int length, const char* arg);
+
+/**
+ * The type of a BDAT chunk.
+ *
+ * Helper class to avoid true/false parameters.
+ */
+enum class ChunkType {
+ None,
+ Intermediate,
+ Last,
+};
+
+/**
+ * An analyzer to consume BDAT data.
+ *
+ * Yes, this is basically a small ContentLineAnalyzer, but instead
+ * of being hooked up as a SupportAnalyzer and assumes TCP, too,
+ * this directly forwards chunks into a MIME_Message instance. It's
+ * also BDAT chunk aware and knows when a chunk should have completed.
+ */
+class SMTP_BDAT_Analyzer : public zeek::analyzer::Analyzer {
+public:
+ /**
+ * Constructor.
+ *
+ * @param conn The connection over which data is transferred.
+ * @param mail The MIME_Message to deliver lines to.
+ * @param max_line_length Maximum line length before forcefully delivering.
+ */
+ SMTP_BDAT_Analyzer(zeek::Connection* conn, mime::MIME_Message* mail, size_t max_line_length);
+
+ /**
+ * Setup state for the next BDAT chunk.
+ *
+ * @param chunk_size The size in octest of the next chunk.
+ * @param chunk_type Whether this is the last or an intermediate chunk.
+ */ + void NextChunk(smtp::detail::ChunkType chunk_type, uint64_t chunk_size); + + /** + * @see Analyzer::DeliverStream() + */ + void DeliverStream(int len, const u_char* data, bool is_orig) override; + + /** + * @see Analyzer::DeliverStream() + */ + void Done() override; + + /** + * @return The remaining size of the current chunk. + */ + int64_t RemainingChunkSize() const { return remaining_chunk_size; } + + /** + * @return true if the current chunk was started with LAST. + */ + bool IsLastChunk() const { return cur_chunk_type == ChunkType::Last; } + +private: + ChunkType cur_chunk_type = ChunkType::None; + uint64_t remaining_chunk_size = 0; + std::string buf; + + size_t max_line_length = 0; + + mime::MIME_Message* mail; // owned by SMTP analyzer. +}; + +} // namespace detail +} // namespace smtp +} // namespace zeek::analyzer diff --git a/src/analyzer/protocol/smtp/CMakeLists.txt b/src/analyzer/protocol/smtp/CMakeLists.txt index b302045985..88fb237e94 100644 --- a/src/analyzer/protocol/smtp/CMakeLists.txt +++ b/src/analyzer/protocol/smtp/CMakeLists.txt @@ -3,7 +3,9 @@ zeek_add_plugin( SMTP SOURCES SMTP.cc + BDAT.cc Plugin.cc BIFS + consts.bif events.bif functions.bif) diff --git a/src/analyzer/protocol/smtp/Plugin.cc b/src/analyzer/protocol/smtp/Plugin.cc index 306a6ce03c..b27747f2e3 100644 --- a/src/analyzer/protocol/smtp/Plugin.cc +++ b/src/analyzer/protocol/smtp/Plugin.cc @@ -3,6 +3,7 @@ #include "zeek/plugin/Plugin.h" #include "zeek/analyzer/Component.h" +#include "zeek/analyzer/protocol/smtp/BDAT.h" #include "zeek/analyzer/protocol/smtp/SMTP.h" namespace zeek::plugin::detail::Zeek_SMTP { @@ -11,6 +12,7 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { AddComponent(new zeek::analyzer::Component("SMTP", zeek::analyzer::smtp::SMTP_Analyzer::Instantiate)); + AddComponent(new zeek::analyzer::Component("SMTP_BDAT", nullptr)); zeek::plugin::Configuration config; config.name = "Zeek::SMTP"; 
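Review bot: The comment on `Done()` in BDAT.h reads `@see Analyzer::DeliverStream()`, carried over from the method above it; it should be `@see Analyzer::Done()`. The `NextChunk` comment also documents `chunk_size` before `chunk_type` although the signature takes `chunk_type` first, which invites swapped arguments at call sites; list the parameters in declaration order.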
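Review bot: `AddComponent(new zeek::analyzer::Component("SMTP_BDAT", nullptr))` in Plugin.cc registers a component with a null factory and no comment saying why. From this diff it looks as if the component exists only so that the `analyzer::Analyzer("SMTP_BDAT", conn)` base constructor in BDAT.cc can resolve the name, while instances are created directly by `SMTP_Analyzer`; if that is the intent, state it, e.g. `// No factory: SMTP_BDAT is only created by SMTP_Analyzer and must not be instantiated by name.` What the analyzer manager does when a script or another plugin asks for a component whose factory is null is not visible here and is worth confirming.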
diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc index 1b930fdb6d..6ba7838f31 100644 --- a/src/analyzer/protocol/smtp/SMTP.cc +++ b/src/analyzer/protocol/smtp/SMTP.cc @@ -10,6 +10,8 @@ #include "zeek/NetVar.h" #include "zeek/Reporter.h" #include "zeek/analyzer/Manager.h" +#include "zeek/analyzer/protocol/smtp/BDAT.h" +#include "zeek/analyzer/protocol/smtp/consts.bif.h" #include "zeek/analyzer/protocol/smtp/events.bif.h" #undef SMTP_CMD_DEF @@ -117,6 +119,29 @@ void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { // NOTE: do not use IsOrig() here, because of TURN command. bool is_sender = orig_is_sender ? orig : ! orig; + if ( is_sender && bdat ) { + // We're processing BDAT and have switched the ContentLine analyzer + // into plain mode to send us the full chunk. Ensure we only use up + // as much as we need in case we get more. + int64_t bdat_len = std::min(bdat->RemainingChunkSize(), static_cast(length)); + if ( bdat->RemainingChunkSize() > 0 ) + bdat->NextStream(bdat_len, line, orig); + + // All BDAT chunks seen? + if ( bdat->IsLastChunk() && bdat->RemainingChunkSize() == 0 ) + UpdateState(detail::SMTP_CMD_END_OF_DATA, 0, orig); + + line += bdat_len; + length -= bdat_len; + assert(length >= 0); + + // Anything left? Usually the remainder is zero as we're doing + // plain delivery. However, a "BDAT 0 LAST" empty chunk isn't + // delivered by the ContentLineAnalyzer. + if ( length == 0 ) + return; + } + #if 0 ### if ( line[length] != '\r' || line[length+1] != '\n' ) @@ -173,8 +198,8 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) { expect_recver = true; } - else if ( state == detail::SMTP_IN_DATA ) { - // Check "." for end of data. + else if ( state == detail::SMTP_IN_DATA && ! bdat ) { + // Check "." for end of data for non-BDAT transfers. expect_recver = false; // ?? MAY server respond to mail data? if ( line[0] == '.' ) 
@@ -238,6 +263,40 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) { RequestEvent(cmd_len, cmd, data_len, line); } + // For the BDAT command, parse out the chunk-size from the line + // and switch the ContentLineAnalyzer into plain delivery mode + // assuming things look valid. + if ( cmd_code == detail::SMTP_CMD_BDAT ) { + const auto [chunk_size, is_last_chunk, error] = detail::parse_bdat_arg(end_of_line - line, line); + if ( ! error ) { + assert(chunk_size >= 0); + auto* cl = orig ? cl_orig : cl_resp; + cl->SetPlainDelivery(chunk_size); + + if ( ! bdat ) { + assert(! mail); + // This is the first BDAT chunk. + BeginData(orig); + bdat = std::make_unique(Conn(), mail, + zeek::BifConst::SMTP::bdat_max_line_length); + } + + bdat->NextChunk(is_last_chunk ? detail::ChunkType::Last : detail::ChunkType::Intermediate, + chunk_size); + } + else { + AnalyzerViolation(error, line, length); + } + } + else if ( bdat ) { + // Non-BDAT command from client but still have BDAT state, + // close it out. This can happen when a client started to + // send BDAT chunks, but starts sending other commands without + // a last BDAT chunk. + Weird("smtp_missing_bdat_last_chunk"); + EndData(); + } + if ( cmd_code != detail::SMTP_CMD_END_OF_DATA ) UpdateState(cmd_code, 0, orig); } 
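Review bot: When `parse_bdat_arg` reports an error, the `else` branch only calls `AnalyzerViolation(error, line, length)` and control still reaches `UpdateState(cmd_code, 0, orig)` at the end of this hunk. For a first, malformed `BDAT` line no `bdat` object exists, so the new `SMTP_CMD_BDAT` case in `UpdateState` (hunk `@@ -540,6 +599,37 @@`) trips `assert(bdat)`, and where assertions are compiled out it sets `state = detail::SMTP_IN_DATA` with no transfer behind it. The line comes from the monitored client, so I would skip the state update on that path, e.g. `if ( cmd_code != detail::SMTP_CMD_END_OF_DATA && ! (cmd_code == detail::SMTP_CMD_BDAT && ! bdat) )`. `ProcessLine` begins and ends outside the hunk; the `assert(chunk_size >= 0)` in the success path is always true for an unsigned value and can be dropped.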
@@ -540,6 +599,37 @@ void SMTP_Analyzer::UpdateState(int cmd_code, int reply_code, bool orig) { } break; + case detail::SMTP_CMD_BDAT: + switch ( reply_code ) { + case 0: + if ( state != detail::SMTP_RCPT_OK ) + UnexpectedCommand(cmd_code, reply_code); + + assert(bdat); + state = detail::SMTP_IN_DATA; + break; + + case 250: break; // server accepted BDAT transfer. + + case 421: state = detail::SMTP_QUIT; break; + + case 500: + case 501: + case 503: + case 451: + case 554: + // Client may continue sending chunks if pipelined. We don't + // call EndData() here as it might be interesting what the + // client does send, even if the server isn't accepting it. + break; + + default: + UnexpectedReply(cmd_code, reply_code); + // Chunks might still be in-flight. See above. + break; + } + break; + case detail::SMTP_CMD_END_OF_DATA: switch ( reply_code ) { case 0: @@ -789,6 +879,11 @@ void SMTP_Analyzer::BeginData(bool orig) { } void SMTP_Analyzer::EndData() { + if ( bdat ) { + bdat->Done(); + bdat.reset(); + } + if ( ! mail ) Weird("smtp_unmatched_end_of_data"); else { diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h index 91cad1e898..d93c110666 100644 --- a/src/analyzer/protocol/smtp/SMTP.h +++ b/src/analyzer/protocol/smtp/SMTP.h @@ -14,6 +14,8 @@ namespace zeek::analyzer::smtp { namespace detail { +class SMTP_BDAT_Analyzer; + enum SMTP_Cmd { #include "SMTP_cmd.def" }; @@ -83,6 +85,8 @@ protected: String* line_after_gap; // last line before the first reply // after a gap + std::unique_ptr bdat; // if set, BDAT chunk transfer active + analyzer::mime::MIME_Mail* mail; private: diff --git a/src/analyzer/protocol/smtp/consts.bif b/src/analyzer/protocol/smtp/consts.bif new file mode 100644 index 0000000000..379887d5d5 --- /dev/null +++ b/src/analyzer/protocol/smtp/consts.bif @@ -0,0 +1 @@ +const SMTP::bdat_max_line_length: count; 
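Review bot: In the new `SMTP_CMD_BDAT` case, `reply_code` 0 calls `UnexpectedCommand` whenever `state != detail::SMTP_RCPT_OK`, yet the same branch then sets `state = detail::SMTP_IN_DATA` and the `250` reply leaves it there. Unless the state is reset between chunks somewhere outside this hunk, every BDAT after the first in a multi-chunk transfer would be reported as unexpected, which drowns out the commands that really are out of order. I would accept a follow-up chunk explicitly: `if ( state != detail::SMTP_RCPT_OK && state != detail::SMTP_IN_DATA )`. The enclosing `switch` in `UpdateState` starts and ends outside the hunk.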
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 0bdbda72a4..37b0ea5102 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -229,6 +229,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek build/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek + build/scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek build/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 29feb83dfb..18aacdd010 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -229,6 +229,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek build/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek + build/scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek build/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 33c34f0daf..f40858f96c 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -441,6 +441,7 @@ 0.000000 MetaHookPost LoadFile(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, ./Zeek_SMTP.consts.bif.zeek, <...>/Zeek_SMTP.consts.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek) -> -1 @@ -728,6 +729,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMTP.consts.bif.zeek, <...>/Zeek_SMTP.consts.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek) -> (-1, ) 
@@ -1363,6 +1365,7 @@ 0.000000 MetaHookPre LoadFile(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, ./Zeek_SMTP.consts.bif.zeek, <...>/Zeek_SMTP.consts.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek) @@ -1650,6 +1653,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMTP.consts.bif.zeek, <...>/Zeek_SMTP.consts.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek) 
@@ -2284,6 +2288,7 @@ 0.000000 | HookLoadFile ./Zeek_SMB.smb2_com_write.bif.zeek <...>/Zeek_SMB.smb2_com_write.bif.zeek 0.000000 | HookLoadFile ./Zeek_SMB.smb2_events.bif.zeek <...>/Zeek_SMB.smb2_events.bif.zeek 0.000000 | HookLoadFile ./Zeek_SMB.types.bif.zeek <...>/Zeek_SMB.types.bif.zeek +0.000000 | HookLoadFile ./Zeek_SMTP.consts.bif.zeek <...>/Zeek_SMTP.consts.bif.zeek 0.000000 | HookLoadFile ./Zeek_SMTP.events.bif.zeek <...>/Zeek_SMTP.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_SMTP.functions.bif.zeek <...>/Zeek_SMTP.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_SNMP.events.bif.zeek <...>/Zeek_SNMP.events.bif.zeek @@ -2571,6 +2576,7 @@ 0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_write.bif.zeek <...>/Zeek_SMB.smb2_com_write.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_events.bif.zeek <...>/Zeek_SMB.smb2_events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_SMB.types.bif.zeek <...>/Zeek_SMB.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMTP.consts.bif.zeek <...>/Zeek_SMTP.consts.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_SMTP.events.bif.zeek <...>/Zeek_SMTP.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_SMTP.functions.bif.zeek <...>/Zeek_SMTP.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_SNMP.events.bif.zeek <...>/Zeek_SNMP.events.bif.zeek diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/conn.log.cut new file mode 100644 index 0000000000..6199830a5a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid id.orig_h id.orig_p id.resp_h id.resp_p service duration +CHhAvVGS1DHFjwGM9 127.0.0.1 40864 127.0.0.1 25 smtp 0.414217 
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/out b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/out
new file mode 100644
index 0000000000..c1d6eca389
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/out
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CHhAvVGS1DHFjwGM9, T, EHLO, localhost
+CHhAvVGS1DHFjwGM9, T, MAIL, FROM:
+CHhAvVGS1DHFjwGM9, T, RCPT, TO:
+CHhAvVGS1DHFjwGM9, T, BDAT, 0 LAST
+CHhAvVGS1DHFjwGM9, T, QUIT,
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/smtp.log
new file mode 100644
index 0000000000..5f6c652ff4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-0-last/smtp.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path smtp
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth helo mailfrom rcptto date from to cc reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent tls fuids
+#types time string addr port addr port count string string set[string] string string set[string] set[string] string string string string addr string string string vector[addr] string bool vector[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40864 127.0.0.1 25 1 localhost zeek@localhost root@localhost - - - - - - - - - - - 221 2.0.0 Bye 127.0.0.1,127.0.0.1 - F (empty)
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/conn.log.cut
new file mode 100644
index 0000000000..1c39bad5c2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/conn.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid id.orig_h id.orig_p id.resp_h id.resp_p service duration
+CHhAvVGS1DHFjwGM9 127.0.0.1 38718 127.0.0.1 25 smtp 2.832130
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/files.log.cut b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/files.log.cut
new file mode 100644
index 0000000000..376324ab23
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/files.log.cut
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid fuid source depth mime_type filename sha1
+CHhAvVGS1DHFjwGM9 F92xQs2qVTQbHLB0k3 SMTP 2 text/plain - 5cd7c323275d114627acbae92abc666d4335c8bb
+CHhAvVGS1DHFjwGM9 FT8Wo02dSqdPNsIf3c SMTP 3 image/png zeek-logo.png e9a752f145e10688ab485277a723ecbcfb5c8a63
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/out b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/out
new file mode 100644
index 0000000000..dd777f665a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/out
@@ -0,0 +1,32 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, T, EHLO, localhost +CHhAvVGS1DHFjwGM9, T, MAIL, FROM: +CHhAvVGS1DHFjwGM9, T, RCPT, TO: +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 129 +CHhAvVGS1DHFjwGM9, T, BDAT, 106 LAST +CHhAvVGS1DHFjwGM9, T, QUIT, diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/smtp.log new file mode 100644 index 0000000000..49f5f7e0b0 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart-chunked/smtp.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smtp +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth helo mailfrom rcptto date from to cc reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent tls fuids +#types time string addr port addr port count string string set[string] string string set[string] set[string] string string string string addr string string string vector[addr] string bool vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 38718 127.0.0.1 25 1 localhost zeek@localhost root@localhost Tue, 12 Dec 2023 17:37:16 +0100 Arne Welzel Arne Welzel - - - Zeek Logo - - - 221 2.0.0 Bye 127.0.0.1,127.0.0.1 - F F92xQs2qVTQbHLB0k3,FT8Wo02dSqdPNsIf3c +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/conn.log.cut new file mode 100644 index 0000000000..727ae9c742 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid id.orig_h id.orig_p id.resp_h id.resp_p service duration +CHhAvVGS1DHFjwGM9 127.0.0.1 38848 127.0.0.1 25 smtp 0.393711 diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/files.log.cut b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/files.log.cut new file mode 100644 index 0000000000..89ea77854c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/files.log.cut 
@@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid source depth mime_type filename sha1 +CHhAvVGS1DHFjwGM9 SMTP 2 text/plain - 5cd7c323275d114627acbae92abc666d4335c8bb +CHhAvVGS1DHFjwGM9 SMTP 3 image/png zeek-logo.png e9a752f145e10688ab485277a723ecbcfb5c8a63 diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/out b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/out new file mode 100644 index 0000000000..c0b0a71df9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/out @@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, T, EHLO, localhost +CHhAvVGS1DHFjwGM9, T, MAIL, FROM: +CHhAvVGS1DHFjwGM9, T, RCPT, TO: +CHhAvVGS1DHFjwGM9, T, BDAT, 3460 LAST +CHhAvVGS1DHFjwGM9, T, QUIT, diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/smtp.log new file mode 100644 index 0000000000..218ba3db1e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-multipart/smtp.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smtp +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth helo mailfrom rcptto date from to cc reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent tls fuids +#types time string addr port addr port count string string set[string] string string set[string] set[string] string string string string addr string string string vector[addr] string bool vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 38848 127.0.0.1 25 1 localhost zeek@localhost root@localhost Tue, 12 Dec 2023 17:37:16 +0100 Arne Welzel Arne Welzel - - - Zeek Logo - - - 221 2.0.0 Bye 127.0.0.1,127.0.0.1 - F FemNmn1XNlVbnEe4u3,FWMIGN1fQdGfq0zsg1 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat/conn.log.cut new file mode 100644 index 0000000000..0646c10bf5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid id.orig_h id.orig_p id.resp_h id.resp_p service duration +CHhAvVGS1DHFjwGM9 127.0.0.1 52210 127.0.0.1 25 smtp 0.461731 diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat/out b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat/out new file mode 100644 index 0000000000..71716fae66 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat/out 
@@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, T, EHLO, localhost +CHhAvVGS1DHFjwGM9, T, MAIL, FROM: +CHhAvVGS1DHFjwGM9, T, RCPT, TO: +CHhAvVGS1DHFjwGM9, T, BDAT, 86 LAST +CHhAvVGS1DHFjwGM9, T, QUIT, diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat/smtp.log new file mode 100644 index 0000000000..a3894d7025 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat/smtp.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smtp +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth helo mailfrom rcptto date from to cc reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent tls fuids +#types time string addr port addr port count string string set[string] string string set[string] set[string] string string string string addr string string string vector[addr] string bool vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 52210 127.0.0.1 25 1 localhost zeek@localhost root@localhost - Sam@random.com Susan@random.com - - - - This is a bodyless test message - - - 221 2.0.0 Bye 127.0.0.1,127.0.0.1 - F (empty) +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Traces/smtp/rfc3030-bdat-0-last.pcap b/testing/btest/Traces/smtp/rfc3030-bdat-0-last.pcap new file mode 100644 index 0000000000000000000000000000000000000000..6ea54a7fe66d9ab61cc8a850893f1589950c57ab GIT binary patch literal 2545 zcmaKsUrbwd6vuyMEnpc@Ow46(H)AIL30STmlMzDy-0jx>rM-PoLTKk*Twtpk%ye1- z6O+M~EM^ZTZV#}BnT4>axVdDDiOF=zMCYHG8qNMPjb#rm>WG=9c+R=^cXR8?J;_Pn zwtUX_d=Bm9^K(b5n3M5ZSz*ipzg*sz(=vTd_8k0-ZLL}+GuEYi*28+L|NLtV{s4Pw znyowkZ(9i8IbC({&ZT+As+_J<&Z=5>DgWE2_}sB(O%0NF*^(JUa@Sc-X6vS=-TT+S z4)pN!!=;Hcg>o{|IXMqxA56lw7G-WzE>PxwIN8V?2KwmuLyqOeXCR|P&x=&d>O1aa zI{}4lEg}vGvq;>q#EC}MQOr8t=qQc7Z4wJelq8R+<M=Nc=eKVhLCT+gh|w zK>31*#frp6$MP#ba$*s$T9B1+OdQH?O%J^UJLs7gVZ!Q}g%dd8(MR|M!`KWM>x0at zo7=1tie%x+ZWsFr!eU#CGA{@x=?3|VM7Y7lUrb_MDPMF;?Ve`K4eIGZJQ$b5!DukL zMgKh+d|nn?JyM$oN`EA)iKy|S>P@I>IB7hOD&DAH4kT5tno9a(0oizAqc5mNf)QDN zTOi5*8cv>4H*ciJqF+fxLo^nza~n2Y-JLQ|*ZG@oYTUcey}!u^?(W|Bp={GSB!0iC zn)QP;Y-^FbxN?z*KUX9+I_~zaHHqEet}fyYhQ-Z^SfsP-RZSc0F;CyE-~NfAY8Hnv z*w&(HKH)vOy^BxNZ{OsD+vo7pa`3u2Ed>NTnlbg(06EJI(+i5rLTmZg}ov&z@|9@j20z3U^=lWzBe**1X zSzpUypat7nWXG#~O~hY$V#Bvi1UvZ!lXwmiPxt~}RrH8qZ&KCIIr~YiO<>^z64Jo& zhLC;`GKF6i*UYcC;w`|R!@%l|2Ur%8Vq1#>r-eBrZdj~H1jTbJJn&L85_QEM`UmWU zTBem-bjlp=E3tS>!fAH~!uPL~|0ldI9mv#J7 zGcI)SxSJ`k3AVLpp-$x+BHpe@gbQ>un8blneyO=P6*SbJ0PgBZg%3&ngPd!qKLF~F zq57+Dm2n3!>Css?>xGEe)}o|-;S{M~sYnF%9Ze=N4M_(isTDr^sNT0%)8(Fq0joz= zz9kiR_y9xhF_3#0cOG)A7cB?_lWLOmxM5)PAu29S_1BW92|c+xiGca-sW kPPAk^GTs0g-@KnVX-gD7qKs=f(a3lNGQLZPdaa!JA91jl_y7O^ literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/smtp/rfc3030-bdat-example1.pcap b/testing/btest/Traces/smtp/rfc3030-bdat-example1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..45689a992891ee4125cfc442cb9b5f022b9acf03 GIT binary patch literal 2797 zcmaKuUrbwd6vuzJWw?4h;g?K_a|mrWmfC=!w1rk_>Dt@Gti-K_t3xQA6e27J zG2%p21`iCA{RvB&Y>P`w3}$f;N&;_FA8--Zi5sqrvBkJ7V~`~l&-vZ^ySsJep7bQ` zukGi2zu$9v)2lPzo;8pH!fRuL5CL91H`FVgx?D_Nhv(SZ+DhDnRHy!^CAEbU3m?K4 zu&+EIrG3NKPT(ge4Ug}e&k$lL*fLdM*lNo5lNmf0jK*h>{IxEb5F}S$=44WO<$>q= zi@yPVVsb}z=tmH!B_o}azXNg|Ov2U{)4Vsez%*w#SgX2-#zEDsdKxR;!sxz0vrQ4ymFg5vT5uPYlpN zBH8_RTQ7adCB@pJos|v#@U9{gPM?J7I)46Ses1yUPyCb_nICJ;^x5ZucoA?xFoLZu z=Es$~!H9Eti6z3L{xX%g27YGUp2jBHk!Xo_90m_XCYFi3 z=Rk9IWh!UF8WKwz2uXujY;7^kKShR+c=K#tBJ5ypk4jtz&1=>w^DCMi6q)cK;0?GN zy?(F1L4Fx!lSdwmPrq z^ZMNK$6O))ZCH6&thcda>hy&DZ?LiG)CNvB&n|V7ZD)}?RrY<(bG_^&WVgDqGso#V z603^^@)m@Ktu2;aAhpPdvw4Xn!s?p`I8oRQ*{%B=-bPvx!!PXX=Ru}nLtT29#2Y312|VK*#>S}QCSX4=#)^S=SUPCkDz zH#az6$!7-gxq$iH8O!09V?OQI1kwyrv9-k%`%|~_<|7j!pP>zvcn}nq2b}?ticR+F zu0*2ysdP?dbkiAT>Fna_m2@sZIt!T2=y`Qk3}zkV=~Sudd=Gq`bTZ7#|L@ofkj^Dc zXZhb8ehkwwT{P(IGquEszi`D$-ZBx=iN2r`$3bzd&gBrPZ69rPghY9tgF&N?;>hPL zk$s%6BytH7xrg_P<*>@12L3oIJ`cpNV3F9`V*4CU-DZkE;Y3C8J(d9|uKXv5I4vgZ zG}M!fcGh-9J6jWRylEGi>bnwgIFH72PD4GhccqqYI~5PNB`G|jG?r-X>yVO3+ASr! 
zX&jzK-;reJ^ZL%eV9u+!&L_^(4s?F|YOYRnZl2mgj(}xsZ87Ju$d`;*n3o7w*S11V zG&Dn&)AH42X1_ffY{Kshs)d{wUI^?*6~e`<$mv z-E(f;y!6XQ@1Hj|e~djo{d8<>9R70P?soFZH%}k4z}M(8_gFY)92;B11lNtNTkuTm zi|`BRvH6;@3yS-Nzehj0b>1gOy0?vu&6|Jf&iV5ePRvaI0>28p~u_<6K|kxh}bi;#DUg>Nb82h<1_7tIpQHil*uH* zWII}{6q2jr<)YB&wfkH`SGmrlvTfl?Lo$|)mc+Efe}!NIRgXY*LO)^LPll~Nr=L%8 zKLTF$Lx{NTU(XoxKqKfe_rU!ampPv$UqN$ z&96d*lWV5!*fEB!FmUWsaO}T8^UUuy&8_gr5~TTqpPVuF28czExd+z#EbTzV4}Le2 z2xIW{nH=$=ndwKC$dr=FIb$H0Ku@^LE~CxtFgxh}-@WFDQ7Dzj6cRZ4PZ@n4$Kabj z%H#9dyo2W*Cd#2V8oWNr=lANJ2IJrx8lBl^H`|TG55gkT*KUei9@r+fC%n<2=4)d+2V0fyisSMd_t*AE0}l&*e}%k^E6UC_rPog z?Z$3YhTPZzZcL(i;`P~Nz6-A_lIcYYm7Ov4#hI%p430f<$q}CCrXJpzyK4#Z@BA!&p?+=+oa;d6mok|;M6Ju$& z%2aDzF`6x`N~4w*Fhr9)*rYPs(%=P!OnMkh`ul5l@LNK}Qe$lFT5tzF<{sE2JMG0p z|48EE@xR~q9G}<^p#;A~!6cbh80#>}dVhp(hEjw)#!#teKF^jKjK{+;9?zmYzSiZJ zLgGJKGfv85920#bi7>*wl`L`l`DldsdEEW}I6*D#!^RX@_Q2|A!Ro!p>Q`Up*oK+u z?dK!4F9DH|#{?oC_&rM;^uHJP4{D7c@`wf;3OH$isn*+w<&tq`wJ-vcu+Uacmjx43 zwQ_N_kgAoE!eFw{O%{Y}qVShhE&P{t@p3I$$fh$4I`064ul&FGVSTy8Bul8J_sAys zu}KBCrCF1fX~Cr9ug(qtGRc658~<~hl*a%jdPWi#k00NX=bJ>#<9$$ykjEq{^~`#< zRDV2{X<OU6uFViEdUukmet-x*}wK5V ztuf+aww+8|EsT{Lr9`yWS-T9KJh4YYp^Pe`5|t#bltr~l*)qX|U}AET{Wkh@_(ud2 z{ot{cm}Hv~R|?T=>1ts-6Gbgq$tK|w{vLP2KgXn}!KA;v{9ArYh@lQ7I5+9WyB0rD+ELlKMOJ9fBJ#H<~H|EIs#r>Ct zk<|wu=h*9KrXQ6cwJ!pZFh3S?9uE$w4debnt>arf;(7=nJAE0l^-8&(W$>9~lwqRr zOfgwvt`?@Uh2)4N&G}VdEn2FllC?==DPB%wOX=0ZShSv0DFhRtNs2>FniH#qsm~Xx zvV2OOK_{X5GHR(HC7OhnH@%@H2R7*qFzK%c&*Ha)h>yz_kn)HZ8N(YQ1LETGzupV` z4*ifkifms`%%f0F63>)ydb~s9@dk{C1m*F?Pxz&f__se!Vz%(0&U_9mqEejpO^SiyOGo+S=mkMH9CLGAxt z%_Ba6PT`pTnq*E;;8ajBkqzjao|eQ)r^^%^4zE9B^rz8RX851MqNnWer!Ety!14qR zeMn~xhR}0$FZ|DDOq;y&kXnPjCzz;C>Ffbxz!W#O&=cH&TB05#niRz*-N3dqYtr&0 znDp@rKjOE9h=PYsBjphSM`)4j&m~;e8`sjHxza>Omwrmk8 zk9d*M(~l%B9{=c@U*i*rdHflaBIJ?5>9Mn=2IFxA#v_LE_`H-W1^c2qmLT!(zrTo- z#|9?qMiOC!|MP8*=t4w(9#?FeAgHDBTB&y}%N|%AgFJqMtp4{qIrau%yO7%Jfk?<> z6X)?aEOF5PC%Au5JM}P+xB<;vj(jm7GgDbrnJUL6R6QA|awqZh`!~gE3d?GQAx*w88m}%kkSlCki@wn_p7!M@A_uPK2)GaW=8<2Qs?Q~Ke+nD&d 
zkwh5b{|Ebl{gaIyI}wqe$H^t6y>=R}m3kqTJ+S)5;{MBS$5vm?vEKpqPNX&jL_!`r zIFAQd;-LTAasQz9>;J|hzEjrgTXCb_?YA4!T5-^%j^rBMhRv^08Crsgk~3phr()r@ zGi%Bzn^DLZUCbAZ?tn)jW26aHsG4_DEo07V%xEb(6W3_-ky4_l);6>akysq5G#N_P zaq6;OyOdSRHdM`AAmoxV~uYvR>pR$-D_ zYMye|>u@I`l7`2eEGRW%t1g|f=VFbl*5(e&%MDjugj#x%Y!Y6g^|%e-L3)r$cVUyx z=eLB2if;)>dBls1-fGq)9uZ916yXzzc|7l4(g-s*;q(~TQiD9+1>^B!B>vxK_@$8e zcdk2=l*gMfQ9F_d;{U{*PVcNkX4diZc<#hmr1xvQR_YCH%pUnMSbZN>8|Bo({^L%3 zvK0X$A&+0gdHng1+WT<-pjK|<5x1ryxvpTs=t$?xj8+*8R6=Q^P0Z-)Dsj;Tp;5^! z5>HZ93)cgwQc^7PFt({?rJ3nY1ycEZqEHMnrnXC3(P-nLT(ObqRs<7Kk)_3C-O+f- zr(|pmcQlu`=3-KpBHF4){1Rm&@2$p+QH8FMP~!c^H_0a9C0dW$03M_VOuBptGU+$m zmg-Jq(pEI2FPw1}DUW!O(NnV~@rYp3*SXX7K9QKmlz=qC%m$nuiY?X8*FkY*BG#0Lc|#$67qN}&f}9qYFFU?L2dN9xx`&#-J(_OWRw!ESr;&CjZ7nC zR+{uSh1XT^+G0V$gfr%Lc)c)Z#&&<19#TjFuDvB)vnhxF0Hn!K`njdb3~Ky z60OH=01wiGOq#|fIr%LiqM9OJpTUcao`N-rM+B3;b~m4R(mbM4_dzMbdge!@@pv1HSMf_B;=F~#>od1uqI@I~#Q*VKjwqj*-ZjS0W9tX=2x@7(RvO-zJ@PhK zy&b82=DQplHo|tvk=iGKNXX;uIFFAHsojqI2etpiy?S;b;`)q1<mnzg{sp%l{L2<9(Tr@ve15`%WW;nl)khi0#^s|Gj_()@wX#wy`Ro{ z98SN*?UopVB{TDoPLXcAtc z^|%e-L3+TXl`>?~fxqxfT91gAJv5IrKjKA3Ps*CaBZ5hHC^_PF$RuJOpMp|^JboFc z=W4c8KaVSAFdiRc@!V%acA-+&A@SGNP9eQt{~t`0j3k2icex#uUEe@NejcqCk#_HC zyjD74WApgFOCp<(8wL!Qz|zQb_#U?-8#TeiaiZM-oB&AC_}O*niwLXa5niA2^lp>Y?#k zX?SDy=x4y{14!-ums$31A+Qf4;(7maDk+b5;5_acQhNaR4{9$sJeRmz=n#oR)sRRW z*U`Rulq&dheny)yd*m{&%vg0Q+XlfzAehw#bKY#LYqz8Wmae;03Fn%*pg0<`ifU8- zkXG+D<@4r(BU%x=i#C-rBJw9pj8)vMWhzY5MAIfJY*fXRm5yM-oUr&)O}R+dNtw%G zDQf8jXzAor42_p)J#GWIpB`k=6((%brTmr<(LQ}DX@0y3nbZ@pCh>@1(#8~@NX+A} zpw!95Ghf5$QL?4_dAz~|<8dVxzlbZfbY^PEjdnF3IKDq$<*-oZ+HaENf@gkwh>#Rgv4m*?7QU zaOAZ~3u@^S5z!>PMC)-Iz=QN4lh6mKd%v6=0A$i_i1??gh}UN};5@EmP2v&3q%VKM zH;I_X?@W@!Gn;UFWNfKH9uLBJpij*7e)&CqDJ1@-4^AV!Uw;D=FCR$+@$Yae*4=xM z9sE4Le%C_6tB1Y?8#A;qdsGirzlqhJ%Bg(^*n5!L)9+qL%Hv&#c;F{PYT?uG&_Ae^ zczDEjqB(PbvUn|7_%xqH9gj4Ed3z?1u_sbhQ9UdwTLXr6f~K?XgjO32n(`e@u@F}{ zMWJphTXvWH5!%@4(CTJBTr6hgT8$#rNg7RZIb51%-1)H2Ru;9KZGW|!NoKTK+C>>` 
zsaj(ynrpX8o|3Kqe!T-)I{6es<0V>;+W;P<2TZ#1dSucsuI0CcOxknLLel(*7a6_F zSd(}}FzNQ$kRaRNA?ESMZ;`|^cjNSk*;4&HUU@x?$9gOt`tI*u@5ZH&_%E*~UZ43U zCN3XI1o3YjVTpUrLE`y&d~G3V_nyXUrQwa)qwB%y3{v~^Z5(^u%=DgfklMcikuX2r zgY)>KA+;IYKd9Z^;t|)SGO}XL?Wu+2rflA$6=|tlz*%&KO~s-wlna*Z=1>scvYQ!= zwwyJViq>3NQi{tf#VK>aSycN~dRnWJxX{;b^tC)Am)c9tjv=a#IWq1@g-Rs+-khTB z7o~y@tHE1$!j*AD)G09}TS=QOhg$mHBBDuniPqybfCuS8CLKa1J@pa4B}9~*PP{&Y z7a6@}tVui~m~`7}K9QKm0+c%Wi;4LbPR~_rsX-nO!FV*V__z3_kof0coFL7Q_hRDG zkwg&x=GQnP>_6^V$Is*V2GYGRG+rwWZ_FNTfYpD&YAKGr71(v8_8K4(^0*o2@rOfd z|APAmweC-O#I0$2x**CZBHfPKqZNC+t+w6dF^V**R3k#EY?WM0q4D|iuC^tYR8fsG z-Sw9o;;Of9*O(NYHhc7@A)FEVB8dO}N{)CC*}>1_3b^)j@>dUy*Gj`1vq$d)t8YeXpZpJweH_>akyD zGJ{B7?YJxHxJ~KMtC?!fU+~#7bVwR>85(Kxl+ES|i0fr4TQh0Zdbn}PRhOqL>VPvA zS2o?gl**r$>7}`<)S|8_JQYn_rjB$`OTQqSgqLVNZUcCb9%K@_VXgP1n%@#4It~%9 z7ve=mZwYG>j|e8+G8+alx&CgCMokJ|tqqz9SwRbycMR%7oSht5pyySiZ?R_9bM_#Th44qrBHj7agklDfzRAhDvwx~%cNCqW7*p2 zq@@yVl~!vl`L@p%XW@+e zq8ae9PoseT?O&x7%J9gF9-mS)A@0$1Q*k&GWFyqK52IX1Etyl3;XIwJV&Li`uj)RO#xhQCi_F zr=z-r&ecupP)mOxn}nBWJ#GVdkRD{xR&3IR{FV^WO1_^9FEV=PuqN?{VA4(3^NGYf zeuaEL*T3NOT*Q_d#)l z@LK7FjoD*h^+QPQV_A+}0XB`)t{~sf^#h#8EkkM_!u^BVEVqO77$Q~z9=S$j&_*SG zhZJ(6D{Cw@RXSral=Z1*&F5CSqsC^Ineuz#gA!C=Dx?plgSM7OQ?VISdBzj=m}Q-E zIm}ptHFu?|b(+%fyrg5Yrvjop<8_BkW-I(jS@SY)g$k$gN|CQZMdE^qVnSR^g-}bI z$R^<>T94ZR9;63MS|vgz?fn_gqzWQ_$xFPS3okNyXR{{ph+xteWOi<$d>Boag}K0mSd-5@jp0G{QVaYug^S)iD!)@g7}wx9Pt4(!u&jX$@g=82eErY z8?(nw2dkA>t$<@c3+xAw)ny^SF6PtrGVSYA^f^kNB)Mqivi0)v0Po9$;b( ztu__0H|?U5EG-qQt#w?eV8WI) zTRfe#hAB!iiIk+8Peq%)db(|3nnotol64ua%516mDk@(st5?arp_Ij+R20pqrTfVy z;U!v++W_vT2b;7TnY1U)ZwV1^g*(Iu@7H*d(G##H@rYnjcQz!*_GgKC{44QhH0B|k zp7YsKgFNnr@mP+pxRXN)9*_=6vF#7~iUejc9^lJ54Q@mgtkWA@l` z$Rj@6-MyVM-Xw}O2%H2=bQzZv0#p< zYEGLk4XbQrORKG#Y_2w~k()h%Vl>>0H^X%*=rP-s*0iqU%`ncSlBv?+YNMkyS*o6J zy+tY1ZM(`9R1|dGQnf12w=|AU0N%2#MXi($S_+ATuOv=UN@vBKDrY+Fq$=ptpq6q= zi6(s)wbbJ_fCuRTlf)Dn(%q-=Tf%ue??J+>D7c45hIZaat&{F5E~u0_Nbf%qfPiXL+hEctuP zPjDz79Fpw9CV*tYd>(P5sVT3i^`cOx>5=8(#%h04-L|HRlBzb|bp(>tw!Ul7+0{9b 
zS(k{y2fgzZb+CzVR?t~Iex|=`P9L}3JID%hV;^#3 z=Ptf>M0DM{aI6M4pvT+;yOE&pN5l_~ux{{(;Kt8qBk?r&yOEzhxk4rD|8o?=Y9rZ5 zCWO(t(5RSFsHJ*JB2)H9_+C&z2<0Onv4F_C*k@rcmV8UM(+^dTa;{pLXyDKqJIANu>){h^)NV?}TuPmnvl&v8Ej z?uSTe)V7H5@}cp9rpKLL4BYP%kx~_(D3eLypX)*Y7KpBs?3;TV6gauLG(JP`acAg* z0$;$AKQrFjaW}sJl6)7D$UKV8dz9KgSyH#h%^isu9{k`Wdl2iJg{M&$xfkAfre1vFkd(VJ3JtuMd-p_~s;X+2*u;xk8|NQv(w zd*Z3q*Hf*}K6vTISLHL}n<){7%SC;odZDXd(*mzZO5C7d><4jT*qh?76Z+Iv{Swua zA1&n5=wAZS@6exL$olh@ee`qv`EJ&qKfMtB&6N1k*9tiibR@0kOV%Ia_!l$c%eN#x zcK zE{O1>RP%dZFXX-r#HRIp$u$4N(I->ljkj(|1Y>aND;J4yy?k(P3<~+Qq0jWmF4JRr z)X8^=QOIJY4A;t_oHUUGv3GiMfQo}bS2}I)(P$4R32A^1WC`a9^7KRtV+I_EonRPhHde+qc_?t_1Hp{MVr z#IHYpU+$B@w6vZtnRor;U(Sfn-IDm=rFVbtANRzE9tETEE{8JRVq4_7!|OX;cb+^O z`o~Yke)O&Ta(xgct>;S?4Lf=|8~edN+R50z{3$T@+jO;j?T^o*9p3odLyv-iDZFD! zd&Q@IpAdmN(khCaJ5)z9#)%&l|~UN zSJD;E>2a)@`T;{67O&$d5qq=ks1r_gq&JK$7#TWK4i^>C7|ZgQhN_jus?#B@|M<@y(e}Vdl|tWqtmvzresnd>MF$xf zG=ivmfrK50L2M`4Y*3R#)hrKK^jOibUH#5K9V}EoHuS{->1)Bv_RYiMRE_mUt&krd zpl7H9W_DOKo^~VHF{)NNk@m5(iFED^7|uf89%8(>E_Wz1KtbtAvPH^fdc=T#1dF2_ z_{6MX2<8+h_!whG9P_ zPs{#_^z;8y7fU7(yFEhdgGFrCE#RA#p5m&aG;leTqcF79A%r!9 z3T7W$I~ZY>aZKR4m>J;sS|f2m<_Hrhjp(K_U+$J&xz!-ng}l#OT+^6NHoQ&G>njyN zDbI09VJOz%q%v!aBZo)VG<~5NevV=+{C0r#ayyY=l!V7stcgJk( zJ5p;XD6;Fq1}`upNn^!^Kk6*2Hep)MGMJ!Zf=Xi-58DiEnINSICn+bIv44eKZWmCfO||c-$y?eQ;F+X3L`9SWM!f;p-(xOuFq= zxUzQbq2V|)*Bd4Dre6tLh&G;kOKTSv@+!ox6I)OGQ>XE6P3pT+H_iOd-#PPtEX({qxtRGEohhKy_or@qe7ma3Oz{zK2MRzP=;F<+f*7O->NQF&aAZ*t=NxvM`p#K#zZ5((hUR% z3)_7Omt7xQjXZRy3w>=j=P>XHC)m=G>=P)ui5IOtg6vur(dZ$Hv+YUlOj4<65;@^? 
zRUQSg+3+kk;)S-&tb3whNd`;FWMAljyY#>;D&YZ!HI8?itBGKQf!PbAZ8d_#C5gjuZ8hCZ#yVZdCriC) zl&W=jBiF{(6z`E8leDSrkW*Gf-w%-q&Q?bgYe4p((l{DJB@Lqnv5LC#Tuu;+5v#BS zlM!Fv5QY43WFw=wWUqG|YYy3+;D?j>YCbBd;|{cF%VPu=XvbmPo*I?}uiM}iNS@J2 zr?gsFVX~qribf}7V_FZlg*-E3Wn)!^u&u!alM0)dNhfBZI;5J`GU6pcmzh3N_Y|03 zmBGbKl_NtU?v-V2YSRIUd(H7!cbyp=mkRk#W5=u*5r>y6xkU1q|+I1<5` z47vfd<~MS*vvdnVs6I+`jm5I9&Npjc^t%JnuwZW?h>LNRwjB|H5OhA|z5ayuyuo-r z@;PQa0;909T1a4%zSo%tWnZg?UYl`wuPHZh3Tc%4>9LR=SFLJ=^Z6~I;?tfbC?PtV z$ za|%3RO%+0w1l9~%(8MO`1&dPU@=(L6ZFfaO7&UJ6yI`F{nuAVvq6<-eP{*xlnV$rK zIbofx3lmT^+6tkmb?ZI6nM8Bh9ds>fTp9I=rOC9rU2#~71Jqv7ND~J;w0>MQ!{(5m zYW0;cFdDK6=!cWz>MhMU3i|8H{y;HY9{jqLoVaZjfM@2*!jC9d0Qk&>G^a zMt_-1rpsXq66#>~ZkM~YTTwVw!6=ZOM>-J`LEK-JX6i=i`@6b~>;xjzydBl#J5zr(|yn@Gk5*Nbf5C`zk4C`zm^ie z2Z*c7xvbv2i@0nZKa>(*2=~O3eaiZW`+Lco(M2NajMt*mcPiaBYHH2?%7Yw=p(2V= zBY~_yew_jDI?A&Ii<+ei#C{|k#fv9DJG`B%&tKa*NPxBu?TrT5E2&Mt@Xuv7H}9 zRcGDmZHHhKIv!G?MyxxV4g8XU*7=Yz0&Ba`8za6&ud0hC4vn`f5q7{1M_x5I9m6X} zh_>qu^=O0d2#jmaAqJbN;91TIo1<0s0E)4qTqhR}YntZK(f_q4IygvYVg1K_e}eyfG+e?^6!bjW}GKZWBE&MoWFE&x&eXEH|6YRs~1PaQ$R|{!O6Z_G|U{ z;Z(urzqnU$va)uMfR*))v`_bf*G?zz6jB8bXFL8c|NdP$8gwSD=S$Y7!{cAgh%eoe z2>SGlbw+$VB?>Zg`X=FD0QdGvk7k)yPwly;Uo6hG24B6mw-s`Pixh))2ekHc^Uyv<78$F};3x&H|Q++Ol=F|*out +# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p service duration < conn.log > conn.log.cut +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-diff conn.log.cut +# @TEST-EXEC: btest-diff smtp.log +# @TEST-EXEC: test ! -f weird.log + +@load base/protocols/conn +@load base/protocols/smtp + +event smtp_request(c: connection, is_orig: bool, command: string, arg: string) + { + print c$uid, is_orig, command, arg; + } diff --git a/testing/btest/scripts/base/protocols/smtp/bdat-multipart-chunked.test b/testing/btest/scripts/base/protocols/smtp/bdat-multipart-chunked.test new file mode 100644 index 0000000000..f72a94d1ac --- /dev/null +++ b/testing/btest/scripts/base/protocols/smtp/bdat-multipart-chunked.test 
@@ -0,0 +1,19 @@
+# @TEST-DOC: Multipart message transferred via BDAT and many chunks of size 129.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/smtp/rfc3030-bdat-multipart-chunked.pcap %INPUT >out
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p service duration < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m uid fuid source depth mime_type filename sha1 < files.log > files.log.cut
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff smtp.log
+# @TEST-EXEC: btest-diff files.log.cut
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/conn
+@load base/protocols/smtp
+@load frameworks/files/hash-all-files
+
+event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
+ {
+ print c$uid, is_orig, command, arg;
+ }
diff --git a/testing/btest/scripts/base/protocols/smtp/bdat-multipart.test b/testing/btest/scripts/base/protocols/smtp/bdat-multipart.test
new file mode 100644
index 0000000000..b46c2d0207
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smtp/bdat-multipart.test
@@ -0,0 +1,19 @@
+# @TEST-DOC: Multipart message transferred via BDAT as a single chunk.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/smtp/rfc3030-bdat-multipart.pcap %INPUT >out
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p service duration < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m uid source depth mime_type filename sha1 < files.log > files.log.cut
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff smtp.log
+# @TEST-EXEC: btest-diff files.log.cut
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/conn
+@load base/protocols/smtp
+@load frameworks/files/hash-all-files
+
+event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
+ {
+ print c$uid, is_orig, command, arg;
+ }
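Review bot: Every test added here replays a well-formed BDAT session and ends with `# @TEST-EXEC: test ! -f weird.log`, so neither this test nor bdat-multipart.test and bdat.test pins what the analyzer does with a chunk size it cannot trust. Per RFC 3030 the size argument tells the receiver how many octets are message data rather than commands, and it is sender-controlled. A companion test is worth adding for a non-numeric or out-of-range size, or for a connection that ends mid-chunk, using `# @TEST-EXEC: btest-diff weird.log` in place of the absence check. Whether BDAT.cc raises a weird in those cases is not visible in this part of the patch, so the expected baseline has to be confirmed against the analyzer.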
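Review bot: The files.log cut in this test, `zeek-cut -m uid source depth mime_type filename sha1`, omits the `fuid` column that bdat-multipart-chunked.test includes, so the two baselines cannot be compared row for row to show that chunked and single-chunk delivery reassemble to the same files. The sha1 values already agree between the two files.log.cut baselines, while the fuids differ and are pinned by `btest-diff smtp.log` anyway. Using one column list in both tests would make the data rows identical, for example `# @TEST-EXEC: zeek-cut -m uid source depth mime_type filename sha1 < files.log > files.log.cut` in the chunked test. A sentence in `@TEST-DOC` saying the hashes must equal those of the other test would record that intent.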
diff --git a/testing/btest/scripts/base/protocols/smtp/bdat.test b/testing/btest/scripts/base/protocols/smtp/bdat.test
new file mode 100644
index 0000000000..d5fb94cb40
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smtp/bdat.test
@@ -0,0 +1,15 @@
+# @TEST-DOC: Reproduce the first BDAT example from RFC3030.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/smtp/rfc3030-bdat-example1.pcap %INPUT >out
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p service duration < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff smtp.log
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/conn
+@load base/protocols/smtp
+
+event smtp_request(c: connection, is_orig: bool, command: string, arg: string) {
+ print c$uid, is_orig, command, arg;
+}
From 00e7977732737214120d55b6530d682677eb9516 Mon Sep 17 00:00:00 2001
From: Arne Welzel Date: Tue, 12 Dec 2023 19:25:43 +0100 Subject: [PATCH 2/2] btest/smtp: Test with smtp-bdat-pipeline-8bitmime.pcap Not sure about the origin of this pcap, so adding it in a separate commit, but it seems a nice real-world test case. --- .../conn.log.cut | 3 +++ .../files.log.cut | 4 ++++ .../out | 9 +++++++++ .../smtp.log | 12 ++++++++++++ .../smtp/smtp-bdat-pipeline-8bitmime.pcap | Bin 0 -> 16705 bytes .../smtp/bdat-pipeline-8bitmime.test | 18 ++++++++++++++++++ 6 files changed, 46 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/files.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/out create mode 100644 testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/smtp.log create mode 100644 testing/btest/Traces/smtp/smtp-bdat-pipeline-8bitmime.pcap create mode 100644 testing/btest/scripts/base/protocols/smtp/bdat-pipeline-8bitmime.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/conn.log.cut new file mode 100644 index 0000000000..48ff15048a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid id.orig_h id.orig_p id.resp_h id.resp_p service duration +CHhAvVGS1DHFjwGM9 23.128.96.18 56074 217.146.107.83 25 smtp 1.324926 diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/files.log.cut b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/files.log.cut new file mode 100644 index 0000000000..0b8e834546 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/files.log.cut @@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid source depth mime_type filename +CHhAvVGS1DHFjwGM9 SMTP 1 text/plain - +CHhAvVGS1DHFjwGM9 SMTP 2 text/x-diff - diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/out b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/out new file mode 100644 index 0000000000..c867091b99 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/out @@ -0,0 +1,9 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, T, EHLO, vger.kernel.org +CHhAvVGS1DHFjwGM9, T, MAIL, From: BODY=8BITMIME SIZE=4333 +CHhAvVGS1DHFjwGM9, T, RCPT, To: +CHhAvVGS1DHFjwGM9, T, BDAT, 4404 LAST +CHhAvVGS1DHFjwGM9, T, MAIL, From: BODY=8BITMIME SIZE=8546 +CHhAvVGS1DHFjwGM9, T, RCPT, To: +CHhAvVGS1DHFjwGM9, T, BDAT, 8757 LAST +CHhAvVGS1DHFjwGM9, T, QUIT, diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/smtp.log new file mode 100644 index 0000000000..a460b30967 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-pipeline-8bitmime/smtp.log 
@@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smtp +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth helo mailfrom rcptto date from to cc reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent tls fuids +#types time string addr port addr port count string string set[string] string string set[string] set[string] string string string string addr string string string vector[addr] string bool vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 23.128.96.18 56074 217.146.107.83 25 1 vger.kernel.org linux-kernel-owner@vger.kernel.org trafficwatcher@foundit.scootmail.com Thu, 4 Mar 2021 11:38:56 +0200 Andy Shevchenko Andrew Morton Lukasz Luba ,open list ,Daniel Lezcano ,"rafael@kernel.org" ,Andy Shevchenko - <20210303163125.dcc0a086a939a58ed30750e8@linux-foundation.org> Re: [PATCH 1/2] units: Add the HZ_PER_KHZ macro - by mail-pf1-x42f.google.com with SMTP id y67so641134pfb.2 for ; Thu, 04 Mar 2021 01:39:13 -0800 (PST) from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A02A7C061574 for ; Thu, 4 Mar 2021 01:39:13 -0800 (PST) 250 OK id=1lHkUh-008hPw-NY 217.146.107.83,23.128.96.18,23.128.96.19 - F FnJaFv4OCDjqLe4uN1 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 23.128.96.18 56074 217.146.107.83 25 1 vger.kernel.org linux-kernel-owner@vger.kernel.org trafficwatcher@foundit.scootmail.com Thu, 4 Mar 2021 10:38:07 +0100 Alejandro Colomar Amir Goldstein ,Luis Henriques ,linux-man@vger.kernel.org,Steve French ,Michael Kerrisk samba-technical ,Anna Schumaker ,Linux NFS Mailing List ,linux-fsdevel ,Alexander Viro ,Trond Myklebust ,Andreas Dilger ,Luis Lozano ,Ian Lance Taylor ,Olga Kornievskaia ,Miklos Szeredi ,linux-kernel ,Alejandro 
Colomar ,Walter Harms ,Christoph Hellwig ,Nicolas Boichat ,ceph-devel ,"Darrick J. Wong" ,Jeff Layton ,Greg KH ,Dave Chinner ,CIFS - <20210304093806.10589-1-alx.manpages@gmail.com> <20210224142307.7284-1-lhenriques@suse.de> [RFC v4] copy_file_range.2: Update cross-filesystem support for 5.12 - from localhost.localdomain ([170.253.51.130]) by smtp.googlemail.com with ESMTPSA id l2sm6127295wml.38.2021.03.04.01.40.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Mar 2021 01:40:18 -0800 (PST) by mail-wr1-x431.google.com with SMTP id b18so20376314wrn.6; Thu, 04 Mar 2021 01:40:19 -0800 (PST) 221 scoot-81.wizint.net closing connection 217.146.107.83,23.128.96.18,23.128.96.19,170.253.51.130 git-send-email 2.30.1.721.g45526154a5 F FF6Eao4GW4grO0552g +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Traces/smtp/smtp-bdat-pipeline-8bitmime.pcap b/testing/btest/Traces/smtp/smtp-bdat-pipeline-8bitmime.pcap new file mode 100644 index 0000000000000000000000000000000000000000..73ad48a78f5776eea3ca8d1475fd949e74970eb5 GIT binary patch literal 16705 zcmd6OdyFetTA%OiJlGyJ8IS_ALP95()o>@iW!KAg+0#8~x8Ln&`_b+8XmqDsRd!Xo zTve_rKNT$_E$~PFAczn}ixx7wclHJB%-)1ZVY4hE3nWTJ67d?)B0-cW2oNhCy2}FD z-F)Yi-7dQy_YOlyTGzMB)u+Dmo$q|-d;Gqye*H`T>SIp?o(!yio($ZAFXm4jy!Ot= z0)ZpA#-DmKAbj+X|D>4sH{bUUz9onJ1t4mYw?tf8EFTZ@uq*&tS^m{KT5FN7JM4Q4RzS z0tZijD2=IN>VXe@dFM}``+*&x{^lF?5&FU>*OXr-6b1wIAT@MnwHCjuXN>#La8|MHbB zUZ2IhzW#jRfBfA0Jc=(A?tKvW{4cn zA7YpYYO3SAh~`mQv=K|Q45H%+o=wm(6r|y2cL#`}h9wS>tU0|Qr1<=;ukQcM zCdEv?R7I1%VuuEbZ76!kwEG_CZs!@;1U&i*f&ckie?bKP&$a|^fxtgc1pexUz(05Y z;OpPbMy?ikUeR@Pn*sC+%Y_(L2*slzMtBt@3{N)-oeYYwJSzx9=x|FoEHul7a>g4_ zE7UTjLZwj2t-s$(RV$TDs_ETHAH7?RiM?(3gjEgXG%3s zAg|c(ziBH!Mg;$pTY~@mpFa14Vc5!t|MoK%g8vL`<>&BLew+LLz>ho|AfN56eD?bv zd>m8!m9r};K7Z@sfB4EK#d5MxLRs4!CiZmA7|$qgM=5h^DE7hD9>0tZtLd}-l>`x% z?mo|P-0n_2RcoTAnb>n}vDee2spv|e&<8zpY{;4$BIjl(YI;aAhcEB$9Hx^^#Pe`M zO34ODx~@oyHc{jRx-%5dO6+szGfOn&-5s?2(PY$MxmYYt zC%bAYeKa^mcdD4n^^iTgCkZV3(qpmw;!EoX$>H{&Z9c)%2_}jtI)c?~y_gR*9Zse1ZDLYYR0p@P~SBBx`K5C z>%ldDd8JUBL=$Y3jwO0Rmrn3Pluxj90t{^L)fd+b1#P)jcIZwGMAy@1FQTsd#QqKV+VDkJ@|7+Y%2Y$^8=^b5l?0mXGcO@=-*!aGQAIWqeF;hX zwxWwOMGh~2`woS?-(Q{Ymyom1(oB@0*@$n1xCCtt@Oa-8Is~8G=s7g zOP^D&nZQRTA&ah(7%Gk<_7zH#6VAAMu1IdeHP=f=2}$x%@2dOJNZ#yqv+YW4m{*U+ zmGFRXM*1g%v)19L7M|0ctll1!&*#-rX5athzEkI;qkOz?_xZl%f&KNgdoyLTy8y`%QBQx4;+k-}g&7Bmi*g#^=^vU7;#7C~;7Q@XPJr%<3 zqjEQTG;T!%t5rEOnR=l=IVvBk>S>AY&7%A~Er^*|YEZF*cGcl?=BY3Vmy#tq?;|%8 zj+$~cZ&&hlBkL;W$z06kPt*D1NKC6Ax)$4Kb?iRa8$?nvR*NwwP zba5V0edIK{aW0<38cu{g*6YrBS>ckcj?F~lTq@oyWX73+S!$(KDbHMy?}uYn ztevipQn7L)ovo$IK5`vF>F@9F?zE{Ku>{n6R!T-;Xc`;aYn5_F^@r3-*BqB<-n-FL zANyCU?BAZA7Q<{i=H%&yOPL~^JXFg`*XZEQiMcIbRA2*w6*J+n@yOyDQje?+!hGx`>7dU#D9jEJs zOg}hFAD2_%+$3tL_V7%K(W*R#cy;A(A=uT&wJKfa2AV3@EP-C+I>O0JC_3R@rz=(t 
z=dM^V?078c_VN>3j<{3SX{V3q^SE)6ZL6)|wBRGRuqVk8eL8gylX-^kp0WjLW|ce1 z-uP_fmd9zXKdk4u&Y+V|N{brTnNLp+O9M5NibqxMEanI;CgLL(EmZo#!VGtFqRHus zwQz&>X<;@J>hX3fch2OG>3M}~j5Jq@&*iGpVN-Fve0rFz)`Ep-j&F>MVIMhtbauSd z(;-z}+NlQ79h9sl%Mp%K*;ZjO9*kohr#!Nwh54{;ifY4J1p5m($3aQ&44GLcvdE02 zvTo0O9$!A5QCG%D+av~i~&AAdOR?pg5F6%H^ zN??y_H7a%@w)jP)Iy$t^(snSJJB~~bh>yGQbQ@$w<9-}R=;sijukzTftTPbc-})L( zg8pk`GYR^^@WcBb-GP|@xi9?0DhYZm4oT2wFvb526yJI}Kt9_s|I=?gcoWC`zxvW< z%>PlyyCI8!nEy*Vn=$_=bx%3ZXK3!MKh_#^s%<%)lW3odQkKG@$&y5iv=9~JTwII@ip;^b(u#n^44DK8{Y4jC{ZilsgQ^oR4|&3SCPs1= zFg{5`o}-4UOd#Db1}55rEMOjTE^Zw7_bQEzJ3O==?yOF9Aq|W! zwM34Lne%+HmMrxSo6S+iZ1*U>nv_ebV{l2Tx2R3Iva%mj)$%3L?d~*|0Su}G1FzJQ z%~T#SVfIxtHZ<3PBP+|uRTY%)+^c2k_lo%rgoct0;SLrS{(*(s$`qAN+cgbX=D-?W zC+L*qJ(4Eck4m2QqrK}-!`-!QyA27PsOSgl)c!WwyL9hm-xF7Dfvs(90?~*N048u4 zaRTUjx-=e$&H|Odn?Zz4zJzr6av<8n?Xjk%7!cDt?jvIH-JO&Pa~UqxoLeAp$PV4G zrHh&YF{~=uj^gg$hIE}0Ztw2YY{)%j9Ec`RcdQR~cS6nZ;B*xlLPsT!W@VN{5}>j6Wei`WFmpk(>+w-`-r6Et~u=Vb&WPZb$x z@hGcwJ(3KK^A2vQ&hO@kToB&f357zK<(E-Xcg(wJs^Vm2pkOT>A_vk0fUI1QuJex& zswjOp=o3)i1=1X3sdGn@L|vcb=MB?v6ocFdAynuA1z7Xgf=zIcV-6K0nX*EzrWgZ5 zT}2Ydj)F87O+^REiikywNs*+;KR4#a0OkM?y6e#;vT%Yoc#k<$ z8aOy_9p2C$$Urw?4fsF8Pm_pf2<*8aC{KQn9l1Kl3sk;ui#oC(g)*_>MfO-%mINIM zn-7rJ?oLlPr?3HcLET;8iZEc9E-)dfggYz+39|=C0dN5Ff~i!~P#l*qK~ZRT=M?|- z5N?4@>x(u>ZFgtO6nGfeAKdH@|C0E_`elFk@d^0De|VKY{KN;Jy?`^fJnR#JqqqKw zP>f$m@p+)Qgfm|#y!L7AVF4&a)uM;oB_&C*Tm^t6?05g&A3Ym*9UxQuxipXc)?br( zp4*xy^YA`!j_3KE3s3&#dxQ!zEVa7H3xDI_$VgsNAhfiWiIDdu%sU`(Z(Uc*g@U0(E$7=kL z8PzM9L0>y7M-;wp%;<7!);#K+a)-gwY?3#!yeJfM%<(4bI2fI{ou=Jor;HWU&Et_1 zbe*ZI97j8l!?szoU!skkmF`UI_K|L8AU2L3Pq|6AwJ-+pRCowACXyQ9|0YQ(7z=Bh zo9a7C(a?%ow!>sIxn`u*(A=sl=4ZkvDC>4SXVHfc9rW4x*ffjboXCyK5i>S!ochR( ztX4c7vx*(NJu4MOp&YMg3h8<2yl~XvV!>3sB@7mVUe7sBzE~N@j@SV+&I!3JKdTCK zy_24(wvSw|duGnXY%9pJi%x#tPPGL=3Aa0^^jWxh-kz(%^mIr|DmT|p3_%jRhpl?t zZjWonnZ=2gE~oo3Uu_2sjys2J{j|&R>GQKvvphadnMYwQpEFvMYW-YjmbhV=j*9$H zt)()}Q`(R!v(a(HQ8L4_$*0&_MGDQTehz^5!jc!Wa6i{-4#mj4I+L5NfgYZB!)}g0k7kV&pQrQV!`PyIURV_6 
zLBkJk_AB;Ww8tgU?bVu{Y@|Ic@e6mxwMJ6?q`^&+&G0Z5lRKPJn51%WN~4`*WYU{N z7wN84=yFMJ6!&qbG-{P#vFe@_yB(JcCcD*nP9L30F|JaQxmH0qvtrSRb<#At;qD}} z(1erB`BW1}sktocR(eq@j(p^FZ4z~dX5Afu{+`#W$)RSC8&)xu>Pk$}bR&k|h?Tke z5CE#;`N>h!T!dXEo2(>{xOsn&ttr)ok6iR@_6R(ZX_-;l6o)ZusOGeAJAOQwPlU3g z7c|waHpl#YQZt;{oHrYNs5Fc+zT%g1?AAwY_NdF}ic_B&i;Z9al8?uQ*whw7Jk$b~2&BLWF+S!q z?d@`wpPB%UFWo ziMZZLd@gAvX(VwSQfHlElwo6RJTe{XAx;Qkh%-cUA%Hh&29^?HVrvz+vn;FaLvsRi zk3*7XL8gem-AiT~_n>@tFPAFc!x4HJBJ>;Z$^T8Vn(9_o^Wlg0Kl{rN^PjHsF;TgH z@QvTV6#qL={KKaL!@R zf$uPUE)|%s2syU)=>j0sm2*hNZ4;$T9d-xmxS~D_4MoF(;-a&G53aB_FPMZO+aS(e zgbympnYs)u2e8q5B7Bc=n(m|H1GmZ=z)gydii&M(&H(KV-N98;`yMHc0XxVmhOLbN zVgR5E5DxG9zyVYwBrAUOtl=tv9%OMHRYiMFk6au$;;<_&QP&k1n0#zG_?XGrN*@*T zXs-_!1Jwf@w}4&W@T6ggr~!#BMvAbY;XAZ`EWaN>6;8CQZBXw>>Ge=aoD*2{TqhSk z^wGcCvNq672Q?M|6UiD#lYBpLyze1(>>u2;0kA>k`9N2?V+q1OKxitQjZ`tl>lh&Dop4{|5`j&?X_G8(6lX@xcGc?KIdhO&Xx15IP0422fMk zyAzti*8|fQC9k!?|5O@-KPgo+pxp)@ki4q{SRR06+mfnilBokCc4%U?f)&ZOW(*|J zJ&;teMcQ~s_T0B21E5S#h8gR5TRvfPweaF!FUJ@2`Tc%zNJ(+Dz0g% za0+yNs`b&HDyavW(X*j%MwGYL2!M@B$#4vGw70(AKDmB&{JG*IkYt}MQ-y3}HCobo z&P_9r14y}wq#76(gp-L+vQUx$K$T&ESI$L^`<#X7<@(*U~&mcBMeHf zI5uu(_*B$g*v347?qGAKfRPWKgKp2k=EhgOc%`0Ap$Y#gK(^K#TmIP2jh6qXh~@v< zrseW6Odv z2*OP{5$O5b-PtJY__JUPg$rKWCG-LKDm&0==G6=#I-uj6KttCc9T9NR@LKoa!TpMz zKz+@n0MwQ#1^aKrhB)xXxab(_^N|P(%|pBh<>xCZUM$NqJPVaF7%lKH+ZFa5_Xu4s zZ9dL(S5!$aDj};ZHnYrP6G#9T`*&LZ@Kh9U8OG+pyNL+=iVa9Qt`g#MLuz}k?*OW8 zoAMY+G#E{fgt!;6@@eq!loSib{XWL_VQWn=rGRfE(!()?>JQWoOlgd-a2a5!MgWJK z=&+S*z(e4cp?%fCR6`+Pi$RWRj&&Ks-4^L!lmTI1vPR1LXc=Y!FQ9!xQr;wbND3L? 
zbjPb2#58l zfqP%VN!!)H`#52NkMcAZhBJ-hg2!?1-pI!dWW3Rj9|w5j9~A<4qaH8Td3226QG3_n z!E$Mj85ww^-$hX1J@Dvwz#I3Np@28|(NTam?$H5&H!g`SzXX>5hAiUiB#WqA&LV#H zJ0OereqR>RTV)X+y4jcfH1Q>WvFS^G_B&Qt#8>K@zT}bdiMN(VhbG>*$BIh4q3a;z z#(=~d?74TZ!o2d;-nUD>e#ywA!VquRR>1M-2*l6MV+J4IBkw-$@Sb}_$U!R1l-cVM zi~0E3%kB|$I4F>>@KFk-N$u5EhS*IIYpo5jfrWUO^ap^IUJtG-Q|Lioxrqr6 zl-^H4ofF@Mfp8709{4;7^l7M~F@VZ3w$yitOTcAg?2lAMw@5X(tGGDG!bHF!d43_K zDv*Of_y@&PFfI5u;U9|a1{=m<)<#f-{xM?V9g?em;6Ye9V!*jVIT%s|h@)_800-X6 zQNRU2CH_wE#k&w7$%?Lc-zjKG-rbQkNWv%z;u<7|ubH}g%^!Ampn#;zP?TXrF5VUB zP^cFXx;;e{dI+MfC=XZ?uy!rw-5ppDx}N;O0ivLz^e!|s;9qeBH>yy&HhX9Y`)OnU zk3xqiQ>iv;DY*8E|61%|@$ML$}c#N5fgwI-q$GI!S^sub-xDLX?78SOu&&8bHv*VtZ{- zm@pe*5igYcM)t>E+@M-dL`>O&Cg%5VcZ*u2U<-dx;l;hHAW@p7;>LKihe zQxNdrSP2#i#2jcg(0UpWf?!(oS~g%|M5Y3Nm!UzZLhLRR!%{UdXdfz|o_x<7Lu?2H zArK`Y6J(O2M4CLDsc4a9UdV^S!f&TD(6{V~3SVO>brpz`)?(r|r9`M>U-G|hw)~$Z zmjA1pmj8=iTxAj8^^r}>Z$tKsh0%q^i(sfw$EyKx+$Lx6_Ql$QB5;OxXQ>llG5xy- zi}QA8b46F}JJ~RzOP;)Z^Mf$2o1eOB{vo_CgE!r$nRj4IFBFY?5%YD`lj|qIm;?d5 zAd0?J9`bct=OO%FNdPzHfK|j2z&$;f0@gQkLwhgfVHanlkw>7tjY72oFGgW$U@d|p zvt_=}9k4Z6@u11>u7HBjv3VC_Zn%>qSOT19%to?SfZu>`-~b;t%s}KS+WH*yzo+50 zBNF&ap!A+zuhxp6>*Du~9GD(2jr6mCeZVOJKr=3ofG$A^zibEe4ZQJ~Ff`pD&*fs1 zjFJ}g;Q*+Dt>r2oSlSEBT~~pA84b=PQ73#%HE=2<+W`I{lkn3D)!=wjSMUEeIX+eYBb;PkqMDRdE+~9)M zsIg_k@U~y~F!ayjtVjfe3ZND!#s$e-T@#vs)~e^J)N&s;)XCc<*wpo41P)kViq0<_ zcwG!Lrzph#5?8tux(%&O8i)@LH%=n)ZiPVi;C;PpwO)po^iUJGQ9p(PvQg|!ST24S za#2vgK6I}+KHhNq7FcQ=Am9$oIiB)@U342OHpoH(FY4Ly+Ym!wum>A$5F>0h;IXio zSYvQ68;ArQxh9?qMw=pEpT`=2nb%b!7qX$%ft;`p7F(Gh&b`Y zlxa{?TLVW0?~V>o7YYvp2Tm5I25ufQRLaq0g(6Je@f-mn9caJ>;6ucOV7cKe7$jW) zjF4bQE5*V}?1`AUNhQcJybuZ;DtMm>GwPASPio$QzVLXYpYOsUV$1*S&)%3te1l{W z<;z*bFZLjdcyLt~@jXEC@4@S*__JM$xOMBnTiBPp^WQdo$uIU+zU1v+-SQ>a7{j_C z!qFz0JO(Upt-#n^1oP$;4g`dJU`&atXb93VKlOKRd|mx*tZ2XW(M?7BB@Ptr9gyV1?+dLI?VG>%LP7jBOz}H^ z;Hf|!q=-M;svAf=_#C0Q^_KRMB7mvC`GqCLWZ;J}#p70?>2aC|x~o+E5?%hm148%5 zwm6LwPQUHe!w*e2>0(a*{=axCU;vl+b7{|Cd;1Bp7vHtD7w^DcBwqgj?8SfbD85jT 
zK6oFvW#Rq!t6r>^px8r@I}^$y5PO=2x1Q45&jj{hX8gIdo;v~1IR5E>(%xE60tN?a QPX+?7_VCr$q&JNJ1L)>(v;Y7A literal 0 HcmV?d00001
diff --git a/testing/btest/scripts/base/protocols/smtp/bdat-pipeline-8bitmime.test b/testing/btest/scripts/base/protocols/smtp/bdat-pipeline-8bitmime.test
new file mode 100644
index 0000000000..2b04bbdac9
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smtp/bdat-pipeline-8bitmime.test
@@ -0,0 +1,18 @@
+# @TEST-DOC: PCAP with kernel mailing list BDAT transfer.
+#
+# @TEST-EXEC: zeek -C -b -r $TRACES/smtp/smtp-bdat-pipeline-8bitmime.pcap %INPUT >out
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p service duration < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m uid source depth mime_type filename sha1 < files.log > files.log.cut
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff smtp.log
+# @TEST-EXEC: btest-diff files.log.cut
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/conn
+@load base/protocols/smtp
+
+event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
+ {
+ print c$uid, is_orig, command, arg;
+ }
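Review bot: The `@TEST-DOC` line at the top of bdat-pipeline-8bitmime.test names where the trace came from but not what the test guards against. Judging by the file name, the case is BDAT chunks sent pipelined with other commands and carrying 8BITMIME content, where the risk for a network monitor is chunk bytes being parsed as SMTP commands. That reading is inferred, since the pcap is only present as a binary patch here. I would state it in the header, e.g. `# @TEST-DOC: Pipelined BDAT chunks with 8BITMIME content; chunk bytes must not surface as smtp_request events or weirds.`, so a later baseline update of `out` is reviewed with that property in mind.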