Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

ftp: Introduce FTP::max_command_length

Browse source 
oss-fuzz produced FTP traffic with a ~550KB long FTP command. Cap FTP command
length at 100 bytes, log a weird if a command is larger than that and move
on to the next. Likely it's not actual FTP traffic, but raising an
analyzer violation would allow clients an easy way to disable the analyzer
by sending an overly long command.

The added test PCAP was generated using a fake Python socket server/client.
This commit is contained in:
Arne Welzel 2022-11-15 21:27:53 +01:00
parent ee8e2decec
commit 3f5cb75a2a
10 changed files with 83 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
scripts/base/init-bare.zeek
View file

@ -337,6 +337,15 @@ type ftp_port: record {
valid: bool; ##< True if format was right. Only then are *h* and *p* valid.
};
module FTP;
## Limits the size of commands accepted by the FTP analyzer. Longer commands
## raise a FTP_max_command_length_exceeded weird and are discarded.
const max_command_length = 100 &redef;
module GLOBAL;
## Statistics about what a TCP endpoint sent.
##
## .. zeek:see:: conn_stats