Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-15 21:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

ftp: Introduce FTP::max_command_length

Browse source 
oss-fuzz produced FTP traffic with a ~550KB long FTP command. Cap FTP command
length at 100 bytes, log a weird if a command is larger than that and move
on to the next. Likely it's not actual FTP traffic, but raising an
analyzer violation would allow clients an easy way to disable the analyzer
by sending an overly long command.

The added test PCAP was generated using a fake Python socket server/client.
This commit is contained in:
Arne Welzel 2022-11-15 21:27:53 +01:00
parent ee8e2decec
commit 3f5cb75a2a
10 changed files with 83 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/dpd.log Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dpd
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58634 127.0.0.1 21 tcp FTP FTP::max_command_length exceeded
#close XXXX-XX-XX-XX-XX-XX