Merge remote-tracking branch 'origin/topic/awelzel/3936-pop3-and-redis'
* origin/topic/awelzel/3936-pop3-and-redis:
pop3: Remove unused headers
pop3: Prevent unbounded state growth
btest/pop3: Add somewhat more elaborate testing
(cherry picked from commit 702fb031a4)
This commit is contained in:
parent
40db8463df
commit
88c37d0be8
20 changed files with 217 additions and 7 deletions
|
@ -2903,6 +2903,22 @@ export {
|
||||||
|
|
||||||
} # end export
|
} # end export
|
||||||
|
|
||||||
|
module POP3;
|
||||||
|
|
||||||
|
export {
|
||||||
|
## How many commands a POP3 client may have pending
|
||||||
|
## before Zeek forcefully removes the oldest.
|
||||||
|
##
|
||||||
|
## Setting this value to 0 removes the limit.
|
||||||
|
const max_pending_commands = 10 &redef;
|
||||||
|
|
||||||
|
## How many invalid commands a POP3 client may use
|
||||||
|
## before Zeek starts raising analyzer violations.
|
||||||
|
##
|
||||||
|
## Setting this value to 0 removes the limit.
|
||||||
|
const max_unknown_client_commands = 10 &redef;
|
||||||
|
|
||||||
|
} # end export
|
||||||
|
|
||||||
module Threading;
|
module Threading;
|
||||||
|
|
||||||
|
|
|
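Review bot: The doc comment on `max_pending_commands` says Zeek "forcefully removes the oldest", but the C++ side of this same commit (ProcessRequest in POP3.cc) first processes the oldest command as if its reply had been seen and raises the `pop3_client_too_many_pending_commands` weird before dropping it; naming that behaviour and the weird here lets an operator correlate weird.log with this tunable. Suggest `## before Zeek processes and drops the oldest one as if its reply had been seen,` followed by `## raising the pop3_client_too_many_pending_commands weird.`. Likewise the `max_unknown_client_commands` comment could name the `pop3_client_command_unknown` weird and state that the counter is per connection and, as far as this diff shows, never reset, so every unknown command past the limit raises a further violation (the redis analyzer.log baseline shows six identical entries).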
@ -5,4 +5,5 @@ zeek_add_plugin(
|
||||||
POP3.cc
|
POP3.cc
|
||||||
Plugin.cc
|
Plugin.cc
|
||||||
BIFS
|
BIFS
|
||||||
|
consts.bif
|
||||||
events.bif)
|
events.bif)
|
||||||
|
|
|
@ -3,8 +3,6 @@
|
||||||
|
|
||||||
#include "zeek/analyzer/protocol/pop3/POP3.h"
|
#include "zeek/analyzer/protocol/pop3/POP3.h"
|
||||||
|
|
||||||
#include "zeek/zeek-config.h"
|
|
||||||
|
|
||||||
#include <cctype>
|
#include <cctype>
|
||||||
#include <string>
|
#include <string>
|
||||||
#include <vector>
|
#include <vector>
|
||||||
|
@ -12,6 +10,7 @@
|
||||||
#include "zeek/Base64.h"
|
#include "zeek/Base64.h"
|
||||||
#include "zeek/Reporter.h"
|
#include "zeek/Reporter.h"
|
||||||
#include "zeek/analyzer/Manager.h"
|
#include "zeek/analyzer/Manager.h"
|
||||||
|
#include "zeek/analyzer/protocol/pop3/consts.bif.h"
|
||||||
#include "zeek/analyzer/protocol/pop3/events.bif.h"
|
#include "zeek/analyzer/protocol/pop3/events.bif.h"
|
||||||
|
|
||||||
namespace zeek::analyzer::pop3 {
|
namespace zeek::analyzer::pop3 {
|
||||||
|
@ -41,6 +40,7 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn) : analyzer::tcp::TCP_ApplicationA
|
||||||
authLines = 0;
|
authLines = 0;
|
||||||
|
|
||||||
mail = nullptr;
|
mail = nullptr;
|
||||||
|
unknown_client_cmds = 0;
|
||||||
|
|
||||||
cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true);
|
cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true);
|
||||||
AddSupportAnalyzer(cl_orig);
|
AddSupportAnalyzer(cl_orig);
|
||||||
|
@ -205,6 +205,21 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line) {
|
||||||
// keep a list of pending commands.
|
// keep a list of pending commands.
|
||||||
cmds.emplace_back(line);
|
cmds.emplace_back(line);
|
||||||
|
|
||||||
|
// Prevent unbounded state growth of cmds if there are no matching
|
||||||
|
// server replies by just processing commands even if we didn't see
|
||||||
|
// the server response.
|
||||||
|
//
|
||||||
|
// This may be caused by packet drops, one-sided traffic, analyzing
|
||||||
|
// the wrong protocol (Redis), etc.
|
||||||
|
if ( zeek::BifConst::POP3::max_pending_commands > 0 ) {
|
||||||
|
if ( cmds.size() > zeek::BifConst::POP3::max_pending_commands ) {
|
||||||
|
Weird("pop3_client_too_many_pending_commands");
|
||||||
|
|
||||||
|
ProcessClientCmd();
|
||||||
|
cmds.pop_front();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ( cmds.size() == 1 )
|
if ( cmds.size() == 1 )
|
||||||
// Not waiting for another server response,
|
// Not waiting for another server response,
|
||||||
// so we can process it immediately.
|
// so we can process it immediately.
|
||||||
|
@ -236,10 +251,19 @@ void POP3_Analyzer::ProcessClientCmd() {
|
||||||
|
|
||||||
if ( cmd_code == -1 ) {
|
if ( cmd_code == -1 ) {
|
||||||
if ( ! waitingForAuthentication ) {
|
if ( ! waitingForAuthentication ) {
|
||||||
Weird("pop3_client_command_unknown");
|
Weird("pop3_client_command_unknown", (tokens.size() > 0 ? tokens[0].c_str() : "???"));
|
||||||
if ( subState == detail::POP3_WOK )
|
if ( subState == detail::POP3_WOK )
|
||||||
subState = detail::POP3_OK;
|
subState = detail::POP3_OK;
|
||||||
|
|
||||||
|
++unknown_client_cmds;
|
||||||
|
|
||||||
|
if ( zeek::BifConst::POP3::max_unknown_client_commands > 0 ) {
|
||||||
|
if ( unknown_client_cmds > zeek::BifConst::POP3::max_unknown_client_commands ) {
|
||||||
|
AnalyzerViolation("too many unknown client commands");
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -299,6 +323,7 @@ void POP3_Analyzer::ProcessClientCmd() {
|
||||||
if ( masterState == detail::POP3_AUTHORIZATION ) {
|
if ( masterState == detail::POP3_AUTHORIZATION ) {
|
||||||
POP3Event(pop3_request, true, cmd, message);
|
POP3Event(pop3_request, true, cmd, message);
|
||||||
if ( ! *message ) {
|
if ( ! *message ) {
|
||||||
|
// This is the client requesting a list of AUTH mechanisms available.
|
||||||
requestForMultiLine = true;
|
requestForMultiLine = true;
|
||||||
state = detail::AUTH;
|
state = detail::AUTH;
|
||||||
subState = detail::POP3_WOK;
|
subState = detail::POP3_WOK;
|
||||||
|
@ -555,9 +580,13 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) {
|
||||||
AnalyzerViolation(util::fmt("unknown server command (%s)", (tokens.size() > 0 ? tokens[0].c_str() : "???")),
|
AnalyzerViolation(util::fmt("unknown server command (%s)", (tokens.size() > 0 ? tokens[0].c_str() : "???")),
|
||||||
line, length);
|
line, length);
|
||||||
|
|
||||||
Weird("pop3_server_command_unknown");
|
Weird("pop3_server_command_unknown", (tokens.size() > 0 ? tokens[0].c_str() : "???"));
|
||||||
if ( subState == detail::POP3_WOK )
|
if ( subState == detail::POP3_WOK )
|
||||||
subState = detail::POP3_OK;
|
subState = detail::POP3_OK;
|
||||||
|
|
||||||
|
// If we're not in state AUTH and receive "some" response,
|
||||||
|
// assume it was for the last command from the client.
|
||||||
|
FinishClientCmd();
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
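Review bot: The new client-side violation in ProcessClientCmd, `AnalyzerViolation("too many unknown client commands");`, passes no failure data, unlike the server-side `AnalyzerViolation(util::fmt("unknown server command (%s)", ...), line, length)` in ProcessReply, so analyzer.log records `-` in failure_data (the redis baseline confirms this). Since `tokens[0]` is already used for the weird two lines above, `AnalyzerViolation(util::fmt("too many unknown client commands (%s)", tokens.size() > 0 ? tokens[0].c_str() : "???"));` would make the six identical baseline entries distinguishable and tell an analyst what the client actually sent. Separately, the new `FinishClientCmd();` call on an unknown server reply in ProcessReply also runs when no client command is pending (one-sided or server-first traffic); its body is outside this diff, so confirm it guards `cmds.empty()` before popping. Both ProcessClientCmd and ProcessReply start and end outside their hunks.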
@ -4,11 +4,9 @@
|
||||||
|
|
||||||
#pragma once
|
#pragma once
|
||||||
|
|
||||||
#include <algorithm>
|
|
||||||
#include <string>
|
#include <string>
|
||||||
#include <vector>
|
#include <vector>
|
||||||
|
|
||||||
#include "zeek/analyzer/protocol/login/NVT.h"
|
|
||||||
#include "zeek/analyzer/protocol/mime/MIME.h"
|
#include "zeek/analyzer/protocol/mime/MIME.h"
|
||||||
#include "zeek/analyzer/protocol/tcp/ContentLine.h"
|
#include "zeek/analyzer/protocol/tcp/ContentLine.h"
|
||||||
#include "zeek/analyzer/protocol/tcp/TCP.h"
|
#include "zeek/analyzer/protocol/tcp/TCP.h"
|
||||||
|
@ -106,6 +104,7 @@ protected:
|
||||||
|
|
||||||
analyzer::mime::MIME_Mail* mail;
|
analyzer::mime::MIME_Mail* mail;
|
||||||
std::list<std::string> cmds;
|
std::list<std::string> cmds;
|
||||||
|
zeek_uint_t unknown_client_cmds;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
bool tls;
|
bool tls;
|
||||||
|
|
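Review bot: With `<algorithm>` and `zeek/analyzer/protocol/login/NVT.h` removed, the header's own include block no longer visibly provides `<list>`, yet `std::list<std::string> cmds;` remains a member; if `<list>` was arriving transitively through NVT.h, the header now depends on MIME.h, ContentLine.h or TCP.h to pull it in. Suggest adding `#include <list>` next to `#include <string>` so the header is self-contained. Also, the new `zeek_uint_t unknown_client_cmds;` relies on the assignment added to the constructor in POP3.cc; a default member initializer `zeek_uint_t unknown_client_cmds = 0;` would keep it zero regardless of constructor path, though the neighbouring members follow the assign-in-ctor style, so this is a style choice.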
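--- a/src/analyzer/protocol/pop3/consts.bif
+++ b/src/analyzer/protocol/pop3/consts.bif
@@ -0,0 +1,2 @@
+const POP3::max_pending_commands: count;
+const POP3::max_unknown_client_commands: count;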
@ -7,7 +7,7 @@
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
|
||||||
#types time string addr port addr port string string bool string string
|
#types time string addr port addr port string string bool string string
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 pop3_server_command_unknown - F zeek POP3
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 pop3_server_command_unknown + F zeek POP3
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 line_terminated_with_single_CR - F zeek CONTENTLINE
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 line_terminated_with_single_CR - F zeek CONTENTLINE
|
||||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 too_many_analyzer_violations - F zeek POP3
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 too_many_analyzer_violations - F zeek POP3
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -192,6 +192,7 @@ scripts/base/init-frameworks-and-bifs.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
|
||||||
|
build/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek
|
||||||
|
|
|
@ -192,6 +192,7 @@ scripts/base/init-frameworks-and-bifs.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
|
||||||
|
build/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
|
||||||
build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek
|
build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek
|
||||||
|
|
|
@ -385,6 +385,7 @@
|
||||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> -1
|
||||||
|
0.000000 MetaHookPost LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> -1
|
||||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> -1
|
0.000000 MetaHookPost LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> -1
|
||||||
|
@ -680,6 +681,7 @@
|
||||||
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> (-1, <no content>)
|
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> (-1, <no content>)
|
||||||
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> (-1, <no content>)
|
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> (-1, <no content>)
|
||||||
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, <no content>)
|
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, <no content>)
|
||||||
|
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> (-1, <no content>)
|
||||||
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, <no content>)
|
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, <no content>)
|
||||||
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, <no content>)
|
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, <no content>)
|
||||||
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, <no content>)
|
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, <no content>)
|
||||||
|
@ -1307,6 +1309,7 @@
|
||||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
|
||||||
|
0.000000 MetaHookPre LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
|
0.000000 MetaHookPre LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
|
||||||
|
@ -1602,6 +1605,7 @@
|
||||||
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
|
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
|
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
|
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
|
||||||
|
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
|
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
|
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
|
||||||
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
|
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
|
||||||
|
@ -2228,6 +2232,7 @@
|
||||||
0.000000 | HookLoadFile ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
|
0.000000 | HookLoadFile ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
|
||||||
0.000000 | HookLoadFile ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
|
0.000000 | HookLoadFile ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
|
||||||
0.000000 | HookLoadFile ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
|
0.000000 | HookLoadFile ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
|
||||||
|
0.000000 | HookLoadFile ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
|
||||||
0.000000 | HookLoadFile ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
|
0.000000 | HookLoadFile ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
|
||||||
0.000000 | HookLoadFile ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
|
0.000000 | HookLoadFile ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
|
||||||
0.000000 | HookLoadFile ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
|
0.000000 | HookLoadFile ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
|
||||||
|
@ -2523,6 +2528,7 @@
|
||||||
0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
|
0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
|
||||||
0.000000 | HookLoadFileExtended ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
|
0.000000 | HookLoadFileExtended ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
|
||||||
0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
|
0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
|
||||||
|
0.000000 | HookLoadFileExtended ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
|
||||||
0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
|
0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
|
||||||
0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
|
0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
|
||||||
0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
|
0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path conn
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||||
|
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.4 26242 212.227.15.188 110 tcp - 0.050692 0 0 REJ T F 0 Sr 1 52 1 40 -
|
||||||
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.4 26242 212.227.15.188 110 tcp - 0.060847 0 0 REJ T F 0 Sr 1 52 1 40 -
|
||||||
|
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.0.4 26245 212.227.15.171 110 tcp - 0.050705 0 0 REJ T F 0 Sr 1 52 1 40 -
|
||||||
|
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 192.168.0.4 26245 212.227.15.171 110 tcp - 0.050062 0 0 REJ T F 0 Sr 1 52 1 40 -
|
||||||
|
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.0.4 26242 212.227.15.188 110 tcp - 0.050967 0 0 REJ T F 0 Sr 1 48 1 40 -
|
||||||
|
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 192.168.0.4 26245 212.227.15.171 110 tcp - 0.047718 0 0 REJ T F 0 Sr 1 48 1 40 -
|
||||||
|
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 192.168.0.4 26272 212.227.15.166 110 tcp pop3 0.163506 12 175 SF T F 0 ShAdDafF 6 264 6 427 -
|
||||||
|
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.0.4 26284 212.227.15.166 110 tcp pop3 3.469839 86 205 SF T F 0 ShAdDafF 9 470 9 577 -
|
||||||
|
XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 192.168.0.4 26304 212.227.15.166 110 tcp pop3 0.206558 12 175 SF T F 0 ShAdDafF 6 264 6 427 -
|
||||||
|
XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 192.168.0.4 26308 212.227.15.166 110 tcp pop3 0.537230 96 297 SF T F 0 ShAdDafF 9 468 10 709 -
|
||||||
|
XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 192.168.0.4 26383 212.227.15.166 110 tcp pop3 1.213485 138 19651 SF T F 0 ShAdDafF 22 1030 30 20863 -
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
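--- a/testing/btest/Baseline/scripts.base.protocols.pop3.basic/out
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.basic/out
@@ -0,0 +1,48 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, POP server ready H mimap4 0MHoUr-1VDxRD3Ui5-003eq2
+CP5puj4I8PtEU4qzYg, pop3_request, T, CAPA,
+CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, Capability list follows
+CP5puj4I8PtEU4qzYg, pop3_request, T, QUIT,
+CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, POP server signing off
+C37jN32gN3y3AZzyf6, pop3_reply, F, OK, POP server ready H mimap8 0MHXFQ-1VDgSF1308-003NYq
+C37jN32gN3y3AZzyf6, pop3_request, T, AUTH,
+C37jN32gN3y3AZzyf6, pop3_reply, F, ERR, 1 argument required
+C37jN32gN3y3AZzyf6, pop3_request, T, CAPA,
+C37jN32gN3y3AZzyf6, pop3_reply, F, OK, Capability list follows
+C37jN32gN3y3AZzyf6, pop3_request, T, AUTH, PLAIN
+C37jN32gN3y3AZzyf6, pop3_reply, F, ERR, authentication failed
+C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, POP server ready H mimap9 0MK0or-1VBlin3ixZ-001RVN
+C3eiCBGOLw3VtHfOj, pop3_request, T, CAPA,
+C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, Capability list follows
+C3eiCBGOLw3VtHfOj, pop3_request, T, QUIT,
+C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, POP server signing off
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, POP server ready H mimap13 0MW5rZ-1VayeZ2jFp-00XVZd
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, AUTH,
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, ERR, 1 argument required
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, CAPA,
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, Capability list follows
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, AUTH, PLAIN
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap13
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, QUIT,
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, POP server signing off
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, POP server ready H mimap15 0LfD5x-1VsVU4327M-00pHSn
+C0LAHyvtKSQHyJxIl, pop3_request, T, AUTH,
+C0LAHyvtKSQHyJxIl, pop3_reply, F, ERR, 1 argument required
+C0LAHyvtKSQHyJxIl, pop3_request, T, CAPA,
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, Capability list follows
+C0LAHyvtKSQHyJxIl, pop3_request, T, AUTH, PLAIN
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap15
+C0LAHyvtKSQHyJxIl, pop3_request, T, STAT,
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 3 19191
+C0LAHyvtKSQHyJxIl, pop3_request, T, LIST,
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK,
+C0LAHyvtKSQHyJxIl, pop3_request, T, UIDL,
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK,
+C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 1
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK,
+C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 2
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK,
+C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 3
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK,
+C0LAHyvtKSQHyJxIl, pop3_request, T, QUIT,
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, POP server signing off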
@ -0,0 +1,16 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path analyzer
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
|
||||||
|
#types time string string string string string addr port addr port string string
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 too many unknown client commands -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 too many unknown client commands -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 too many unknown client commands -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 too many unknown client commands -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 too many unknown client commands -
|
||||||
|
XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 too many unknown client commands -
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,11 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path conn
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||||
|
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59954 127.0.0.1 6379 tcp - 0.002030 848 370 SF T T 0 ShADadfF 58 3872 58 3394 -
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,4 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
CHhAvVGS1DHFjwGM9, pop3_reply, F, OK,
|
||||||
|
CHhAvVGS1DHFjwGM9, pop3_request, T, AUTH,
|
||||||
|
CHhAvVGS1DHFjwGM9, pop3_reply, F, OK,
|
|
@ -0,0 +1,12 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path weird
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
|
||||||
|
#types time string addr port addr port string string bool string string
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59954 127.0.0.1 6379 pop3_client_command_unknown *2 F zeek POP3
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59954 127.0.0.1 6379 pop3_client_too_many_pending_commands - F zeek POP3
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -23,3 +23,6 @@ Trace Index/Sources:
|
||||||
https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
|
https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
|
||||||
- ldap/ldap_invalid_credentials.pcap
|
- ldap/ldap_invalid_credentials.pcap
|
||||||
Provided by Martin van Hensbergen in issue #3919.
|
Provided by Martin van Hensbergen in issue #3919.
|
||||||
|
- pop3/POP3.pcap: Picked up from POP tutorial on tranalyzer.com
|
||||||
|
https://tranalyzer.com/tutorial/pop
|
||||||
|
https://tranalyzer.com/download/data/pop3.pcap
|
||||||
|
|
BIN
testing/btest/Traces/pop3/pop3.pcap
Normal file
BIN
testing/btest/Traces/pop3/pop3.pcap
Normal file
Binary file not shown.
BIN
testing/btest/Traces/pop3/redis-50-pings.pcap
Normal file
BIN
testing/btest/Traces/pop3/redis-50-pings.pcap
Normal file
Binary file not shown.
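--- a/testing/btest/scripts/base/protocols/pop3/basic.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/basic.zeek
@@ -0,0 +1,20 @@
+# @TEST-DOC: Ensure basic POP3 functionality.
+# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/pop3.pcap %INPUT >out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: test ! -f analyzer.log
+
+@load base/frameworks/notice/weird
+@load base/protocols/conn
+@load base/protocols/pop3
+
+event pop3_request(c: connection, is_orig: bool, cmd: string, arg: string)
+{
+print c$uid, "pop3_request", is_orig, cmd, arg;
+}
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, arg: string)
+{
+print c$uid, "pop3_reply", is_orig, cmd, arg;
+}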
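--- a/testing/btest/scripts/base/protocols/pop3/redis.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/redis.zeek
@@ -0,0 +1,20 @@
+# @TEST-DOC: The POP3 signature triggered on Redis traffic. Ensure the analyzer is eventually removed to avoid.
+# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/redis-50-pings.pcap %INPUT >out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff analyzer.log
+
+@load base/frameworks/notice/weird
+@load base/protocols/conn
+@load base/protocols/pop3
+
+event pop3_request(c: connection, is_orig: bool, cmd: string, arg: string)
+{
+print c$uid, "pop3_request", is_orig, cmd, arg;
+}
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, arg: string)
+{
+print c$uid, "pop3_reply", is_orig, cmd, arg;
+}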