Merge remote-tracking branch 'origin/topic/awelzel/3936-pop3-and-redis'

* origin/topic/awelzel/3936-pop3-and-redis:
  pop3: Remove unused headers
  pop3: Prevent unbounded state growth
  btest/pop3: Add somewhat more elaborate testing

(cherry picked from commit 702fb031a4)

CHANGES

@@ -1,3 +1,30 @@
+6.0.6-1 | 2024-09-23 12:45:07 -0700
+
+  * pop3: Remove unused headers (Arne Welzel, Corelight)
+
+    (cherry picked from commit 702fb031a4ea2b00364d6a7321384a45551ce3a2)
+
+  * pop3: Prevent unbounded state growth (Arne Welzel, Corelight)
+
+    The cmds list may grow unbounded due to the POP3 analyzer being in
+    multiLine mode after seeing `AUTH` in a Redis connection, but never
+    a `.` terminator. This can easily be provoked by the Redis ping
+    command.
+
+    This adds two heuristics: 1) Forcefully process the oldest commands in
+    the cmds list and cap it at max_pending_commands. 2) Start raising
+    analyzer violations if the client has been using more than
+    max_unknown_client_commands commands (default 10).
+
+    (cherry picked from commit 702fb031a4ea2b00364d6a7321384a45551ce3a2)
+
+  * btest/pop3: Add somewhat more elaborate testing (Arne Welzel, Corelight)
+
+    PCAP taken from here: https://tranalyzer.com/tutorial/pop and reference
+    added to Traces/README.
+
+    (cherry picked from commit 702fb031a4ea2b00364d6a7321384a45551ce3a2)
+
 6.0.6 | 2024-09-03 14:46:02 -0700
 
   * CI: Fix centos-7 Dockerfile to replace obsolete yum repos (Tim Wojtulewicz)

VERSION

@@ -1 +1 @@
-6.0.6
+6.0.6-1

scripts/base/init-bare.zeek

@@ -2793,6 +2793,22 @@ export {
 
 } # end export
 
+module POP3;
+
+export {
+	## How many commands a POP3 client may have pending
+	## before Zeek forcefully removes the oldest.
+	##
+	## Setting this value to 0 removes the limit.
+	const max_pending_commands = 10 &redef;
+
+	## How many invalid commands a POP3 client may use
+	## before Zeek starts raising analyzer violations.
+	##
+	## Setting this value to 0 removes the limit.
+	const max_unknown_client_commands = 10 &redef;
+
+} # end export
 
 module Threading;
 

src/analyzer/protocol/pop3/CMakeLists.txt

@@ -5,4 +5,5 @@ zeek_add_plugin(
     POP3.cc
     Plugin.cc
     BIFS
+    consts.bif
     events.bif)

src/analyzer/protocol/pop3/POP3.cc

@@ -3,8 +3,6 @@
 
 #include "zeek/analyzer/protocol/pop3/POP3.h"
 
-#include "zeek/zeek-config.h"
-
 #include <cctype>
 #include <string>
 #include <vector>
@@ -12,6 +10,7 @@
 #include "zeek/Base64.h"
 #include "zeek/Reporter.h"
 #include "zeek/analyzer/Manager.h"
+#include "zeek/analyzer/protocol/pop3/consts.bif.h"
 #include "zeek/analyzer/protocol/pop3/events.bif.h"
 
 namespace zeek::analyzer::pop3
@@ -44,6 +43,7 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn)
 	authLines = 0;
 
 	mail = nullptr;
+	unknown_client_cmds = 0;
 
 	cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true);
 	AddSupportAnalyzer(cl_orig);
@@ -226,6 +226,23 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
 		// keep a list of pending commands.
 		cmds.push_back(std::string(line));
 
+		// Prevent unbounded state growth of cmds if there are no matching
+		// server replies by just processing commands even if we didn't see
+		// the server response.
+		//
+		// This may be caused by packet drops, one-sided traffic, analyzing
+		// the wrong protocol (Redis), etc.
+		if ( zeek::BifConst::POP3::max_pending_commands > 0 )
+			{
+			if ( cmds.size() > zeek::BifConst::POP3::max_pending_commands )
+				{
+				Weird("pop3_client_too_many_pending_commands");
+
+				ProcessClientCmd();
+				cmds.pop_front();
+				}
+			}
+
 		if ( cmds.size() == 1 )
 			// Not waiting for another server response,
 			// so we can process it immediately.
@@ -261,10 +278,20 @@ void POP3_Analyzer::ProcessClientCmd()
 		{
 		if ( ! waitingForAuthentication )
 			{
-			Weird("pop3_client_command_unknown");
+			Weird("pop3_client_command_unknown", (tokens.size() > 0 ? tokens[0].c_str() : "???"));
 			if ( subState == detail::POP3_WOK )
 				subState = detail::POP3_OK;
+
+			++unknown_client_cmds;
+			if ( zeek::BifConst::POP3::max_unknown_client_commands > 0 )
+				{
+				if ( unknown_client_cmds > zeek::BifConst::POP3::max_unknown_client_commands )
+					{
+					AnalyzerViolation("too many unknown client commands");
+					}
+				}
 			}
+
 		return;
 		}
 
@@ -333,6 +360,7 @@ void POP3_Analyzer::ProcessClientCmd()
 				POP3Event(pop3_request, true, cmd, message);
 				if ( ! *message )
 					{
+					// This is the client requesting a list of AUTH mechanisms available.
 					requestForMultiLine = true;
 					state = detail::AUTH;
 					subState = detail::POP3_WOK;
@@ -629,10 +657,15 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 			                            (tokens.size() > 0 ? tokens[0].c_str() : "???")),
 			                  line, length);
 
-			Weird("pop3_server_command_unknown");
+			Weird("pop3_server_command_unknown", (tokens.size() > 0 ? tokens[0].c_str() : "???"));
 			if ( subState == detail::POP3_WOK )
 				subState = detail::POP3_OK;
+
+			// If we're not in state AUTH and receive "some" response,
+			// assume it was for the last command from the client.
+			FinishClientCmd();
 			}
+
 		return;
 		}
 

src/analyzer/protocol/pop3/POP3.h

@@ -4,11 +4,9 @@
 
 #pragma once
 
-#include <algorithm>
 #include <string>
 #include <vector>
 
-#include "zeek/analyzer/protocol/login/NVT.h"
 #include "zeek/analyzer/protocol/mime/MIME.h"
 #include "zeek/analyzer/protocol/tcp/ContentLine.h"
 #include "zeek/analyzer/protocol/tcp/TCP.h"
@@ -79,7 +77,10 @@ public:
 	void Done() override;
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 
-	static analyzer::Analyzer* Instantiate(Connection* conn) { return new POP3_Analyzer(conn); }
+	static analyzer::Analyzer* Instantiate(Connection* conn)
+		{
+		return new POP3_Analyzer(conn);
+		}
 
 protected:
 	int masterState;
@@ -114,6 +115,7 @@ protected:
 
 	analyzer::mime::MIME_Mail* mail;
 	std::list<std::string> cmds;
+	zeek_uint_t unknown_client_cmds;
 
 private:
 	bool tls;

src/analyzer/protocol/pop3/consts.bif

@@ -0,0 +1,2 @@
+const POP3::max_pending_commands: count;
+const POP3::max_unknown_client_commands: count;

testing/btest/Baseline/core.max-analyzer-violations/weird.log

@@ -7,7 +7,7 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
 #types	time	string	addr	port	addr	port	string	string	bool	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	pop3_server_command_unknown	-	F	zeek	POP3
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	pop3_server_command_unknown	+	F	zeek	POP3
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	line_terminated_with_single_CR	-	F	zeek	CONTENTLINE
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	too_many_analyzer_violations	-	F	zeek	POP3
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -187,6 +187,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek
     build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -187,6 +187,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek
     build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -894,6 +894,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> -1
@@ -1285,6 +1286,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, <no content>)
@@ -2519,6 +2521,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
@@ -2910,6 +2913,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
@@ -4143,6 +4147,7 @@
 0.000000 | HookLoadFile  ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
@@ -4534,6 +4539,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek

testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log

@@ -0,0 +1,21 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.0.4	26242	212.227.15.188	110	tcp	-	0.050692	0	0	REJ	T	F	0	Sr	1	52	1	40	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.0.4	26242	212.227.15.188	110	tcp	-	0.060847	0	0	REJ	T	F	0	Sr	1	52	1	40	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	192.168.0.4	26245	212.227.15.171	110	tcp	-	0.050705	0	0	REJ	T	F	0	Sr	1	52	1	40	-
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	192.168.0.4	26245	212.227.15.171	110	tcp	-	0.050062	0	0	REJ	T	F	0	Sr	1	52	1	40	-
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	192.168.0.4	26242	212.227.15.188	110	tcp	-	0.050967	0	0	REJ	T	F	0	Sr	1	48	1	40	-
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	192.168.0.4	26245	212.227.15.171	110	tcp	-	0.047718	0	0	REJ	T	F	0	Sr	1	48	1	40	-
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	192.168.0.4	26272	212.227.15.166	110	tcp	pop3	0.163506	12	175	SF	T	F	0	ShAdDafF	6	264	6	427	-
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	192.168.0.4	26284	212.227.15.166	110	tcp	pop3	3.469839	86	205	SF	T	F	0	ShAdDafF	9	470	9	577	-
+XXXXXXXXXX.XXXXXX	C3eiCBGOLw3VtHfOj	192.168.0.4	26304	212.227.15.166	110	tcp	pop3	0.206558	12	175	SF	T	F	0	ShAdDafF	6	264	6	427	-
+XXXXXXXXXX.XXXXXX	CwjjYJ2WqgTbAqiHl6	192.168.0.4	26308	212.227.15.166	110	tcp	pop3	0.537230	96	297	SF	T	F	0	ShAdDafF	9	468	10	709	-
+XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	192.168.0.4	26383	212.227.15.166	110	tcp	pop3	1.213485	138	19651	SF	T	F	0	ShAdDafF	22	1030	30	20863	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.pop3.basic/out

@@ -0,0 +1,48 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, POP server ready H mimap4 0MHoUr-1VDxRD3Ui5-003eq2
+CP5puj4I8PtEU4qzYg, pop3_request, T, CAPA, 
+CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, Capability list follows
+CP5puj4I8PtEU4qzYg, pop3_request, T, QUIT, 
+CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, POP server signing off
+C37jN32gN3y3AZzyf6, pop3_reply, F, OK, POP server ready H mimap8 0MHXFQ-1VDgSF1308-003NYq
+C37jN32gN3y3AZzyf6, pop3_request, T, AUTH, 
+C37jN32gN3y3AZzyf6, pop3_reply, F, ERR, 1 argument required
+C37jN32gN3y3AZzyf6, pop3_request, T, CAPA, 
+C37jN32gN3y3AZzyf6, pop3_reply, F, OK, Capability list follows
+C37jN32gN3y3AZzyf6, pop3_request, T, AUTH, PLAIN
+C37jN32gN3y3AZzyf6, pop3_reply, F, ERR, authentication failed
+C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, POP server ready H mimap9 0MK0or-1VBlin3ixZ-001RVN
+C3eiCBGOLw3VtHfOj, pop3_request, T, CAPA, 
+C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, Capability list follows
+C3eiCBGOLw3VtHfOj, pop3_request, T, QUIT, 
+C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, POP server signing off
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, POP server ready H mimap13 0MW5rZ-1VayeZ2jFp-00XVZd
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, AUTH, 
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, ERR, 1 argument required
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, CAPA, 
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, Capability list follows
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, AUTH, PLAIN
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap13
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, QUIT, 
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, POP server signing off
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, POP server ready H mimap15 0LfD5x-1VsVU4327M-00pHSn
+C0LAHyvtKSQHyJxIl, pop3_request, T, AUTH, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, ERR, 1 argument required
+C0LAHyvtKSQHyJxIl, pop3_request, T, CAPA, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, Capability list follows
+C0LAHyvtKSQHyJxIl, pop3_request, T, AUTH, PLAIN
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap15
+C0LAHyvtKSQHyJxIl, pop3_request, T, STAT, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 3 19191
+C0LAHyvtKSQHyJxIl, pop3_request, T, LIST, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, UIDL, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 1
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 2
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 3
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, QUIT, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, POP server signing off

testing/btest/Baseline/scripts.base.protocols.pop3.redis/analyzer.log

@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	analyzer
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	cause	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#types	time	string	string	string	string	string	addr	port	addr	port	string	string
+XXXXXXXXXX.XXXXXX	violation	protocol	POP3	CHhAvVGS1DHFjwGM9	-	127.0.0.1	59954	127.0.0.1	6379	too many unknown client commands	-
+XXXXXXXXXX.XXXXXX	violation	protocol	POP3	CHhAvVGS1DHFjwGM9	-	127.0.0.1	59954	127.0.0.1	6379	too many unknown client commands	-
+XXXXXXXXXX.XXXXXX	violation	protocol	POP3	CHhAvVGS1DHFjwGM9	-	127.0.0.1	59954	127.0.0.1	6379	too many unknown client commands	-
+XXXXXXXXXX.XXXXXX	violation	protocol	POP3	CHhAvVGS1DHFjwGM9	-	127.0.0.1	59954	127.0.0.1	6379	too many unknown client commands	-
+XXXXXXXXXX.XXXXXX	violation	protocol	POP3	CHhAvVGS1DHFjwGM9	-	127.0.0.1	59954	127.0.0.1	6379	too many unknown client commands	-
+XXXXXXXXXX.XXXXXX	violation	protocol	POP3	CHhAvVGS1DHFjwGM9	-	127.0.0.1	59954	127.0.0.1	6379	too many unknown client commands	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.pop3.redis/conn.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	59954	127.0.0.1	6379	tcp	-	0.002030	848	370	SF	T	T	0	ShADadfF	58	3872	58	3394	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.pop3.redis/out

@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CHhAvVGS1DHFjwGM9, pop3_reply, F, OK, 
+CHhAvVGS1DHFjwGM9, pop3_request, T, AUTH, 
+CHhAvVGS1DHFjwGM9, pop3_reply, F, OK, 

testing/btest/Baseline/scripts.base.protocols.pop3.redis/weird.log

@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	59954	127.0.0.1	6379	pop3_client_command_unknown	*2	F	zeek	POP3
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	59954	127.0.0.1	6379	pop3_client_too_many_pending_commands	-	F	zeek	POP3
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Traces/README

@@ -3,3 +3,9 @@ These are the trace files that are used by the Zeek test suite.
 Note to maintainers: please take care when modifying/removing files from here.
 We install these traces with the Zeek distribution and external packages might
 depend on them for tests.
+
+Trace Index/Sources:
+
+- pop3/POP3.pcap: Picked up from POP tutorial on tranalyzer.com
+  https://tranalyzer.com/tutorial/pop
+  https://tranalyzer.com/download/data/pop3.pcap

testing/btest/scripts/base/protocols/pop3/basic.zeek

@@ -0,0 +1,20 @@
+# @TEST-DOC: Ensure basic POP3 functionality.
+# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/pop3.pcap %INPUT >out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: test ! -f analyzer.log
+
+@load base/frameworks/notice/weird
+@load base/protocols/conn
+@load base/protocols/pop3
+
+event pop3_request(c: connection, is_orig: bool, cmd: string, arg: string)
+	{
+	print c$uid, "pop3_request", is_orig, cmd, arg;
+	}
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, arg: string)
+	{
+	print c$uid, "pop3_reply", is_orig, cmd, arg;
+	}

testing/btest/scripts/base/protocols/pop3/redis.zeek

@@ -0,0 +1,20 @@
+# @TEST-DOC: The POP3 signature triggered on Redis traffic. Ensure the analyzer is eventually removed to avoid.
+# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/redis-50-pings.pcap %INPUT >out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff analyzer.log
+
+@load base/frameworks/notice/weird
+@load base/protocols/conn
+@load base/protocols/pop3
+
+event pop3_request(c: connection, is_orig: bool, cmd: string, arg: string)
+	{
+	print c$uid, "pop3_request", is_orig, cmd, arg;
+	}
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, arg: string)
+	{
+	print c$uid, "pop3_reply", is_orig, cmd, arg;
+	}