Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ftp: Do not log non-pending commands

Browse source 
OSS Fuzz generated a CWD request and reply followed by very many EPRT
requests. This caused Zeek to re-log the CWD request and invoke `build_url_ftp()`
over and over again resulting in long processing times.

Avoid this scenario by not logging commands that aren't pending anymore.

(cherry picked from commit b05dd31667ff634ec7d017f09d122f05878fdf65)
This commit is contained in:
Arne Welzel 2023-08-31 12:39:00 +02:00 committed by Tim Wojtulewicz
parent f6e7ea43c3
commit b2c40a22cb
2 changed files with 2 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/protocols/ftp/main.zeek
View file

@ -261,8 +261,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
# attackers. # attackers.
if ( c?$ftp && c$ftp?$cmdarg && c$ftp?$reply_code ) if ( c?$ftp && c$ftp?$cmdarg && c$ftp?$reply_code )
{ {
remove_pending_cmd(c$ftp$pending_commands, c$ftp$cmdarg); if ( remove_pending_cmd(c$ftp$pending_commands, c$ftp$cmdarg) )
ftp_message(c); ftp_message(c);
} }
local id = c$id; local id = c$id;

1
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-get-file-size/ftp.log
View file

@ -8,7 +8,6 @@
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid
#types time string addr port addr port string string string string string count count string bool addr addr port string #types time string addr port addr port string string string string string count count string bool addr addr port string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.21.95 54089 164.107.123.6 21 <unknown> - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,187) T 192.168.21.95 164.107.123.6 47035 - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.21.95 54089 164.107.123.6 21 <unknown> - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,187) T 192.168.21.95 164.107.123.6 47035 -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.21.95 54089 164.107.123.6 21 <unknown> - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,187) - - - - -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.21.95 54089 164.107.123.6 21 <unknown> - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,231) T 192.168.21.95 164.107.123.6 47079 FzwelK1cvu4OroNgn2 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.21.95 54089 164.107.123.6 21 <unknown> - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,231) T 192.168.21.95 164.107.123.6 47079 FzwelK1cvu4OroNgn2
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.21.95 54089 164.107.123.6 21 <unknown> - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,211) T 192.168.21.95 164.107.123.6 47059 F9FJGR2omqil0TrC4l XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.21.95 54089 164.107.123.6 21 <unknown> - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,211) T 192.168.21.95 164.107.123.6 47059 F9FJGR2omqil0TrC4l
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.21.95 54089 164.107.123.6 21 <unknown> - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,197) T 192.168.21.95 164.107.123.6 47045 FbSjjXYPAIpF2a1F8 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.21.95 54089 164.107.123.6 21 <unknown> - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,197) T 192.168.21.95 164.107.123.6 47045 FbSjjXYPAIpF2a1F8