btest/pop3: Add somewhat more elaborate testing

PCAP taken from here: https://tranalyzer.com/tutorial/pop and reference added to Traces/README.
2025-10-02 06:38:20 +00:00 · 2024-09-18 14:05:43 +02:00 · 2024-09-18 14:05:43 +02:00 · b4fdce8d5b
commit b4fdce8d5b
parent 5a26a39d06
5 changed files with 92 additions and 0 deletions
--- a/testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log
@ -0,0 +1,21 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.0.4	26242	212.227.15.188	110	tcp	-	0.050692	0	0	REJ	T	F	0	Sr	1	52	1	40	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.0.4	26242	212.227.15.188	110	tcp	-	0.060847	0	0	REJ	T	F	0	Sr	1	52	1	40	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	192.168.0.4	26245	212.227.15.171	110	tcp	-	0.050705	0	0	REJ	T	F	0	Sr	1	52	1	40	-
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	192.168.0.4	26245	212.227.15.171	110	tcp	-	0.050062	0	0	REJ	T	F	0	Sr	1	52	1	40	-
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	192.168.0.4	26242	212.227.15.188	110	tcp	-	0.050967	0	0	REJ	T	F	0	Sr	1	48	1	40	-
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	192.168.0.4	26245	212.227.15.171	110	tcp	-	0.047718	0	0	REJ	T	F	0	Sr	1	48	1	40	-
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	192.168.0.4	26272	212.227.15.166	110	tcp	pop3	0.163506	12	175	SF	T	F	0	ShAdDafF	6	264	6	427	-
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	192.168.0.4	26284	212.227.15.166	110	tcp	pop3	3.469839	86	205	SF	T	F	0	ShAdDafF	9	470	9	577	-
+XXXXXXXXXX.XXXXXX	C3eiCBGOLw3VtHfOj	192.168.0.4	26304	212.227.15.166	110	tcp	pop3	0.206558	12	175	SF	T	F	0	ShAdDafF	6	264	6	427	-
+XXXXXXXXXX.XXXXXX	CwjjYJ2WqgTbAqiHl6	192.168.0.4	26308	212.227.15.166	110	tcp	pop3	0.537230	96	297	SF	T	F	0	ShAdDafF	9	468	10	709	-
+XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	192.168.0.4	26383	212.227.15.166	110	tcp	pop3	1.213485	138	19651	SF	T	F	0	ShAdDafF	22	1030	30	20863	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.pop3.basic/out
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.basic/out
@ -0,0 +1,48 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, POP server ready H mimap4 0MHoUr-1VDxRD3Ui5-003eq2
+CP5puj4I8PtEU4qzYg, pop3_request, T, CAPA, 
+CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, Capability list follows
+CP5puj4I8PtEU4qzYg, pop3_request, T, QUIT, 
+CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, POP server signing off
+C37jN32gN3y3AZzyf6, pop3_reply, F, OK, POP server ready H mimap8 0MHXFQ-1VDgSF1308-003NYq
+C37jN32gN3y3AZzyf6, pop3_request, T, AUTH, 
+C37jN32gN3y3AZzyf6, pop3_reply, F, ERR, 1 argument required
+C37jN32gN3y3AZzyf6, pop3_request, T, CAPA, 
+C37jN32gN3y3AZzyf6, pop3_reply, F, OK, Capability list follows
+C37jN32gN3y3AZzyf6, pop3_request, T, AUTH, PLAIN
+C37jN32gN3y3AZzyf6, pop3_reply, F, ERR, authentication failed
+C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, POP server ready H mimap9 0MK0or-1VBlin3ixZ-001RVN
+C3eiCBGOLw3VtHfOj, pop3_request, T, CAPA, 
+C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, Capability list follows
+C3eiCBGOLw3VtHfOj, pop3_request, T, QUIT, 
+C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, POP server signing off
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, POP server ready H mimap13 0MW5rZ-1VayeZ2jFp-00XVZd
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, AUTH, 
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, ERR, 1 argument required
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, CAPA, 
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, Capability list follows
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, AUTH, PLAIN
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap13
+CwjjYJ2WqgTbAqiHl6, pop3_request, T, QUIT, 
+CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, POP server signing off
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, POP server ready H mimap15 0LfD5x-1VsVU4327M-00pHSn
+C0LAHyvtKSQHyJxIl, pop3_request, T, AUTH, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, ERR, 1 argument required
+C0LAHyvtKSQHyJxIl, pop3_request, T, CAPA, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, Capability list follows
+C0LAHyvtKSQHyJxIl, pop3_request, T, AUTH, PLAIN
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap15
+C0LAHyvtKSQHyJxIl, pop3_request, T, STAT, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 3 19191
+C0LAHyvtKSQHyJxIl, pop3_request, T, LIST, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, UIDL, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 1
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 2
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 3
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 
+C0LAHyvtKSQHyJxIl, pop3_request, T, QUIT, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, POP server signing off
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
@ -29,3 +29,6 @@ Trace Index/Sources:
 - dns/dynamic-update.pcap: : Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
+- pop3/POP3.pcap: Picked up from POP tutorial on tranalyzer.com
+  https://tranalyzer.com/tutorial/pop
+  https://tranalyzer.com/download/data/pop3.pcap
--- a/testing/btest/Traces/pop3/pop3.pcap
+++ b/testing/btest/Traces/pop3/pop3.pcap
--- a/testing/btest/scripts/base/protocols/pop3/basic.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/basic.zeek
@ -0,0 +1,20 @@
+# @TEST-DOC: Ensure basic POP3 functionality.
+# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/pop3.pcap %INPUT >out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: test ! -f analyzer.log
+
+@load base/frameworks/notice/weird
+@load base/protocols/conn
+@load base/protocols/pop3
+
+event pop3_request(c: connection, is_orig: bool, cmd: string, arg: string)
+	{
+	print c$uid, "pop3_request", is_orig, cmd, arg;
+	}
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, arg: string)
+	{
+	print c$uid, "pop3_reply", is_orig, cmd, arg;
+	}