smtp: Validate mail transaction and disable SMTP analyzer if excessive

An invalid mail transaction is determined as * RCPT TO command without a preceding MAIL FROM * a DATA command without a preceding RCPT TO and logged as a weird. The testing pcap for invalid mail transactions was produced with a Python script against a local exim4 configured to accept more errors and unknown commands than 3 by default: # exim4.conf.template smtp_max_synprot_errors = 100 smtp_max_unknown_commands = 100 See also: https://www.rfc-editor.org/rfc/rfc5321#section-3.3
2025-10-14 12:38:20 +00:00 · 2023-03-23 17:13:52 +01:00 · 2023-03-23 17:13:52 +01:00 · b8dc6ad120
commit b8dc6ad120
parent 0eccd8a7a2
14 changed files with 1649 additions and 1506 deletions
--- a/testing/btest/scripts/base/protocols/smtp/mail-transactions-invalid-disable-analyzer.zeek
+++ b/testing/btest/scripts/base/protocols/smtp/mail-transactions-invalid-disable-analyzer.zeek
@ -0,0 +1,13 @@
+# @TEST-EXEC: zeek -b -r $TRACES/smtp-mail-transactions-invalid.pcap %INPUT > out
+# @TEST-EXEC: btest-diff smtp.log
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smtp
+
+redef SMTP::max_invalid_mail_transactions = 2;
+
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
+	{
+	print network_time(), "disabling_analyzer", c$uid, atype, aid;
+	}