pop3: Prevent unbounded state growth

The cmds list may grow unbounded due to the POP3 analyzer being in multiLine mode after seeing `AUTH` in a Redis connection, but never a `.` terminator. This can easily be provoked by the Redis ping command. This adds two heuristics: 1) Forcefully process the oldest commands in the cmds list and cap it at max_pending_commands. 2) Start raising analyzer violations if the client has been using more than max_unknown_client_commands commands (default 10). Closes #3936
2025-10-13 03:58:20 +00:00 · 2024-09-18 17:31:58 +02:00 · 2024-09-18 17:31:58 +02:00 · cf9fe91705
commit cf9fe91705
parent b4fdce8d5b
16 changed files with 130 additions and 3 deletions
--- a/testing/btest/scripts/base/protocols/pop3/redis.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/redis.zeek
@ -0,0 +1,20 @@
+# @TEST-DOC: The POP3 signature triggered on Redis traffic. Ensure the analyzer is eventually removed to avoid.
+# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/redis-50-pings.pcap %INPUT >out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff analyzer.log
+
+@load base/frameworks/notice/weird
+@load base/protocols/conn
+@load base/protocols/pop3
+
+event pop3_request(c: connection, is_orig: bool, cmd: string, arg: string)
+	{
+	print c$uid, "pop3_request", is_orig, cmd, arg;
+	}
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, arg: string)
+	{
+	print c$uid, "pop3_reply", is_orig, cmd, arg;
+	}