From e688bfcf733a55dcbc3d7be9d9cb1963e3e3e62f Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Thu, 13 Oct 2022 13:06:15 +0200
Subject: [PATCH] test: Add btest verifying max_analyzer_violations functionality

The pcap has been generated roughly based on the example found on wikipedia with some added garbled response after the STAT command from the client.
---
 .../core.max-analyzer-violations/output | 15 +++++++++
 .../core.max-analyzer-violations/weird.log | 13 ++++++++
 .../btest/Traces/pop3-unknown-commands.pcap | Bin 0 -> 2585 bytes
 .../btest/core/max-analyzer-violations.zeek | 31 ++++++++++++++++++
 4 files changed, 59 insertions(+)
 create mode 100644 testing/btest/Baseline/core.max-analyzer-violations/output
 create mode 100644 testing/btest/Baseline/core.max-analyzer-violations/weird.log
 create mode 100644 testing/btest/Traces/pop3-unknown-commands.pcap
 create mode 100644 testing/btest/core/max-analyzer-violations.zeek

diff --git a/testing/btest/Baseline/core.max-analyzer-violations/output b/testing/btest/Baseline/core.max-analyzer-violations/output
new file mode 100644
index 0000000000..52b3841ec1
--- /dev/null
+++ b/testing/btest/Baseline/core.max-analyzer-violations/output
@@ -0,0 +1,15 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+reply, CHhAvVGS1DHFjwGM9, OK, example.com POP3-Server
+request, CHhAvVGS1DHFjwGM9, USER, zeek@zeek.org
+reply, CHhAvVGS1DHFjwGM9, OK, Please enter your password
+request, CHhAvVGS1DHFjwGM9, PASS, zeek
+reply, CHhAvVGS1DHFjwGM9, OK, mailbox locked and ready
+request, CHhAvVGS1DHFjwGM9, STAT, 
+1, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (+)
+2, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (???)
+3, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (..)
+4, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (???)
+5, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (..x)
+reply, CHhAvVGS1DHFjwGM9, OK, 1 236
+request, CHhAvVGS1DHFjwGM9, QUIT, 
+reply, CHhAvVGS1DHFjwGM9, OK, Bye
diff --git a/testing/btest/Baseline/core.max-analyzer-violations/weird.log b/testing/btest/Baseline/core.max-analyzer-violations/weird.log
new file mode 100644
index 0000000000..99b5e14621
--- /dev/null
+++ b/testing/btest/Baseline/core.max-analyzer-violations/weird.log
@@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 pop3_server_command_unknown - F zeek POP3 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 line_terminated_with_single_CR - F zeek CONTENTLINE +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 too_many_analyzer_violations - F zeek POP3 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/pop3-unknown-commands.pcap b/testing/btest/Traces/pop3-unknown-commands.pcap new file mode 100644 index 0000000000000000000000000000000000000000..86c5534e01744f695cbe708f9069f084e4556508 GIT binary patch literal 2585 zcmai$Uu;uV9LLYf;EtN9NJtFoykc~jNE1Yw7#DX(#I*xmN4I3*!FgG40N1r$huHCA zACNBMf0J2sLMw|gAt69AmKZ~_Xe8IMH0zDM1wTR z7o{%Nj%r~h?sp}U_QanK(O8$U+sb{2JrcLf5lgocN366yntU&=$sMIGZsE1uw@iG}l}IfZ`z5hy#U^5; zJsRcY{ht&2HcfSPTdkAh$w;;n_;Ct+5w<_~tL&x~5TB1oT1jdBA6-WPR(!+B0N;KaR1aTn3R$N#9? z1q*24EDf-O%u(v%xL?VA$Hb>yiPXT2gd~Piwh=5ud)j+gbkXxhYI`}CqY~>RU8JPT z5Ix+bVneAfNOXZ_M~}H45N+4qWa1%LB8i^7B8l;Pwh>BgZEOq#P?^R?Kk(jnF?X7C zsC{jhDcSQ7*6CF7E6@Nweh);vRKsM7QWq!ts`eHO57h{t=LksnvL%UQSrAEf{rYBB z{n7i*onh5266_oTs7^t(yjca0Wudx6(|Vm8QR-sVpw`8z!;wU3`Y^%H2&cOB*X;sG$_5~BRlinBWdnRsnCDQmyA4=lfFo@l~;T{&ns61X_ z-5f&gsAedHyAbVfR9mgf_yUz;z7?bX;F4fN}_X6ZSH=9Pi((`1a2)!V$u6D aO|s)tlIR>$IQ|aDz*^~ed!udKTKX53fNPNe literal 0 HcmV?d00001 diff --git a/testing/btest/core/max-analyzer-violations.zeek b/testing/btest/core/max-analyzer-violations.zeek new file mode 100644 index 0000000000..462c364762 --- /dev/null +++ b/testing/btest/core/max-analyzer-violations.zeek 
@@ -0,0 +1,31 @@
+# @TEST-DOC: In the pcap, the server responds with 10 unknown server commands and analyzer_violation_info events are raised for each. Verify that setting max_analyzer_violations creates a weird and suppresses further analyzer violation events.
+
+# @TEST-EXEC: zeek -b -r $TRACES/pop3-unknown-commands.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/pop3
+@load base/frameworks/notice/weird
+
+# It would trigger 10
+redef max_analyzer_violations = 5;
+
+# Do not let DPD logic interfere with this test.
+redef DPD::ignore_violations += { Analyzer::ANALYZER_POP3 };
+
+global c = 0;
+
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
+ {
+ print ++c, "violation", atype, info$c$uid, info$aid, info$reason;
+ }
+
+event pop3_request(c: connection, is_orig: bool, command: string, arg: string)
+ {
+ print "request", c$uid, command, arg;
+ }
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, msg: string)
+ {
+ print "reply", c$uid, cmd, msg;
+ }
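Review bot: The `global c = 0;` counter is shadowed by the `c: connection` parameter of the `pop3_request` and `pop3_reply` handlers, so within this one script `c` is the violation count in `analyzer_violation_info` and the connection two handlers later; renaming the global, e.g. `global n_violations = 0;` and `print ++n_violations, "violation", atype, info$c$uid, info$aid, info$reason;`, removes the ambiguity without changing the baseline. The comment `# It would trigger 10` leaves "it" unstated; something like `# The trace raises 10 POP3 violations; capping at 5 must produce a too_many_analyzer_violations weird and suppress the rest.` ties the redef to the @TEST-DOC and the expected weird.log entry. As far as I recall `AnalyzerViolationInfo$c` is `&optional`, so the unguarded `info$c$uid` would abort the handler for a violation raised without a connection; that cannot happen with this trace, but `info?$c ? info$c$uid : "-"` would keep the handler robust if the test is ever reused with another analyzer.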