Merge remote-tracking branch 'security/topic/awelzel/152-smtp-validate-mail-transactions'

* security/topic/awelzel/152-smtp-validate-mail-transactions:
  smtp: Validate mail transaction and disable SMTP analyzer if excessive
  generic-analyzer-fuzzer: Detect disable_analyzer() from scripts
Tim Wojtulewicz 2023-04-11 15:16:15 -07:00
commit f701f1fc94
17 changed files with 1690 additions and 1511 deletions


@ -0,0 +1,13 @@
# @TEST-EXEC: zeek -b -r $TRACES/smtp-mail-transactions-invalid.pcap %INPUT > out
# @TEST-EXEC: btest-diff smtp.log
# @TEST-EXEC: btest-diff weird.log
# @TEST-EXEC: btest-diff out
@load base/protocols/smtp
redef SMTP::max_invalid_mail_transactions = 2;
hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
{
print network_time(), "disabling_analyzer", c$uid, atype, aid;
}
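Review bot: Neither new test states what it is meant to pin down. This one lowers `SMTP::max_invalid_mail_transactions` to 2 and prints from the `Analyzer::disabling_analyzer` hook, but a reader has to infer from the pcap name that the expected outcome is the SMTP analyzer being disabled once the limit is exceeded. I would add a header line such as `# @TEST-DOC: Replay a pcap with invalid mail transactions and check that the SMTP analyzer is disabled once SMTP::max_invalid_mail_transactions is exceeded.` The second test file (same pcap, no redef) has the same gap, and there it matters more: whether the default limit is expected to be reached is not visible from the file, so a later change to the default could alter the baseline without anyone knowing which behaviour was intended.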


@ -0,0 +1,5 @@
# @TEST-EXEC: zeek -b -r $TRACES/smtp-mail-transactions-invalid.pcap %INPUT
# @TEST-EXEC: btest-diff smtp.log
# @TEST-EXEC: btest-diff weird.log
@load base/protocols/smtp