Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/scripts/base/frameworks/notice
History
Arne Welzel b8dc6ad120 smtp: Validate mail transaction and disable SMTP analyzer if excessive 
An invalid mail transaction is determined as

* RCPT TO command without a preceding MAIL FROM
* a DATA command without a preceding RCPT TO

and logged as a weird.

The testing pcap for invalid mail transactions was produced with a Python
script against a local exim4 configured to accept more errors and unknown
commands than 3 by default:

    # exim4.conf.template
    smtp_max_synprot_errors = 100
    smtp_max_unknown_commands = 100

See also: https://www.rfc-editor.org/rfc/rfc5321#section-3.3
2023-03-27 18:41:47 +02:00
..
actions Spelling fixes: scripts 2022-11-02 17:36:39 -04:00
__load__.zeek GH-379: move catch-and-release and unified2 scripts to policy/ 2019-06-05 13:33:45 -07:00
main.zeek frameworks/notice: Handle fa_file with no or more than a single connection better 2022-12-06 11:17:30 +01:00
README More bro-to-zeek renaming in scripts and other files 2019-05-16 02:36:41 -05:00
weird.zeek smtp: Validate mail transaction and disable SMTP analyzer if excessive 2023-03-27 18:41:47 +02:00

README 

The notice framework enables Zeek to "notice" things which are odd or
potentially bad, leaving it to the local configuration to define which
of them are actionable.  This decoupling of detection and reporting allows
Zeek to be customized to the different needs that sites have.