mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00
3f5cb75a2a
oss-fuzz produced FTP traffic with a ~550KB long FTP command. Cap FTP command length at 100 bytes, log a weird if a command is larger than that and move on to the next. Likely it's not actual FTP traffic, but raising an analyzer violation would allow clients an easy way to disable the analyzer by sending an overly long command. The added test PCAP was generated using a fake Python socket server/client.
12 lines
428 B
Text
12 lines
428 B
Text
# @TEST-DOC: Artificially generated pcap with FTP commands of length > 100. Verify generation of the involved logs.
|
|
#
|
|
# @TEST-EXEC: zeek -b -r $TRACES/ftp/fake-long-commands.pcap %INPUT
|
|
# @TEST-EXEC: btest-diff conn.log
|
|
# @TEST-EXEC: btest-diff ftp.log
|
|
# @TEST-EXEC: btest-diff weird.log
|
|
# @TEST-EXEC: test ! -f reporter.log
|
|
|
|
@load base/protocols/conn
|
|
@load base/protocols/ftp
|
|
|
|
redef FTP::logged_commands += { "USER", "SYST" };
|