Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 11:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/src/analyzer/protocol/imap/imap-analyzer.pac
Robin Sommer 2eeddac401 Merge remote-tracking branch 'origin/topic/johanna/imap-starttls' 
BIT-1574 #merged

* origin/topic/johanna/imap-starttls:
  IMAP: add c++11 header file that gcc complains about.
  IMAP: documentation and test updates
  also generate an event when starttls is encounterd for imap.
  Add support of getting server capabilities to IMAP parser.
  Basic IMAP StartTLS analyzer.
2016-04-28 10:11:43 -07:00

76 lines
2.2 KiB
JavaScript
Raw Blame History

refine connection IMAP_Conn += {
%member{
string client_starttls_id;
%}
%init{
%}
function proc_imap_token(is_orig: bool, tag: bytestring, command: bytestring): bool
%{
string commands = std_str(command);
std::transform(commands.begin(), commands.end(), commands.begin(), ::tolower);
string tags = std_str(tag);
//printf("imap %s %s\n", commands.c_str(), tags.c_str());
if ( !is_orig && tags == "*" && commands == "ok" )
bro_analyzer()->ProtocolConfirmation();
if ( is_orig && ( command == "capability" || commands == "starttls" ) )
bro_analyzer()->ProtocolConfirmation();
if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" )
{
bro_analyzer()->ProtocolConfirmation();
// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
bro_analyzer()->SetSkip(true);
return true;
}
if ( is_orig && commands == "starttls" )
{
if ( !client_starttls_id.empty() )
reporter->Weird(bro_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS");
client_starttls_id = tags;
}
if ( !is_orig && !client_starttls_id.empty() && tags == client_starttls_id )
{
if ( commands == "ok" )
{
bro_analyzer()->StartTLS();
BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
}
else
reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
}
return true;
%}
function proc_server_capability(capabilities: Capability[]): bool
%{
VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
for ( unsigned int i = 0; i< capabilities->size(); i++ )
{
const bytestring& capability = (*capabilities)[i]->cap();
capv->Assign(i, new StringVal(capability.length(), (const char*)capability.data()));
}
BifEvent::generate_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), capv);
return true;
%}
};
refine typeattr ImapToken += &let {
proc: bool = $context.connection.proc_imap_token(is_orig, tag, command);
};
refine typeattr ServerCapability += &let {
proc: bool = $context.connection.proc_server_capability(capabilities);
};
Reference in a new issue View git blame Copy permalink