mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
cf9fe91705
The cmds list may grow unbounded due to the POP3 analyzer being in multiLine mode after seeing `AUTH` in a Redis connection, but never a `.` terminator. This can easily be provoked by the Redis ping command. This adds two heuristics: 1) Forcefully process the oldest commands in the cmds list and cap it at max_pending_commands. 2) Start raising analyzer violations if the client has been using more than max_unknown_client_commands commands (default 10). Closes #3936
20 lines
667 B
Text
20 lines
667 B
Text
# @TEST-DOC: The POP3 signature triggered on Redis traffic. Ensure the analyzer is eventually removed to avoid.
|
|
# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/redis-50-pings.pcap %INPUT >out
|
|
# @TEST-EXEC: btest-diff conn.log
|
|
# @TEST-EXEC: btest-diff out
|
|
# @TEST-EXEC: btest-diff weird.log
|
|
# @TEST-EXEC: btest-diff analyzer.log
|
|
|
|
@load base/frameworks/notice/weird
|
|
@load base/protocols/conn
|
|
@load base/protocols/pop3
|
|
|
|
event pop3_request(c: connection, is_orig: bool, cmd: string, arg: string)
|
|
{
|
|
print c$uid, "pop3_request", is_orig, cmd, arg;
|
|
}
|
|
|
|
event pop3_reply(c: connection, is_orig: bool, cmd: string, arg: string)
|
|
{
|
|
print c$uid, "pop3_reply", is_orig, cmd, arg;
|
|
}
|