GH-1352: Added flag to stop processing SMTP headers in attached

messages
zeek · Jan 21, 2021 · 25de6f2 · 25de6f2
1 parent 931a39b
commit 25de6f2
Show file tree

Hide file tree

Showing 7 changed files with 1,540 additions and 1,508 deletions.
diff --git a/scripts/base/protocols/smtp/main.zeek b/scripts/base/protocols/smtp/main.zeek
@@ -62,6 +62,9 @@ export {
 		process_received_from: bool        &default=T;
 		## Indicates if client activity has been seen, but not yet logged.
 		has_client_activity:  bool            &default=F;
+		## Indicates if the SMTP headers should still be processed.
+		process_smtp_headers:  bool        &default=T;
+		entity_count:	       count	   &default=0;
 	};
 
 	type State: record {
@@ -219,7 +222,7 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
 
 event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 	{
-	if ( ! c?$smtp ) return;
+	if ( ! c?$smtp || ! c$smtp$process_smtp_headers ) return;
 
 	if ( h$name == "MESSAGE-ID" )
 		c$smtp$msg_id = h$value;
@@ -288,7 +291,8 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=3
 	# If we've decided that we're done watching the received headers for
 	# whatever reason, we're done.  Could be due to only watching until
 	# local addresses are seen in the received from headers.
-	if ( ! c?$smtp || h$name != "RECEIVED" || ! c$smtp$process_received_from )
+	if ( ! c?$smtp || h$name != "RECEIVED" || ! c$smtp$process_received_from ||
+	     ! c$smtp$process_smtp_headers )
 		return;
 
 	local text_ip = find_address_in_smtp_header(h$value);
@@ -305,6 +309,19 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=3
 		c$smtp$path += ip;
 	}
 
+# This event handler sets the flag to stop processing SMTP headers if
+# any sub-entity is found.
+event mime_begin_entity(c: connection) &priority=5
+	{
+	if ( c?$smtp )
+		{
+		++c$smtp$entity_count;
+
+		if ( c$smtp$entity_count > 1 )
+			c$smtp$process_smtp_headers = F;
+		}
+	}
+
 hook finalize_smtp(c: connection)
 	{
 	if ( c?$smtp )

diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.attachment-msg/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.attachment-msg/smtp.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	cc	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	56660	::1	25	1	localhost.localdomain	sender@example.com	recipient@example.com	-	sender@example.com	recipient@example.com	-	-	-	-	subject	-	-	-	-	::1,::1	-	F	FbiWxy1DVPZVVnWJYe,FRF0Sp1MNQgFjUxRy1
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
diff --git a/testing/btest/Traces/smtp-attachment-msg.pcap b/testing/btest/Traces/smtp-attachment-msg.pcap
diff --git a/testing/btest/scripts/base/protocols/smtp/attachment-msg.test b/testing/btest/scripts/base/protocols/smtp/attachment-msg.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/smtp-attachment-msg.pcap %INPUT
+# @TEST-EXEC: btest-diff smtp.log
+
+@load base/protocols/smtp