detect: add test for email.received keyword

Ticket: #7599

diff --git a/tests/detect-email-received/Makefile b/tests/detect-email-received/Makefile
new file mode 100644 (file)
index 0000000..56a83ff
--- /dev/null
+++ b/tests/detect-email-received/Makefile
@@ -0,0 +1,3 @@
+input.pcap: smtp.syn
+       flowsynth.py -f pcap -w $@ $^
+

diff --git a/tests/detect-email-received/README.md b/tests/detect-email-received/README.md
new file mode 100644 (file)
index 0000000..1a35343
--- /dev/null
+++ b/tests/detect-email-received/README.md
@@ -0,0 +1,8 @@
+# Test Description
+Test mime email.received keyword
+
+## PCAP
+From created with Flowsynth
+
+## Redmine Ticket
+https://redmine.openinfosecfoundation.org/issues/7599

diff --git a/tests/detect-email-received/input.pcap b/tests/detect-email-received/input.pcap
new file mode 100644 (file)
index 0000000..e911564
Binary files /dev/null and b/tests/detect-email-received/input.pcap differ

diff --git a/tests/detect-email-received/smtp.syn b/tests/detect-email-received/smtp.syn
new file mode 100644 (file)
index 0000000..32baa8c
--- /dev/null
+++ b/tests/detect-email-received/smtp.syn
@@ -0,0 +1,32 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:25 (tcp.initialize; mss:9000;);
+default < (content:"220 smtpblah.mailserver.xxx.com ESMTP AAAAAAAAA";);
+default > (content:"EHLO Simone\x0d\x0a";);
+default < (content:"250-smtp001.mail.xxx.xxxxx.com\x0d\x0a";);
+default > (content:"MAIL FROM: <xxxxxx@xxxxx.co.uk>\x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: <xxxxx@aba.com>\x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: <xxxxx@example.com>\x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: <cc0@example.com>\x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: <cc1@example.com>\x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: <cc2@example.com>\x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"DATA\x0d\x0a";);
+default < (content:"354 Start mail input; end with <CRLF>.<CRLF>\x0d\x0a";);
+default > (content:"Subject: Test Email\x0d\x0a";);
+default > (content:"Received: from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000\x0d\x0a";);
+default > (content:"Received: from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000\x0d\x0a";);
+default > (content:"Received: from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123; Thu, 10 Apr 2025 12:02:00 -0000\x0d\x0a";);
+default > (content:"From: <xxxxxx@xxxxx.co.uk>\x0d\x0a";);
+default > (content:"To: <xxxxx@aba.com>, <xxxxx@example.com>\x0d\x0a";);
+default > (content:"Cc: cc0 <cc0@example.com>, cc1 <cc1@example.com>, cc2 <cc2@example.com>\x0d\x0a";);
+default > (content:"Content-Type: text/plain; charset=UTF-8\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"Hello, this is a test email.\x0d\x0a";);
+default > (content:".\x0d\x0a";);
+default < (content:"250 ok: queued as 12345\x0d\x0a";);
+default > (content:"QUIT\x0d\x0a";);
+default < (content:"221 smtp001.mail.xxx.xxxxx.com\x0d\x0a";);
\ No newline at end of file

diff --git a/tests/detect-email-received/suricata.yaml b/tests/detect-email-received/suricata.yaml
new file mode 100644 (file)
index 0000000..ae9468a
--- /dev/null
+++ b/tests/detect-email-received/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filename: eve.json
+      types:
+        - alert:
+            tagged-packets: yes
+        - smtp:
+            custom: [received]    # for 'received' logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+        - stats
+        - flow
+  - stats:
+       enabled: yes
+       filename: stats.log
+       append: yes
+
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
+
+exception-policy: ignore

diff --git a/tests/detect-email-received/test.rules b/tests/detect-email-received/test.rules
new file mode 100644 (file)
index 0000000..2e78973
--- /dev/null
+++ b/tests/detect-email-received/test.rules
@@ -0,0 +1,3 @@
+alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc\; Thu, 10 Apr 2025 12:00:00 -0000"; startswith; endswith; bsize:119; sid:1;)
+alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz\; Thu, 10 Apr 2025 12:01:00 -0000"; startswith; endswith; bsize:126; sid:2;)
+alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123\; Thu, 10 Apr 2025 12:02:00 -0000"; startswith; endswith; bsize:130; sid:3;)

diff --git a/tests/detect-email-received/test.yaml b/tests/detect-email-received/test.yaml
new file mode 100644 (file)
index 0000000..334e13c
--- /dev/null
+++ b/tests/detect-email-received/test.yaml
@@ -0,0 +1,37 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none --set stream.inline=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: smtp
+      email.received[0]: "from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000"
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: smtp
+      email.received[1]: "from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000"
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      event_type: smtp
+      email.received[2]: "from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123; Thu, 10 Apr 2025 12:02:00 -0000"