email: test body-md5 auto setting without rules

Ticket: 7587

Verify that we do not output a body_md5

diff --git a/tests/detect-email-body_md5-auto/README.md b/tests/detect-email-body_md5-auto/README.md
new file mode 100644 (file)
index 0000000..521adc9
--- /dev/null
+++ b/tests/detect-email-body_md5-auto/README.md
@@ -0,0 +1,9 @@
+# Test Description
+
+Test body_md5 auto setting without rules using email.body_md5 keyword
+
+## PCAP
+From ../bug-3616-smtp/input.pcap
+
+## Redmine Ticket
+https://redmine.openinfosecfoundation.org/issues/7587

diff --git a/tests/detect-email-body_md5-auto/suricata.yaml b/tests/detect-email-body_md5-auto/suricata.yaml
new file mode 100644 (file)
index 0000000..27a179c
--- /dev/null
+++ b/tests/detect-email-body_md5-auto/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - smtp:
+            extended: yes
+            md5: [body, subject]
+        - alert:
+            smtp: yes
+
+app-layer:
+  protocols:
+    smtp:
+      enabled: yes
+      raw-extraction: no
+      mime:
+        decode-mime: yes
+        decode-base64: yes
+        body-md5: auto

diff --git a/tests/detect-email-body_md5-auto/test.yaml b/tests/detect-email-body_md5-auto/test.yaml
new file mode 100644 (file)
index 0000000..0793bff
--- /dev/null
+++ b/tests/detect-email-body_md5-auto/test.yaml
@@ -0,0 +1,18 @@
+requires:
+  min-version: 9
+
+pcap: ../bug-3616-smtp/input.pcap
+
+args:
+  - -k none --set stream.inline=true
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: smtp
+      has-key: email.body_md5
+- filter:
+    count: 2
+    match:
+      event_type: smtp