Remove unused configuration from suricata.yaml
Reduce the smtp filters in test.yaml to a single filter that matches
all three email.received[] entries
Fixes: 2a2713e4 ("detect: add test for email.received keyword")
enabled: yes
filename: eve.json
types:
- - alert:
- tagged-packets: yes
- smtp:
custom: [received] # for 'received' logging information
- - drop:
- alerts: yes # log alerts that caused drops
- flows: all # start or all: 'start' logs only a single drop
- - stats
- - flow
- - stats:
- enabled: yes
- filename: stats.log
- append: yes
-
-action-order:
- - pass
- - drop
- - reject
- - alert
-
-exception-policy: ignore
+ - alert:
+ smtp: yes # enable dumping of smtp fields
match:
event_type: alert
alert.signature_id: 1
-- filter:
- count: 1
- match:
- event_type: smtp
- email.received[0]: "from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000"
- filter:
count: 1
match:
event_type: alert
alert.signature_id: 2
-- filter:
- count: 1
- match:
- event_type: smtp
- email.received[1]: "from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000"
- filter:
count: 1
match:
count: 1
match:
event_type: smtp
+ email.received[0]: "from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000"
+ email.received[1]: "from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000"
email.received[2]: "from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123; Thu, 10 Apr 2025 12:02:00 -0000"