detect: add test for email.body_md5 keyword
authorAlice Akaki <akakialice@gmail.com>
Mon, 14 Apr 2025 19:23:02 +0000 (15:23 -0400)
committerPhilippe Antoine <pantoine@oisf.net>
Thu, 18 Sep 2025 12:54:26 +0000 (14:54 +0200)
Ticket: #7587

tests/detect-email-body_md5-disabled/README.md [new file with mode: 0644]
tests/detect-email-body_md5-disabled/suricata.yaml [new file with mode: 0644]
tests/detect-email-body_md5-disabled/test.rules [new file with mode: 0644]
tests/detect-email-body_md5-disabled/test.yaml [new file with mode: 0644]
tests/detect-email-body_md5/README.md [new file with mode: 0644]
tests/detect-email-body_md5/suricata.yaml [new file with mode: 0644]
tests/detect-email-body_md5/test.rules [new file with mode: 0644]
tests/detect-email-body_md5/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-email-body_md5-disabled/README.md b/tests/detect-email-body_md5-disabled/README.md
new file mode 100644 (file)
index 0000000..703adcb
--- /dev/null
@@ -0,0 +1,10 @@
+# Test Description
+
+Test mime email.body_md5 keyword when suricata.yaml disables it
+Use ``requires`` keyword
+
+## PCAP
+From ../bug-3616-smtp/input.pcap
+
+## Redmine Ticket
+https://redmine.openinfosecfoundation.org/issues/7587
diff --git a/tests/detect-email-body_md5-disabled/suricata.yaml b/tests/detect-email-body_md5-disabled/suricata.yaml
new file mode 100644 (file)
index 0000000..d6139ab
--- /dev/null
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - smtp:
+            extended: yes
+            md5: [body, subject]
+        - alert:
+            smtp: yes
+
+app-layer:
+  protocols:
+    smtp:
+      enabled: yes
+      raw-extraction: no
+      mime:
+        decode-mime: yes
+        decode-base64: yes
+        body-md5: no
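Review bot: The eve `smtp` output on lines 47-49 still requests `md5: [body, subject]` while `body-md5: no` on the last line is the setting under test, and nothing in the file says that contrast is deliberate. A later reader could "fix" the apparent inconsistency by dropping the `md5` list and silently weaken the test, which (per its test.yaml) relies on the hash staying out of the smtp events even though the logger asks for it. I would add above the last line: `# Under test: with app-layer body hashing disabled, neither the email.body_md5 keyword nor the eve md5 list above may yield a body hash.` The subject hash is requested here but never asserted anywhere; if it is meant to be suppressed as well, a matching `count: 0` filter in test.yaml would pin that.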
diff --git a/tests/detect-email-body_md5-disabled/test.rules b/tests/detect-email-body_md5-disabled/test.rules
new file mode 100644 (file)
index 0000000..f4ccdd7
--- /dev/null
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"Test mime email body_md5"; requires: keyword email.body_md5; email.body_md5; content:"ed00c81b85fa455d60e19f1230977134"; sid:1;)
diff --git a/tests/detect-email-body_md5-disabled/test.yaml b/tests/detect-email-body_md5-disabled/test.yaml
new file mode 100644 (file)
index 0000000..6b0adc3
--- /dev/null
@@ -0,0 +1,24 @@
+requires:
+  min-version: 9
+
+pcap: ../bug-3616-smtp/input.pcap
+
+args:
+  - -k none --set stream.inline=true
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: smtp
+      email.body_md5: "ed00c81b85fa455d60e19f1230977134"
+- filter:
+    count: 2
+    match:
+      event_type: smtp
+# test stdout has Info: detect-requires: Suricata did not meet the rule requirements: Suricata missing a required keyword: keyword email.body_md5 [DetectRequiresSetup:detect-requires.c:38]
\ No newline at end of file
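Review bot: The expected `detect-requires` message on line 96 is recorded only as a comment, so the test never asserts that the rule was actually skipped by `requires`. If a future change registers `email.body_md5` regardless of `body-md5: no` but leaves the buffer empty, both `count: 0` filters still pass and the test silently stops covering the skip path the README describes. I would turn the comment into a check — a filter on the rules-skipped counter if the harness and this suricata.yaml expose the stats event (something like `stats.detect.engines[0].rules_skipped: 1`, to be confirmed against the eve stats schema), or otherwise a `shell` check that greps the captured stdout for `missing a required keyword`. The file also lacks a trailing newline (line 97), which yamllint flags.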
diff --git a/tests/detect-email-body_md5/README.md b/tests/detect-email-body_md5/README.md
new file mode 100644 (file)
index 0000000..744dc46
--- /dev/null
@@ -0,0 +1,8 @@
+# Test Description
+Test mime email.body_md5 keyword
+
+## PCAP
+From ../bug-3616-smtp/input.pcap
+
+## Redmine Ticket
+https://redmine.openinfosecfoundation.org/issues/7587
\ No newline at end of file
diff --git a/tests/detect-email-body_md5/suricata.yaml b/tests/detect-email-body_md5/suricata.yaml
new file mode 100644 (file)
index 0000000..27a179c
--- /dev/null
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - smtp:
+            extended: yes
+            md5: [body, subject]
+        - alert:
+            smtp: yes
+
+app-layer:
+  protocols:
+    smtp:
+      enabled: yes
+      raw-extraction: no
+      mime:
+        decode-mime: yes
+        decode-base64: yes
+        body-md5: auto
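Review bot: With `md5: [body, subject]` requested by the eve smtp output on line 128 and `body-md5: auto` on line 140, the test cannot tell whether hashing was enabled because the rule uses `email.body_md5` or because the logger asked for it, so the detection-side `auto` path is not isolated. A variant of this test with the eve `md5` list removed, asserting only the `sid:1` alert, would prove that a rule using the keyword is enough on its own; at minimum this file should say why `auto` rather than `yes` is used. I would add above the last line: `# auto: hashing is expected to be switched on by whichever consumer needs it (here the email.body_md5 rule and the eve md5 list); see the -disabled sibling for the opposite case.` The exact semantics of `auto` are not visible in this diff, so the comment should stay hedged until confirmed against the app-layer code.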
diff --git a/tests/detect-email-body_md5/test.rules b/tests/detect-email-body_md5/test.rules
new file mode 100644 (file)
index 0000000..f4ccdd7
--- /dev/null
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"Test mime email body_md5"; requires: keyword email.body_md5; email.body_md5; content:"ed00c81b85fa455d60e19f1230977134"; sid:1;)
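Review bot: The `content` match on line 146 is a substring match against the `email.body_md5` buffer, so it would also pass if the buffer ever carried extra bytes around the hash (a prefix, a trailing newline, a second hash appended), which is exactly the kind of regression a keyword test exists to catch. Pinning the buffer shape makes the assertion exact: `email.body_md5; content:"ed00c81b85fa455d60e19f1230977134"; bsize:32;`. The same rule file (identical blob `f4ccdd7`) is used by the -disabled test, where `requires` prevents it from loading, so the change is harmless there.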
diff --git a/tests/detect-email-body_md5/test.yaml b/tests/detect-email-body_md5/test.yaml
new file mode 100644 (file)
index 0000000..79c0c67
--- /dev/null
@@ -0,0 +1,19 @@
+requires:
+  min-version: 9
+
+pcap: ../bug-3616-smtp/input.pcap
+
+args:
+  - -k none --set stream.inline=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: smtp
+      email.body_md5: "ed00c81b85fa455d60e19f1230977134"
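Review bot: The two filters check the alert and the smtp record independently, so nothing ties the `sid:1` alert to the transaction whose body hash is `ed00…`; with `alert.smtp: yes` enabled in this test's suricata.yaml the alert event should carry the email metadata, and a third filter would pin that link. Unlike the -disabled sibling, this file also does not assert the total number of smtp events (`count: 2` there), so a regression that produced the hash on both transactions would go unnoticed; adding the same total keeps the two tests symmetric. Whether the alert event actually includes `email.*` fields depends on the smtp alert-metadata logger, which is not visible here, so the first addition should be confirmed against eve.json before landing.

```yaml
checks:
# … unchanged: existing alert and smtp filters …
- filter:
    count: 1
    match:
      event_type: alert
      alert.signature_id: 1
      email.body_md5: "ed00c81b85fa455d60e19f1230977134"
- filter:
    count: 2
    match:
      event_type: smtp
```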