From: Philippe Antoine
Date: Thu, 31 Aug 2023 09:52:15 +0000 (+0200)
Subject: mime: add previous suricata unit tests
X-Git-Tag: suricata-6.0.15~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F1400%2Fhead;p=thirdparty%2Fsuricata-verify.git

mime: add previous suricata unit tests mime: fix tests for bug-6207 Fix manually crafted pcaps to have valid MIME headers folding beginning with space And removing the test for BODY_BOUND which is becoming obsolete
---
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/README.md b/tests/mime/mime-dec-parse-full-msg-test01/README.md
new file mode 100644
index 000000000..4f2d42d1a
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseFullMsgTest01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/input.pcap b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap
new file mode 100644
index 000000000..5e9e92d80
Binary files /dev/null and b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/test.yaml b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/README.md b/tests/mime/mime-dec-parse-full-msg-test02/README.md
new file mode 100644
index 000000000..b1f1cc9fc
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseFullMsgTest02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/input.pcap b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap
new file mode 100644
index 000000000..fa58468f2
Binary files /dev/null and b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/test.yaml b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
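Review bot: `smtp.mail_from:` in the second filter is left without a value, which YAML loads as null, so this check can only pass when the eve record has no `mail_from` (or a null one) rather than asserting what the crafted pcap's `MAIL FROM` actually produced; if an empty sender is the intent, make it explicit with `smtp.mail_from: ""` or whichever literal the eve record carries. The same unvalued key appears in every test.yaml of this change (the hunks for full-msg-test02, parse-line-test01/02, long-filename01/02, odd-len, rem-sp, small-rem-inp and very-small-inp), so one decision should be applied to all of them. The first filter in each file also pins the APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION anomaly at pcap_cnt 6, which looks like an artifact of the hand-crafted pcap rather than of the MIME behaviour under test; a one-line comment above it such as `# crafted pcap yields one-directional proto detection; not the subject of this test` would keep a later pcap fix from failing ten tests for an unrelated reason.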
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-line-test01/README.md b/tests/mime/mime-dec-parse-line-test01/README.md
new file mode 100644
index 000000000..1d926984e
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLineTest01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-line-test01/input.pcap b/tests/mime/mime-dec-parse-line-test01/input.pcap
new file mode 100644
index 000000000..3e8bb266b
Binary files /dev/null and b/tests/mime/mime-dec-parse-line-test01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-line-test01/test.yaml b/tests/mime/mime-dec-parse-line-test01/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test01/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-line-test02/README.md b/tests/mime/mime-dec-parse-line-test02/README.md
new file mode 100644
index 000000000..07ee83aa3
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLineTest02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-line-test02/input.pcap b/tests/mime/mime-dec-parse-line-test02/input.pcap
new file mode 100644
index 000000000..56fc12bf4
Binary files /dev/null and b/tests/mime/mime-dec-parse-line-test02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-line-test02/test.yaml b/tests/mime/mime-dec-parse-line-test02/test.yaml
new file mode 100644
index 000000000..3b802ce14
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test02/test.yaml
@@ -0,0 +1,47 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ email.url[0]: www.test.com/malware.exe?hahah
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-long-filename01/README.md b/tests/mime/mime-dec-parse-long-filename01/README.md
new file mode 100644
index 000000000..158ae9697
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLongFilename01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-long-filename01/input.pcap b/tests/mime/mime-dec-parse-long-filename01/input.pcap
new file mode 100644
index 000000000..770719109
Binary files /dev/null and b/tests/mime/mime-dec-parse-long-filename01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-long-filename01/test.yaml b/tests/mime/mime-dec-parse-long-filename01/test.yaml
new file mode 100644
index 000000000..701e46805
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename01/test.yaml
@@ -0,0 +1,86 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: MIME_LONG_FILENAME
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ fileinfo.gaps: false
+ fileinfo.size: 25
+ fileinfo.state: CLOSED
+ fileinfo.stored: false
+ fileinfo.tx_id: 0
+ pcap_cnt: 15
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-long-filename02/README.md b/tests/mime/mime-dec-parse-long-filename02/README.md
new file mode 100644
index 000000000..4821e2937
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLongFilename02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-long-filename02/input.pcap b/tests/mime/mime-dec-parse-long-filename02/input.pcap
new file mode 100644
index 000000000..91cd1f346
Binary files /dev/null and b/tests/mime/mime-dec-parse-long-filename02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-long-filename02/test.yaml b/tests/mime/mime-dec-parse-long-filename02/test.yaml
new file mode 100644
index 000000000..aa1581fe8
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename02/test.yaml
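Review bot: The `email.attachment[0]` and `fileinfo.filename` values in the third and fourth filters are a repeated `12characters` string cut off mid-word at `...12c`, which together with the MIME_LONG_FILENAME anomaly pinned in the second filter presumably encodes the parser's filename length cap, but nothing in the file says so and the three literals must stay identical. A short comment above the third filter, such as `# attachment name exceeds the MIME filename limit: anomaly raised and name truncated to the cap`, would explain why they have to agree and what to update if the cap ever changes. The companion hunk for long-filename02 asserts a short `.exe` name and has no MIME_LONG_FILENAME filter; noting there that it is the within-limit counterpart would make the pair easier to maintain.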
@@ -0,0 +1,71 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 12characters12characters12characters.exe
+ fileinfo.gaps: false
+ fileinfo.size: 25
+ fileinfo.state: CLOSED
+ fileinfo.stored: false
+ fileinfo.tx_id: 0
+ pcap_cnt: 15
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-odd-len/README.md b/tests/mime/mime-dec-parse-odd-len/README.md
new file mode 100644
index 000000000..b5f1032a6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-odd-len/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseOddLen.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-odd-len/input.pcap b/tests/mime/mime-dec-parse-odd-len/input.pcap
new file mode 100644
index 000000000..e1b7326cb
Binary files /dev/null and b/tests/mime/mime-dec-parse-odd-len/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-odd-len/test.yaml b/tests/mime/mime-dec-parse-odd-len/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-odd-len/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-rem-sp/README.md b/tests/mime/mime-dec-parse-rem-sp/README.md
new file mode 100644
index 000000000..e70e497d4
--- /dev/null
+++ b/tests/mime/mime-dec-parse-rem-sp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseRemSp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-rem-sp/input.pcap b/tests/mime/mime-dec-parse-rem-sp/input.pcap
new file mode 100644
index 000000000..a4c573113
Binary files /dev/null and b/tests/mime/mime-dec-parse-rem-sp/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-rem-sp/test.yaml b/tests/mime/mime-dec-parse-rem-sp/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-rem-sp/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/README.md b/tests/mime/mime-dec-parse-small-rem-inp/README.md
new file mode 100644
index 000000000..ca2e72536
--- /dev/null
+++ b/tests/mime/mime-dec-parse-small-rem-inp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseSmallRemInp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/input.pcap b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap
new file mode 100644
index 000000000..1b4b1bed3
Binary files /dev/null and b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/test.yaml b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-very-small-inp/README.md b/tests/mime/mime-dec-very-small-inp/README.md
new file mode 100644
index 000000000..2a5c41e3e
--- /dev/null
+++ b/tests/mime/mime-dec-very-small-inp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecVerySmallInp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-very-small-inp/input.pcap b/tests/mime/mime-dec-very-small-inp/input.pcap
new file mode 100644
index 000000000..d217b5124
Binary files /dev/null and b/tests/mime/mime-dec-very-small-inp/input.pcap differ
diff --git a/tests/mime/mime-dec-very-small-inp/test.yaml b/tests/mime/mime-dec-very-small-inp/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-very-small-inp/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1