From a3eaeee093c09b147e0b9e1136c782b5d7bcad61 Mon Sep 17 00:00:00 2001
From: Alice Akaki
Date: Thu, 17 Apr 2025 15:04:06 -0400
Subject: [PATCH] detect/mime: fix detect-email-received nits

Remove unused configuration from suricata.yaml
Reduce smtp filters to just one containing the three email.received[] in test.yaml

Fixes: 2a2713e4 ("detect: add test for email.received keyword")
---
 tests/detect-email-received/suricata.yaml | 21 ++-------------------
 tests/detect-email-received/test.yaml     | 12 ++----------
 2 files changed, 4 insertions(+), 29 deletions(-)

diff --git a/tests/detect-email-received/suricata.yaml b/tests/detect-email-received/suricata.yaml
index ae9468a98..0a69c96ee 100644
--- a/tests/detect-email-received/suricata.yaml
+++ b/tests/detect-email-received/suricata.yaml
@@ -6,24 +6,7 @@ outputs:
       enabled: yes
       filename: eve.json
       types:
-        - alert:
-            tagged-packets: yes
-            smtp: custom: [received] # for 'received' logging information
-        - drop:
-            alerts: yes # log alerts that caused drops
-            flows: all # start or all: 'start' logs only a single drop
-        - stats
-        - flow
-  - stats:
-      enabled: yes
-      filename: stats.log
-      append: yes
-
-action-order:
-  - pass
-  - drop
-  - reject
-  - alert
-
-exception-policy: ignore
+        - alert:
+            smtp: yes # enable dumping of smtp fields
diff --git a/tests/detect-email-received/test.yaml b/tests/detect-email-received/test.yaml
index 334e13c60..827a97f43 100644
--- a/tests/detect-email-received/test.yaml
+++ b/tests/detect-email-received/test.yaml
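Review bot: On the new side the `types:` list holds only `alert:`, while test.yaml asserts `event_type: smtp` records carrying `email.received[0..2]`; the removed `custom: [received]` line was the only visible setting that requested the `received` field, so unless an `smtp` eve type that emits it is enabled elsewhere in this file (the hunk's trailing context lines are not visible here) the test may be depending on a default that is not stated. `smtp: yes` nested under `alert:` reads like the older per-protocol alert switch rather than an output type, so it may not be what produces the `smtp` events the test needs; please confirm against the Suricata version the test targets. If the `received` field really is logged by default now, a one-line note such as `# received is emitted by the default smtp eve output; no custom field list needed` would stop the next reader from re-adding the old configuration.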
@@ -10,21 +10,11 @@ checks:
     match:
       event_type: alert
       alert.signature_id: 1
-- filter:
-    count: 1
-    match:
-      event_type: smtp
-      email.received[0]: "from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000"
 - filter:
     count: 1
     match:
       event_type: alert
       alert.signature_id: 2
-- filter:
-    count: 1
-    match:
-      event_type: smtp
-      email.received[1]: "from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000"
 - filter:
     count: 1
     match:
@@ -34,4 +24,6 @@ checks:
     count: 1
     match:
       event_type: smtp
+      email.received[0]: "from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000"
+      email.received[1]: "from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000"
       email.received[2]: "from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123; Thu, 10 Apr 2025 12:02:00 -0000"
-- 
2.47.3
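Review bot: The merged filter now asserts all three `email.received[]` values on one `event_type: smtp` record, which is a stronger check than the three separate filters it replaces, but the index semantics deserve a comment: the fixture's headers are listed in hop order (client to relay1 at index 0, final delivery at index 2, with timestamps 12:00, 12:01, 12:02), whereas MTAs prepend `Received:` lines, so in real traffic index 0 is normally the most recent hop rather than the originating one. A note such as `# received[] follows header order in the message; this fixture lists hops oldest-first` above the match would keep the test from being read as documenting general ordering. The enclosing `checks:` list starts outside the hunk.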