smtp: add test for long DATA post boundary
authorShivani Bhardwaj <shivanib134@gmail.com>
Fri, 5 May 2023 08:24:15 +0000 (13:54 +0530)
committerVictor Julien <victor@inliniac.net>
Fri, 17 Nov 2023 08:33:44 +0000 (09:33 +0100)
tests/smtp-bug-5981/README.md [new file with mode: 0644]
tests/smtp-bug-5981/input.pcap [new file with mode: 0644]
tests/smtp-bug-5981/suricata.yaml [new file with mode: 0644]
tests/smtp-bug-5981/test.yaml [new file with mode: 0644]

diff --git a/tests/smtp-bug-5981/README.md b/tests/smtp-bug-5981/README.md
new file mode 100644 (file)
index 0000000..4d4bd09
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows how we handle long DATA lines for SMTP.
+
+## PCAP
+
+PCAP comes from ttps://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
+and has been modified to have a really long DATA line (6512 Bytes).
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5981
diff --git a/tests/smtp-bug-5981/input.pcap b/tests/smtp-bug-5981/input.pcap
new file mode 100644 (file)
index 0000000..64e9c59
Binary files /dev/null and b/tests/smtp-bug-5981/input.pcap differ
diff --git a/tests/smtp-bug-5981/suricata.yaml b/tests/smtp-bug-5981/suricata.yaml
new file mode 100644 (file)
index 0000000..68e84b7
--- /dev/null
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+        - smtp
+        - anomaly
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: yes
diff --git a/tests/smtp-bug-5981/test.yaml b/tests/smtp-bug-5981/test.yaml
new file mode 100644 (file)
index 0000000..1ebf667
--- /dev/null
@@ -0,0 +1,64 @@
+requires:
+  features:
+    - HAVE_NSS
+  min-version: 7
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: anomaly
+      src_ip: 192.168.1.4
+      src_port: 3326
+      dest_ip: 217.12.11.66
+      dest_port: 587
+      proto: TCP
+      pkt_src: wire/pcap
+      tx_id: 0
+      anomaly.app_proto: smtp
+      anomaly.type: applayer
+      anomaly.event: TRUNCATED_LINE
+      anomaly.layer: proto_parser
+
+- filter:
+    count: 1
+    match:
+      event_type: fileinfo
+      fileinfo.filename: winmail.dat
+      fileinfo.sha256: 5f41c213e35d8421647181cc9b8925a5b2ab34c23102907581214fd574157fff
+      fileinfo.size: 10451
+
+- filter:
+    count: 1
+    match:
+      event_type: smtp
+      src_ip: 192.168.1.4
+      src_port: 3326
+      dest_ip: 217.12.11.66
+      dest_port: 587
+      proto: TCP
+      pkt_src: wire/pcap
+      tx_id: 0
+      smtp.helo: Percival
+      smtp.mail_from: <xxxxxx@xxxxx.co.uk>
+      smtp.rcpt_to[0]: <xxxxxx@xxxxx.co.uk>
+      email.status: PARSE_DONE
+      email.from: '"Xxxxxx xxxx" <xxxxxx@xxxxx.co.uk>'
+      email.to[0]: <xxxxxx@xxxxx.co.uk>
+
+- filter:
+    count: 1
+    match:
+      event_type: smtp
+      src_ip: 192.168.1.4
+      src_port: 3326
+      dest_ip: 217.12.11.66
+      dest_port: 587
+      proto: TCP
+      pkt_src: stream (flow timeout)
+      tx_id: 1
+      smtp.helo: Percival
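Review bot: The `count: 0` anomaly filter is pinned to a full tuple (src/dest, port, `pkt_src`, `tx_id: 0`, layer), so a `TRUNCATED_LINE` anomaly emitted with any other value — for instance on `tx_id: 1`, which the last check shows is also logged for this flow, or from the flow-timeout path rather than `wire/pcap` — would still leave the check passing; a negative check should match as little as possible, e.g. `event_type: anomaly`, `anomaly.app_proto: smtp`, `anomaly.event: TRUNCATED_LINE` and nothing else. The `requires` block combines `min-version: 7` with `HAVE_NSS`; if the 7.x build no longer reports that feature (hashing moved away from libnss around that release, as far as I recall), the test is silently skipped everywhere, so it is worth confirming the feature gate is still needed for the `fileinfo.sha256` check or dropping it. A one-line comment above the anomaly filter saying `# regression guard for bug 5981: the 6512-byte DATA line must not be flagged as truncated` would also tie the negative check to the issue the README cites.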