mime: add tests for bug 6207
authorShivani Bhardwaj <shivanib134@gmail.com>
Tue, 11 Jul 2023 16:40:40 +0000 (22:10 +0530)
committerVictor Julien <victor@inliniac.net>
Thu, 13 Jul 2023 20:17:03 +0000 (22:17 +0200)
tests/bug-6207-1/README.md [new file with mode: 0644]
tests/bug-6207-1/input.pcap [new file with mode: 0644]
tests/bug-6207-1/invalid-base64-mime.syn [new file with mode: 0644]
tests/bug-6207-1/test.yaml [new file with mode: 0644]
tests/bug-6207-2/README.md [new file with mode: 0644]
tests/bug-6207-2/input.pcap [new file with mode: 0644]
tests/bug-6207-2/invalid-base64-mime.syn [new file with mode: 0644]
tests/bug-6207-2/suricata.rules [new file with mode: 0644]
tests/bug-6207-2/suricata.yaml [new file with mode: 0644]
tests/bug-6207-2/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-6207-1/README.md b/tests/bug-6207-1/README.md
new file mode 100644 (file)
index 0000000..7d49721
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows that base64 encoded MIME data with invalid characters should
+ideally be accepted with all invalid characters skipped.
+
+## PCAP
+
+Manually created
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6207
diff --git a/tests/bug-6207-1/input.pcap b/tests/bug-6207-1/input.pcap
new file mode 100644 (file)
index 0000000..26fafb5
Binary files /dev/null and b/tests/bug-6207-1/input.pcap differ
diff --git a/tests/bug-6207-1/invalid-base64-mime.syn b/tests/bug-6207-1/invalid-base64-mime.syn
new file mode 100644 (file)
index 0000000..a1abf87
--- /dev/null
@@ -0,0 +1,42 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:25 (tcp.initialize; mss:9000;);
+default < (content:"220 smtp.server.com ESMTP Postfix\x0d\x0a";);
+default > (content:"EHLO smtp.intra\x0d\x0a";);
+default < (content:"250-smtp.lab.com\x0d\x0a250-PIPELINING\x0d\x0a250-SIZE 10240000\x0d\x0a250-VRFY\x0d\x0a250-ETRN\x0d\x0a250-STARTTLS\x0d\x0a250-ENHANCEDSTATUSCODES\x0d\x0a250-8BITMIME\x0d\x0a250-DSN\x0d\x0a250-SMTPUTF8\x0d\x0a250 CHUNKING\x0d\x0a";);
+default > (content:"MAIL FROM:blah@smtp.lab.com\x0d\x0a";);
+default < (content:"250 2.1.0 Ok\x0d\x0a";);
+default > (content:"RCPT TO:test@wut.com\x0d\x0a";);
+default < (content:"250 2.1.5 Ok\x0d\x0a";);
+default > (content:"DATA\x0d\x0a";);
+default < (content:"354 End data with <CR><LF>.<CR><LF>\x0d\x0a";);
+default > (content:"Subject: SMTPbelka-test_sans_name2021-03-08-17:28:53-221a0d8d17b3b41e28ec113dcabb55da7bdb03a8c0bb5d3de252f5d69347aa4d.zip\x0d\x0a";);
+default > (content:"Content-Type: multipart/mixed; boundary=KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"This is a MIME formatted message.  If you see this text it means that your\x0d\x0a";);
+default > (content:"email software does not support MIME formatted messages.\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: text/plain; charset=UTF-8; format=flowed\x0d\x0a";);
+default > (content:"Content-Disposition: inline\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"Ceci est un test\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: application/zip;\x0d\x0a";);
+default > (content:"Content-Transfer-Encoding: base64\x0d\x0a";);
+default > (content:"Content-Disposition: attachment;\x0d\x0afilename*0=smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13;\x0d\x0afilename*1=ddf80e995fd98ae442f3be499ea928c67f..zip\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"UEsDBBQAAAAIAMGLWFIeAcE7CsgAAADIAAAdABwAc2Fpbi0yMDIxLTAyLTI0VDE3LTMwLTAxWi50\x0d\x0a";);
+default > (content:"eHRVVAkAAxmNNmAZjTZgdXgLAAEEcQAAAAT+/wAAAAuA9H9xrzNtrXD6Avu6lf86JhdtXpj+V+CV\x0d\x0a";);
+default > (content:"TQ3MBns/euhyQpaFS34j/1zGPp95UrLemiRgwzVyovXXbnHVAfflBmdR99srXFv4q5T5s2Lk38ZH\x0d\x0a";);
+default > (content:"VUTKzuXSaeVqtozS6u9XFMZZT/8rYwuqoJXTJGoIAVRFVbljGJt/7YX05QOtUCjS5PAKoNeVMNQ5\x0d\x0a";);
+default > (content:"AIZzgHnecqFuvMX3TjvZmW01SCiDnEU8nfBqsxoEn3bpPAEP9d0M8Ybl6b6L06dJEu++P6Uzo7hw\x0d\x0a";);
+default > (content:"b c ;* #$%^@%)(*-  \x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq--\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a.\x0d\x0a";);
+default < (content:"250 2.0.0 Ok: queued as 5C19921E0D\x0d\x0a";);
+default > (content:"quit\x0d\x0a";);
+default < (content:"221 2.0.0 Bye\x0d\x0a";);
diff --git a/tests/bug-6207-1/test.yaml b/tests/bug-6207-1/test.yaml
new file mode 100644 (file)
index 0000000..3c8135c
--- /dev/null
@@ -0,0 +1,30 @@
+requires:
+  min-version: 7
+
+args:
+- -k none
+
+exit-code: 0
+
+checks:
+- filter:
+    count: 1
+    match:
+      app_proto: smtp
+      email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+      email.status: BODY_END_BOUND
+      event_type: fileinfo
+      fileinfo.filename: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+      fileinfo.size: 286
+      smtp.helo: smtp.intra
+      smtp.mail_from: blah@smtp.lab.com
+      smtp.rcpt_to[0]: test@wut.com
+- filter:
+    count: 1
+    match:
+      email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+      email.status: PARSE_DONE
+      event_type: smtp
+      smtp.helo: smtp.intra
+      smtp.mail_from: blah@smtp.lab.com
+      smtp.rcpt_to[0]: test@wut.com
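Review bot: The fileinfo check at the `fileinfo.size: 286` line pins only the decoded length, so a decoder that drops a different subset of the invalid characters in the `b c ;* #$%^@%)(*-` line of the .syn yet still produces 286 bytes would pass; the sibling bug-6207-2/test.yaml pins `fileinfo.state: CLOSED` and `fileinfo.sha256`, and this test should do the same. Adding `fileinfo.state: CLOSED` and `fileinfo.sha256: <sha256-of-expected-decoded-attachment>` to the first match block would make the "all invalid characters skipped" behaviour the README describes observable rather than inferred from the size. bug-6207-2 ships a suricata.yaml with file-store enabled, whereas this test relies on the default configuration; if that default does not compute file hashes, the same config (or a hash setting) is needed before the sha256 field appears — worth confirming against the eve output.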
diff --git a/tests/bug-6207-2/README.md b/tests/bug-6207-2/README.md
new file mode 100644 (file)
index 0000000..11f5f42
--- /dev/null
@@ -0,0 +1,19 @@
+# Test Description
+
+Test for the edge case that should be handled properly by MIME decoder while
+following RFC2045.
+
+```
+NA=
+=Mg
+==
+```
+should ideally get decoded to `42` as demonstrated in this test.
+
+## PCAP
+
+Manually created.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6207
diff --git a/tests/bug-6207-2/input.pcap b/tests/bug-6207-2/input.pcap
new file mode 100644 (file)
index 0000000..89ac39c
Binary files /dev/null and b/tests/bug-6207-2/input.pcap differ
diff --git a/tests/bug-6207-2/invalid-base64-mime.syn b/tests/bug-6207-2/invalid-base64-mime.syn
new file mode 100644 (file)
index 0000000..d8e9a14
--- /dev/null
@@ -0,0 +1,39 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:25 (tcp.initialize; mss:9000;);
+default < (content:"220 smtp.server.com ESMTP Postfix\x0d\x0a";);
+default > (content:"EHLO smtp.intra\x0d\x0a";);
+default < (content:"250-smtp.lab.com\x0d\x0a250-PIPELINING\x0d\x0a250-SIZE 10240000\x0d\x0a250-VRFY\x0d\x0a250-ETRN\x0d\x0a250-STARTTLS\x0d\x0a250-ENHANCEDSTATUSCODES\x0d\x0a250-8BITMIME\x0d\x0a250-DSN\x0d\x0a250-SMTPUTF8\x0d\x0a250 CHUNKING\x0d\x0a";);
+default > (content:"MAIL FROM:blah@smtp.lab.com\x0d\x0a";);
+default < (content:"250 2.1.0 Ok\x0d\x0a";);
+default > (content:"RCPT TO:test@wut.com\x0d\x0a";);
+default < (content:"250 2.1.5 Ok\x0d\x0a";);
+default > (content:"DATA\x0d\x0a";);
+default < (content:"354 End data with <CR><LF>.<CR><LF>\x0d\x0a";);
+default > (content:"Subject: SMTPbelka-test_sans_name2021-03-08-17:28:53-221a0d8d17b3b41e28ec113dcabb55da7bdb03a8c0bb5d3de252f5d69347aa4d.zip\x0d\x0a";);
+default > (content:"Content-Type: multipart/mixed; boundary=KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"This is a MIME formatted message.  If you see this text it means that your\x0d\x0a";);
+default > (content:"email software does not support MIME formatted messages.\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: text/plain; charset=UTF-8; format=flowed\x0d\x0a";);
+default > (content:"Content-Disposition: inline\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"Ceci est un test\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: application/zip;\x0d\x0a";);
+default > (content:"Content-Transfer-Encoding: base64\x0d\x0a";);
+default > (content:"Content-Disposition: attachment;\x0d\x0afilename*0=smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13;\x0d\x0afilename*1=ddf80e995fd98ae442f3be499ea928c67f..zip\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"NA=\x0d\x0a";);
+default > (content:"=Mg\x0d\x0a";);
+default > (content:"==\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq--\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a.\x0d\x0a";);
+default < (content:"250 2.0.0 Ok: queued as 5C19921E0D\x0d\x0a";);
+default > (content:"quit\x0d\x0a";);
+default < (content:"221 2.0.0 Bye\x0d\x0a";);
diff --git a/tests/bug-6207-2/suricata.rules b/tests/bug-6207-2/suricata.rules
new file mode 100644 (file)
index 0000000..da357e3
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg: "Test file content"; file.data; content:"42"; sid:1;)
diff --git a/tests/bug-6207-2/suricata.yaml b/tests/bug-6207-2/suricata.yaml
new file mode 100644 (file)
index 0000000..e1ced9b
--- /dev/null
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert
+        - files
+        - smtp
+        - anomaly
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: yes
+app-layer:
+  protocols:
+    smtp:
+      enabled: yes
+      raw-extraction: no
+      mime:
+        decode-mime: yes
+        decode-base64: yes
+        decode-quoted-printable: yes
diff --git a/tests/bug-6207-2/test.yaml b/tests/bug-6207-2/test.yaml
new file mode 100644 (file)
index 0000000..c038e96
--- /dev/null
@@ -0,0 +1,34 @@
+requires:
+  min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      app_proto: smtp
+      email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+      event_type: fileinfo
+      fileinfo.filename: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+      fileinfo.size: 2
+      fileinfo.state: CLOSED
+      fileinfo.sha256: 73475cb40a568e8da8a045ced110137e159f890ac4da883b6b17dc651b3a8049
+      smtp.helo: smtp.intra
+      smtp.mail_from: blah@smtp.lab.com
+      smtp.rcpt_to[0]: test@wut.com
+- filter:
+    count: 1
+    match:
+      email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+      email.status: PARSE_DONE
+      event_type: smtp
+      smtp.helo: smtp.intra
+      smtp.mail_from: blah@smtp.lab.com
+      smtp.rcpt_to[0]: test@wut.com
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
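Review bot: The first match block in this file omits `email.status`, which the corresponding fileinfo check in bug-6207-1/test.yaml pins to `BODY_END_BOUND`, so a regression that changes the MIME parser's end state for the `NA=` / `=Mg` / `==` input would go unnoticed here; adding `email.status: BODY_END_BOUND` next to `fileinfo.state: CLOSED` keeps the two tests symmetric, assuming the status is the same for this input — confirm against the eve output. This file also leaves out the explicit `exit-code: 0` that bug-6207-1/test.yaml carries; harmless if the framework defaults to 0, but stating it keeps the two tests uniform. The alert filter only counts signature 1, and since the rule matches `42` anywhere in file.data the count alone does not prove exact decoding — the `fileinfo.sha256` line above is what pins it, so the alert check is best read as a secondary signal.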