tests: add pop3 auth test 2776/head 2782/head
authorVictor Julien <victor@inliniac.net>
Thu, 20 Nov 2025 12:46:10 +0000 (07:46 -0500)
committerVictor Julien <victor@inliniac.net>
Wed, 26 Nov 2025 12:06:19 +0000 (13:06 +0100)
Based on real traffic recreated with flowsynth to protect privacy.

tests/pop3-auth-01/Makefile [new file with mode: 0644]
tests/pop3-auth-01/input.pcap [new file with mode: 0644]
tests/pop3-auth-01/pop3.syn [new file with mode: 0644]
tests/pop3-auth-01/test.yaml [new file with mode: 0644]

diff --git a/tests/pop3-auth-01/Makefile b/tests/pop3-auth-01/Makefile
new file mode 100644 (file)
index 0000000..b57781d
--- /dev/null
@@ -0,0 +1,3 @@
+input.pcap: pop3.syn
+       flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/pop3-auth-01/input.pcap b/tests/pop3-auth-01/input.pcap
new file mode 100644 (file)
index 0000000..5cf16d6
Binary files /dev/null and b/tests/pop3-auth-01/input.pcap differ
diff --git a/tests/pop3-auth-01/pop3.syn b/tests/pop3-auth-01/pop3.syn
new file mode 100644 (file)
index 0000000..7e52187
--- /dev/null
@@ -0,0 +1,14 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:110 (tcp.initialize; mss:9000;);
+default > (content:"CAPA\x0d\x0a";);
+default < (content:"+OK Capability list follows\x0d\x0aUSER\x0d\x0aRESP-CODES\x0d\x0aEXPIRE 0\x0d\x0aLOGIN-DELAY 300\x0d\x0aTOP\x0d\x0aUIDL\x0d\x0aX-GOOGLE-RICO\x0d\x0aSASL PLAIN XOAUTH2 OAUTHBEARER\x0d\x0a.\x0d\x0a";);
+default > (content:"AUTH XOAUTH2\x0d\x0a";);
+default < (content:"+ \x0d\x0a";);
+default > (content:"dXNlcj1qb2Uuc3BlZWRib2F0AWF1dGg9QmVhcmVyIEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUEBAQ==\x0d\x0a";);
+default < (content:"+OK Welcome.\x0d\x0a";);
+default > (content:"STAT\x0d\x0a";);
+default < (content:"+OK 1 308661\x0d\x0a";);
+default > (content:"LIST\x0d\x0a";);
+default < (content:"+OK 1 messages (308661 bytes)\x0d\x0a1 308661\x0d\x0a.\x0d\x0a";);
+default > (content:"UIDL\x0d\x0a";);
+default < (content:"+OK\x0d\x0a1 GmailId123456789\x0d\x0a.\x0d\x0a";);
+default > (content:"QUIT\x0d\x0a";);
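Review bot: The client line sent after the `+ ` continuation is an opaque base64 blob, and nothing in the file says what it holds, so a reader or a secret scanner cannot tell whether a live bearer token was committed. It decodes to an XOAUTH2 initial response for user `joe.speedboat` whose bearer value is just a run of `A` characters, i.e. a placeholder. If flowsynth's `#` comment syntax is usable in this file, add a line above it such as `# XOAUTH2 initial response (base64): user=<name>, auth=Bearer <placeholder>; synthetic, not a real token`.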
diff --git a/tests/pop3-auth-01/test.yaml b/tests/pop3-auth-01/test.yaml
new file mode 100644 (file)
index 0000000..be71931
--- /dev/null
@@ -0,0 +1,119 @@
+requires:
+   version: 9
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 2.2.2.2
+      dest_port: 110
+      event_type: pop3
+      ip_v: 4
+      pcap_cnt: 7
+      pop3.request.command: CAPA
+      pop3.response.data[0]: USER
+      pop3.response.data[1]: RESP-CODES
+      pop3.response.data[2]: EXPIRE 0
+      pop3.response.data[3]: LOGIN-DELAY 300
+      pop3.response.data[4]: TOP
+      pop3.response.data[5]: UIDL
+      pop3.response.data[6]: X-GOOGLE-RICO
+      pop3.response.data[7]: SASL PLAIN XOAUTH2 OAUTHBEARER
+      pop3.response.header: Capability list follows
+      pop3.response.status: OK
+      pop3.response.success: true
+      proto: TCP
+      src_ip: 1.1.1.1
+      src_port: 5555
+- filter:
+    count: 1
+    match:
+      dest_ip: 2.2.2.2
+      dest_port: 110
+      event_type: pop3
+      ip_v: 4
+      pcap_cnt: 11
+      pop3.request.args[0]: XOAUTH2
+      pop3.request.command: AUTH
+      pop3.response.header: ''
+      pop3.response.status: OK
+      pop3.response.success: true
+      proto: TCP
+      src_ip: 1.1.1.1
+      src_port: 5555
+- filter:
+    count: 1
+    match:
+      dest_ip: 2.2.2.2
+      dest_port: 110
+      event_type: pop3
+      ip_v: 4
+      pcap_cnt: 15
+      pop3.request.command: <SASL DATA>
+      pop3.response.header: Welcome.
+      pop3.response.status: OK
+      pop3.response.success: true
+      proto: TCP
+      src_ip: 1.1.1.1
+      src_port: 5555
+- filter:
+    count: 1
+    match:
+      dest_ip: 2.2.2.2
+      dest_port: 110
+      event_type: pop3
+      ip_v: 4
+      pcap_cnt: 19
+      pop3.request.command: STAT
+      pop3.response.header: 1 308661
+      pop3.response.status: OK
+      pop3.response.success: true
+      proto: TCP
+      src_ip: 1.1.1.1
+      src_port: 5555
+- filter:
+    count: 1
+    match:
+      dest_ip: 2.2.2.2
+      dest_port: 110
+      event_type: pop3
+      ip_v: 4
+      pcap_cnt: 23
+      pop3.request.command: LIST
+      pop3.response.data[0]: 1 308661
+      pop3.response.header: 1 messages (308661 bytes)
+      pop3.response.status: OK
+      pop3.response.success: true
+      proto: TCP
+      src_ip: 1.1.1.1
+      src_port: 5555
+- filter:
+    count: 1
+    match:
+      dest_ip: 2.2.2.2
+      dest_port: 110
+      event_type: pop3
+      ip_v: 4
+      pcap_cnt: 27
+      pop3.request.command: UIDL
+      pop3.response.data[0]: 1 GmailId123456789
+      pop3.response.header: ''
+      pop3.response.status: OK
+      pop3.response.success: true
+      proto: TCP
+      src_ip: 1.1.1.1
+      src_port: 5555
+- filter:
+    count: 1
+    match:
+      dest_ip: 2.2.2.2
+      dest_port: 110
+      event_type: pop3
+      ip_v: 4
+      pop3.request.command: QUIT
+      proto: TCP
+      src_ip: 1.1.1.1
+      src_port: 5555
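Review bot: The filter at `pcap_cnt: 15` pins `pop3.request.command: <SASL DATA>` but never asserts that the base64 credential line stays out of the event, so a regression that starts logging it (for instance under `pop3.request.args`) would still pass. The match list for that event has no request args, which suggests the logger omits them; if that is the intent, add `not-has-key: pop3.request.args` beside `match` in that filter. Separately, the QUIT filter has no `pcap_cnt` or response fields, which fits pop3.syn ending on the client QUIT with no server reply; a one-line comment saying so would keep it from reading as an oversight.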