]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
tests: add bug 1045 test
authorVictor Julien <victor@inliniac.net>
Mon, 18 Jan 2021 09:41:12 +0000 (10:41 +0100)
committerVictor Julien <victor@inliniac.net>
Mon, 18 Jan 2021 09:56:41 +0000 (10:56 +0100)
tests/bug-1045/smtp.rules [new file with mode: 0644]
tests/bug-1045/smtpsuricataflowbitsFN.pcap [new file with mode: 0644]
tests/bug-1045/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-1045/smtp.rules b/tests/bug-1045/smtp.rules
new file mode 100644 (file)
index 0000000..33bd3b1
--- /dev/null
@@ -0,0 +1,5 @@
+# by rmkml
+alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)
+alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)
+alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; classtype:attempted-admin; sid:3; rev:1;)
+
diff --git a/tests/bug-1045/smtpsuricataflowbitsFN.pcap b/tests/bug-1045/smtpsuricataflowbitsFN.pcap
new file mode 100644 (file)
index 0000000..9e1f279
Binary files /dev/null and b/tests/bug-1045/smtpsuricataflowbitsFN.pcap differ
diff --git a/tests/bug-1045/test.yaml b/tests/bug-1045/test.yaml
new file mode 100644 (file)
index 0000000..3989317
--- /dev/null
@@ -0,0 +1,30 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        src_ip: "88.191.140.111"
+        src_port: 51906
+        dest_ip: "188.125.69.79"
+        dest_port: 25
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+
+