tests: add bug 1045 test

author Victor Julien <victor@inliniac.net>

Mon, 18 Jan 2021 09:41:12 +0000 (10:41 +0100)

committer Victor Julien <victor@inliniac.net>

Mon, 18 Jan 2021 09:56:41 +0000 (10:56 +0100)
author Victor Julien <victor@inliniac.net>
Mon, 18 Jan 2021 09:41:12 +0000 (10:41 +0100)
committer Victor Julien <victor@inliniac.net>
Mon, 18 Jan 2021 09:56:41 +0000 (10:56 +0100)
diff --git a/tests/bug-1045/smtp.rules b/tests/bug-1045/smtp.rules

new file mode 100644 (file)

index 0000000..33bd3b1
--- /dev/null
+++ b/tests/bug-1045/smtp.rules
@@ -0,0 +1,5 @@
+# by rmkml
+alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)
+alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)
+alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; classtype:attempted-admin; sid:3; rev:1;)
+
diff --git a/tests/bug-1045/smtpsuricataflowbitsFN.pcap b/tests/bug-1045/smtpsuricataflowbitsFN.pcap

new file mode 100644 (file)

index 0000000..9e1f279

Binary files /dev/null and b/tests/bug-1045/smtpsuricataflowbitsFN.pcap differ
diff --git a/tests/bug-1045/test.yaml b/tests/bug-1045/test.yaml

new file mode 100644 (file)

index 0000000..3989317
--- /dev/null
+++ b/tests/bug-1045/test.yaml
@@ -0,0 +1,30 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        src_ip: "88.191.140.111"
+        src_port: 51906
+        dest_ip: "188.125.69.79"
+        dest_port: 25
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+
+
author	Victor Julien <victor@inliniac.net>
	Mon, 18 Jan 2021 09:41:12 +0000 (10:41 +0100)
committer	Victor Julien <victor@inliniac.net>
	Mon, 18 Jan 2021 09:56:41 +0000 (10:56 +0100)
tests/bug-1045/smtp.rules	[new file with mode: 0644]	patch \| blob
tests/bug-1045/smtpsuricataflowbitsFN.pcap	[new file with mode: 0644]	patch \| blob
tests/bug-1045/test.yaml	[new file with mode: 0644]	patch \| blob