smtp: Add test to match on attachment with md5

Based on the filemd5 test but using smtp attachment instead.
The SMTP transaction contains the EICAR file as an attachment and
the expected md5 to match used is the standard md5 for the EICAR.

diff --git a/tests/smtp-attachment-md5/input.pcap b/tests/smtp-attachment-md5/input.pcap
new file mode 100644 (file)
index 0000000..16375cf
Binary files /dev/null and b/tests/smtp-attachment-md5/input.pcap differ

diff --git a/tests/smtp-attachment-md5/target.md5 b/tests/smtp-attachment-md5/target.md5
new file mode 100644 (file)
index 0000000..b22bda5
--- /dev/null
+++ b/tests/smtp-attachment-md5/target.md5
@@ -0,0 +1 @@
+44d88612fea8a8f36de82e1278abb02f

diff --git a/tests/smtp-attachment-md5/test.rules b/tests/smtp-attachment-md5/test.rules
new file mode 100644 (file)
index 0000000..8497e73
--- /dev/null
+++ b/tests/smtp-attachment-md5/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"test"; filemd5: target.md5; classtype: bad-unknown; sid:1530024;)

diff --git a/tests/smtp-attachment-md5/test.yaml b/tests/smtp-attachment-md5/test.yaml
new file mode 100644 (file)
index 0000000..3c17b1b
--- /dev/null
+++ b/tests/smtp-attachment-md5/test.yaml
@@ -0,0 +1,9 @@
+requires:
+  features:
+    - HAVE_NSS
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert