detect/smtp: smtp.rcpt_to keyword

author Philippe Antoine <pantoine@oisf.net>

Fri, 24 Jan 2025 12:58:10 +0000 (13:58 +0100)

committer Victor Julien <victor@inliniac.net>

Sun, 26 Jan 2025 06:09:59 +0000 (07:09 +0100)
author Philippe Antoine <pantoine@oisf.net>
Fri, 24 Jan 2025 12:58:10 +0000 (13:58 +0100)
committer Victor Julien <victor@inliniac.net>
Sun, 26 Jan 2025 06:09:59 +0000 (07:09 +0100)
diff --git a/tests/smtp-keywords/README.md b/tests/smtp-keywords/README.md

index 048579afc5c40e9d7f4b5a4c330d45915ab8e0a5..ce9cf3de05e87d91ac9ff507daefd84e041c9af6 100644 (file)
--- a/tests/smtp-keywords/README.md
+++ b/tests/smtp-keywords/README.md
@@ -5,6 +5,7 @@ Test smtp keywords
  # Ticket
  
  https://redmine.openinfosecfoundation.org/attachments/7515
+https://redmine.openinfosecfoundation.org/attachments/7516
  https://redmine.openinfosecfoundation.org/attachments/7517
  
  # PCAP
diff --git a/tests/smtp-keywords/test.rules b/tests/smtp-keywords/test.rules

index c2614aff58fab870175cf8d1b31e18008c0cbd11..eb3973cae4e90eba087039261f8e7671711517e6 100644 (file)
--- a/tests/smtp-keywords/test.rules
+++ b/tests/smtp-keywords/test.rules
@@ -1,7 +1,8 @@
  alert smtp any any -> any any (msg:"SMTP helo GP"; smtp.helo; content:"GP"; sid:1; rev:1;)
  alert smtp any any -> any any (msg:"SMTP mail_from"; smtp.mail_from; content:"<gurpartap@patriots.in>"; sid:2; rev:1;)
-
+alert smtp any any -> any any (msg:"SMTP rcpt_to"; smtp.rcpt_to; content:"<raj_deol2002in@yahoo.co.in>"; sid:3; rev:1;)
  
  # signatures not matching
  alert smtp any any -> any any (msg:"SMTP helo not triggering"; smtp.helo; content:"not there"; sid:10; rev:1;)
  alert smtp any any -> any any (msg:"SMTP not mail_from"; smtp.mail_from; content:"spammer"; sid:12; rev:1;)
+alert smtp any any -> any any (msg:"SMTP no rcpt_to"; smtp.rcpt_to; content:"<gurpartap@patriots.in>"; sid:13; rev:1;)
diff --git a/tests/smtp-keywords/test.yaml b/tests/smtp-keywords/test.yaml

index d0c25aa972cffdb6bb11997a3e5f472744445cda..e4226da4bc06dc2a737bd40e0bb98f9d43b95b99 100644 (file)
--- a/tests/smtp-keywords/test.yaml
+++ b/tests/smtp-keywords/test.yaml
@@ -26,4 +26,15 @@ checks:
      count: 0
      match:
        event_type: alert
-      alert.signature_id: 12
-\ No newline at end of file
+      alert.signature_id: 12
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      smtp.rcpt_to[0]: "<raj_deol2002in@yahoo.co.in>"
+      alert.signature_id: 3
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 13
+\ No newline at end of file
author	Philippe Antoine <pantoine@oisf.net>
	Fri, 24 Jan 2025 12:58:10 +0000 (13:58 +0100)
committer	Victor Julien <victor@inliniac.net>
	Sun, 26 Jan 2025 06:09:59 +0000 (07:09 +0100)
tests/smtp-keywords/README.md		patch \| blob \| blame \| history
tests/smtp-keywords/test.rules		patch \| blob \| blame \| history
tests/smtp-keywords/test.yaml		patch \| blob \| blame \| history