]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0389845)
add test for broken smtp url logging
authorShivani Bhardwaj <shivani@oisf.net>
Tue, 9 Aug 2022 05:14:35 +0000 (10:44 +0530)
committerVictor Julien <victor@inliniac.net>
Tue, 13 Sep 2022 09:51:26 +0000 (11:51 +0200)
tests/smtp-url-schemes-bug-5174/README.md [new file with mode: 0644] patch | blob
tests/smtp-url-schemes-bug-5174/input.pcap [new file with mode: 0644] patch | blob
tests/smtp-url-schemes-bug-5174/suricata.yaml [new file with mode: 0644] patch | blob
tests/smtp-url-schemes-bug-5174/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/smtp-url-schemes-bug-5174/README.md b/tests/smtp-url-schemes-bug-5174/README.md
new file mode 100644 (file)
index 0000000..121d7e2
--- /dev/null
+++ b/tests/smtp-url-schemes-bug-5174/README.md
@@ -0,0 +1,17 @@
+Description
+-----------
+Since the feature for extracting MIME urls (ref: [Feature #2054](https://redmine.openinfosecfoundation.org/issues/2054))
+was introduced, the logging of urls in case the `suricata.yaml` configuration was not updated
+has been broken (ref: [Bug #5174](https://redmine.openinfosecfoundation.org/issues/5174)).
+The issue happens when both the `extract-urls-schemes` and `log-url-scheme` settings are
+missing from `suricata.yaml`.
+The behavior in such a case should be fallback to the defaults i.e. only extract the urls
+that begin with the `http` scheme.
+
+PCAP
+----
+PCAP comes from the existing test [smtp-extract-url-schemes](https://github.com/OISF/suricata-verify/blob/master/tests/smtp-extract-url-schemes).
+
+Reported and fixed by
+---------------------
+Eric Leblond <el@stamus-networks.com>
diff --git a/tests/smtp-url-schemes-bug-5174/input.pcap b/tests/smtp-url-schemes-bug-5174/input.pcap
new file mode 100644 (file)
index 0000000..bc1daa8
Binary files /dev/null and b/tests/smtp-url-schemes-bug-5174/input.pcap differ
diff --git a/tests/smtp-url-schemes-bug-5174/suricata.yaml b/tests/smtp-url-schemes-bug-5174/suricata.yaml
new file mode 100644 (file)
index 0000000..c8b6678
--- /dev/null
+++ b/tests/smtp-url-schemes-bug-5174/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - smtp
+
+app-layer:
+  protocols:
+    smtp:
+      enabled: yes
+      mime:
+        decode-mime: yes
+        decode-base64: yes
+        extract-urls: yes
+#        extract-urls-schemes: [http, https, ftp, mailto]
+#        log-url-scheme: yes
diff --git a/tests/smtp-url-schemes-bug-5174/test.yaml b/tests/smtp-url-schemes-bug-5174/test.yaml
new file mode 100644 (file)
index 0000000..b9e4b31
--- /dev/null
+++ b/tests/smtp-url-schemes-bug-5174/test.yaml
@@ -0,0 +1,7 @@
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: smtp
+        email.url[0]: "test-site.org/blah/123/"
+        email.url[1]: "google.com"
Mirror of https://github.com/OISF/suricata-verify.git