--- /dev/null
+# Test Description
+Test mime email.message_id keyword
+
+## PCAP
+From ../bug-1045/smtpsuricataflowbitsFN.pcap
+
+## Redmine Ticket
+https://redmine.openinfosecfoundation.org/issues/7593
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: yes
+ - smtp:
+ custom: [message-id] # for 'message-id' logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ - stats
+ - flow
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+exception-policy: ignore
--- /dev/null
+alert smtp any any -> any any (msg:"Test mime email message id"; email.message_id; content:"<alpine.DEB.2.00.1311261630120.9535@sd-26634.dedibox.fr>"; startswith; endswith; bsize:56; sid:1;)
\ No newline at end of file
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../bug-1045/smtpsuricataflowbitsFN.pcap
+
+args:
+ - -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 13
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.message_id: <alpine.DEB.2.00.1311261630120.9535@sd-26634.dedibox.fr>
+ pcap_cnt: 13
projects / thirdparty / suricata-verify.git / commitdiff
