detect/smtp: smtp.helo keyword

Ticket: 7515

diff --git a/tests/smtp-keywords/README.md b/tests/smtp-keywords/README.md
new file mode 100644 (file)
index 0000000..c040548
--- /dev/null
+++ b/tests/smtp-keywords/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test smtp keywords
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/attachments/7515
+
+# PCAP
+
+reused from bug-3616-smtp

diff --git a/tests/smtp-keywords/test.rules b/tests/smtp-keywords/test.rules
new file mode 100644 (file)
index 0000000..e8f34c7
--- /dev/null
+++ b/tests/smtp-keywords/test.rules
@@ -0,0 +1,4 @@
+alert smtp any any -> any any (msg:"SMTP helo GP"; smtp.helo; content:"GP"; sid:1; rev:1;)
+
+# signatures not matching
+alert smtp any any -> any any (msg:"SMTP helo not triggering"; smtp.helo; content:"not there"; sid:10; rev:1;)

diff --git a/tests/smtp-keywords/test.yaml b/tests/smtp-keywords/test.yaml
new file mode 100644 (file)
index 0000000..6b8f284
--- /dev/null
+++ b/tests/smtp-keywords/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../bug-3616-smtp/input.pcap
+
+requires:
+  min-version: 8.0.0
+
+checks:
+- filter:
+    # 2 transactions, 2 alerts
+    count: 2
+    match:
+      event_type: alert
+      smtp.helo: GP
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 10
\ No newline at end of file