detect/smtp: smtp.mail_from keyword

Ticket: 7517

diff --git a/tests/smtp-keywords/README.md b/tests/smtp-keywords/README.md
index c04054857e2946217dc53c29454ddf47f838947a..048579afc5c40e9d7f4b5a4c330d45915ab8e0a5 100644 (file)
--- a/tests/smtp-keywords/README.md
+++ b/tests/smtp-keywords/README.md
@@ -5,6 +5,7 @@ Test smtp keywords
 # Ticket
 
 https://redmine.openinfosecfoundation.org/attachments/7515
+https://redmine.openinfosecfoundation.org/attachments/7517
 
 # PCAP
 

diff --git a/tests/smtp-keywords/test.rules b/tests/smtp-keywords/test.rules
index e8f34c72f6b198b8f65aa5852ce8c4027430806d..c2614aff58fab870175cf8d1b31e18008c0cbd11 100644 (file)
--- a/tests/smtp-keywords/test.rules
+++ b/tests/smtp-keywords/test.rules
@@ -1,4 +1,7 @@
 alert smtp any any -> any any (msg:"SMTP helo GP"; smtp.helo; content:"GP"; sid:1; rev:1;)
+alert smtp any any -> any any (msg:"SMTP mail_from"; smtp.mail_from; content:"<gurpartap@patriots.in>"; sid:2; rev:1;)
+
 
 # signatures not matching
 alert smtp any any -> any any (msg:"SMTP helo not triggering"; smtp.helo; content:"not there"; sid:10; rev:1;)
+alert smtp any any -> any any (msg:"SMTP not mail_from"; smtp.mail_from; content:"spammer"; sid:12; rev:1;)

diff --git a/tests/smtp-keywords/test.yaml b/tests/smtp-keywords/test.yaml
index 6b8f28471fbcabbb951b4c3ec2743682178aa076..d0c25aa972cffdb6bb11997a3e5f472744445cda 100644 (file)
--- a/tests/smtp-keywords/test.yaml
+++ b/tests/smtp-keywords/test.yaml
@@ -15,4 +15,15 @@ checks:
     count: 0
     match:
       event_type: alert
-      alert.signature_id: 10
\ No newline at end of file
+      alert.signature_id: 10
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      smtp.mail_from: "<gurpartap@patriots.in>"
+      alert.signature_id: 2
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 12
\ No newline at end of file