smtp: adds test for invalid replies
authorPhilippe Antoine <pantoine@oisf.net>
Thu, 6 Jun 2024 11:38:56 +0000 (13:38 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 17 Jul 2024 04:13:39 +0000 (06:13 +0200)
Ticket: 1125

tests/smtp-errors/README.md [new file with mode: 0644]
tests/smtp-errors/smtperr.pcap [new file with mode: 0644]
tests/smtp-errors/test.yaml [new file with mode: 0644]

diff --git a/tests/smtp-errors/README.md b/tests/smtp-errors/README.md
new file mode 100644 (file)
index 0000000..ba710d1
--- /dev/null
@@ -0,0 +1,13 @@
+# Test Description
+
+Test some SMTP parser errors on unknown reply codes
+
+## PCAP
+
+extract from QA TLPW1
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/1125
+https://redmine.openinfosecfoundation.org/issues/5491
+https://redmine.openinfosecfoundation.org/issues/6821
diff --git a/tests/smtp-errors/smtperr.pcap b/tests/smtp-errors/smtperr.pcap
new file mode 100644 (file)
index 0000000..b8c3422
Binary files /dev/null and b/tests/smtp-errors/smtperr.pcap differ
diff --git a/tests/smtp-errors/test.yaml b/tests/smtp-errors/test.yaml
new file mode 100644 (file)
index 0000000..e03549c
--- /dev/null
@@ -0,0 +1,43 @@
+requires:
+  min-version: 8
+
+# disables checksum verification
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.event: INVALID_REPLY
+        # 472 unusualz@prg-dc.dhl.com DNS A-record is empty
+        src_port: 49740
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.event: INVALID_REPLY
+        # 500 5.5.1 Command unrecognized: + junk on new line
+        src_port: 49274
+  - filter:
+      count: 3
+      match:
+        event_type: anomaly
+        anomaly.event: INVALID_REPLY
+        #no anomaly for 4.7.0 [IPTS04] Messages from 173.166.146.112 temporarily deferred due to user complaints because tx got closed before
+        #src_port: 49448
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.event: INVALID_REPLY
+        # client does tls hello, smtp server replies with
+        #400 4.5.2 Error: bad syntax
+        src_port: 50649
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        # no anomaly but error for 4.7.0
+        stats.app_layer.error.smtp.parser: 4
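Review bot: The third filter (`count: 3`, no `src_port`) is a pcap-wide total, but the commented-out `#src_port: 49448` beneath it reads like a disabled per-flow check, so the intent is easy to misread. I would replace those two comment lines with `# total INVALID_REPLY for the whole pcap: only the three flows checked by src_port` and `# flow 49448 (4.7.0 ... temporarily deferred) raises none because the tx got closed before`. This is the only filter that would catch a spurious INVALID_REPLY on some other flow, which is worth stating because a regression in reply parsing would surface here first. The final stats check would also benefit from a comment explaining how the value 4 is composed; from the existing comments it looks like the three anomalies plus the 4.7.0 reply, but that is inferred rather than shown.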