mime: add previous suricata unit tests 1400/head
authorPhilippe Antoine <pantoine@oisf.net>
Thu, 31 Aug 2023 09:52:15 +0000 (11:52 +0200)
committerVictor Julien <victor@inliniac.net>
Thu, 28 Sep 2023 17:48:46 +0000 (19:48 +0200)
mime: fix tests for bug-6207

Fix the manually crafted pcaps so that folded MIME header lines are valid,
i.e. continuation lines begin with a space.

Also remove the test for BODY_BOUND, which is becoming obsolete.

30 files changed:
tests/mime/mime-dec-parse-full-msg-test01/README.md [new file with mode: 0644]
tests/mime/mime-dec-parse-full-msg-test01/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-parse-full-msg-test01/test.yaml [new file with mode: 0644]
tests/mime/mime-dec-parse-full-msg-test02/README.md [new file with mode: 0644]
tests/mime/mime-dec-parse-full-msg-test02/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-parse-full-msg-test02/test.yaml [new file with mode: 0644]
tests/mime/mime-dec-parse-line-test01/README.md [new file with mode: 0644]
tests/mime/mime-dec-parse-line-test01/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-parse-line-test01/test.yaml [new file with mode: 0644]
tests/mime/mime-dec-parse-line-test02/README.md [new file with mode: 0644]
tests/mime/mime-dec-parse-line-test02/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-parse-line-test02/test.yaml [new file with mode: 0644]
tests/mime/mime-dec-parse-long-filename01/README.md [new file with mode: 0644]
tests/mime/mime-dec-parse-long-filename01/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-parse-long-filename01/test.yaml [new file with mode: 0644]
tests/mime/mime-dec-parse-long-filename02/README.md [new file with mode: 0644]
tests/mime/mime-dec-parse-long-filename02/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-parse-long-filename02/test.yaml [new file with mode: 0644]
tests/mime/mime-dec-parse-odd-len/README.md [new file with mode: 0644]
tests/mime/mime-dec-parse-odd-len/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-parse-odd-len/test.yaml [new file with mode: 0644]
tests/mime/mime-dec-parse-rem-sp/README.md [new file with mode: 0644]
tests/mime/mime-dec-parse-rem-sp/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-parse-rem-sp/test.yaml [new file with mode: 0644]
tests/mime/mime-dec-parse-small-rem-inp/README.md [new file with mode: 0644]
tests/mime/mime-dec-parse-small-rem-inp/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-parse-small-rem-inp/test.yaml [new file with mode: 0644]
tests/mime/mime-dec-very-small-inp/README.md [new file with mode: 0644]
tests/mime/mime-dec-very-small-inp/input.pcap [new file with mode: 0644]
tests/mime/mime-dec-very-small-inp/test.yaml [new file with mode: 0644]

diff --git a/tests/mime/mime-dec-parse-full-msg-test01/README.md b/tests/mime/mime-dec-parse-full-msg-test01/README.md
new file mode 100644 (file)
index 0000000..4f2d42d
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseFullMsgTest01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/input.pcap b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap
new file mode 100644 (file)
index 0000000..5e9e92d
Binary files /dev/null and b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/test.yaml b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
new file mode 100644 (file)
index 0000000..f904944
--- /dev/null
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1
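Review bot: The three filters in this test.yaml pin only the SMTP envelope, `email.from`/`email.to[0]` and `email.status: PARSE_DONE`, so nothing here is specific to the MimeDecParseFullMsgTest01 input. The same blob (index f904944) is reused unchanged for full-msg-test02, line-test01, odd-len, rem-sp, small-rem-inp and very-small-inp, so a regression in any one of those decoding paths would go unnoticed as long as the headers still parse. If each pcap is expected to decode cleanly, add a negative filter so that an unexpected MIME parser anomaly fails the test. Where possible, also add one check per test on a field that the case actually exercises.

```yaml
- filter:
    count: 0
    match:
      event_type: anomaly
      anomaly.layer: proto_parser
```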
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/README.md b/tests/mime/mime-dec-parse-full-msg-test02/README.md
new file mode 100644 (file)
index 0000000..b1f1cc9
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseFullMsgTest02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/input.pcap b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap
new file mode 100644 (file)
index 0000000..fa58468
Binary files /dev/null and b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/test.yaml b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
new file mode 100644 (file)
index 0000000..f904944
--- /dev/null
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1
diff --git a/tests/mime/mime-dec-parse-line-test01/README.md b/tests/mime/mime-dec-parse-line-test01/README.md
new file mode 100644 (file)
index 0000000..1d92698
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLineTest01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-line-test01/input.pcap b/tests/mime/mime-dec-parse-line-test01/input.pcap
new file mode 100644 (file)
index 0000000..3e8bb26
Binary files /dev/null and b/tests/mime/mime-dec-parse-line-test01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-line-test01/test.yaml b/tests/mime/mime-dec-parse-line-test01/test.yaml
new file mode 100644 (file)
index 0000000..f904944
--- /dev/null
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1
diff --git a/tests/mime/mime-dec-parse-line-test02/README.md b/tests/mime/mime-dec-parse-line-test02/README.md
new file mode 100644 (file)
index 0000000..07ee83a
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLineTest02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-line-test02/input.pcap b/tests/mime/mime-dec-parse-line-test02/input.pcap
new file mode 100644 (file)
index 0000000..56fc12b
Binary files /dev/null and b/tests/mime/mime-dec-parse-line-test02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-line-test02/test.yaml b/tests/mime/mime-dec-parse-line-test02/test.yaml
new file mode 100644 (file)
index 0000000..3b802ce
--- /dev/null
@@ -0,0 +1,47 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      email.url[0]: www.test.com/malware.exe?hahah
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1
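Review bot: The `email.url[0]: www.test.com/malware.exe?hahah` expectation is the only line that separates this test from line-test01, yet neither the README nor the YAML says that URL extraction is what is being verified. The scheme-less value also appears to depend on the SMTP MIME URL settings of whatever configuration the test runs with (`extract-urls`, and presumably `log-url-scheme` left at its default), so a changed default would fail the test for a reason unrelated to the decoder. Add a comment above the filter such as `# URL extracted from the message body; relies on default extract-urls settings`, or pin those settings in a test-local configuration.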
diff --git a/tests/mime/mime-dec-parse-long-filename01/README.md b/tests/mime/mime-dec-parse-long-filename01/README.md
new file mode 100644 (file)
index 0000000..158ae96
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLongFilename01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-long-filename01/input.pcap b/tests/mime/mime-dec-parse-long-filename01/input.pcap
new file mode 100644 (file)
index 0000000..7707191
Binary files /dev/null and b/tests/mime/mime-dec-parse-long-filename01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-long-filename01/test.yaml b/tests/mime/mime-dec-parse-long-filename01/test.yaml
new file mode 100644 (file)
index 0000000..701e468
--- /dev/null
@@ -0,0 +1,86 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: MIME_LONG_FILENAME
+      anomaly.layer: proto_parser
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 14
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      app_proto: smtp
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: fileinfo
+      fileinfo.filename: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+      fileinfo.gaps: false
+      fileinfo.size: 25
+      fileinfo.state: CLOSED
+      fileinfo.stored: false
+      fileinfo.tx_id: 0
+      pcap_cnt: 15
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1
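Review bot: The expected attachment name in `email.attachment[0]` and `fileinfo.filename` is a truncated value (it ends mid-token in `12c`), and the literal is repeated three times with nothing stating that truncation is the intended result. Add a comment above the second filter, for example `# filename in the pcap exceeds the MIME filename limit; Suricata logs the truncated name and raises MIME_LONG_FILENAME`, so a later edit of the long literal is not mistaken for a typo fix. It is also worth recording in the README that the logged name is cut at the limit and so may not carry the original suffix, which makes the anomaly event the reliable signal for consumers that match on file names.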
diff --git a/tests/mime/mime-dec-parse-long-filename02/README.md b/tests/mime/mime-dec-parse-long-filename02/README.md
new file mode 100644 (file)
index 0000000..4821e29
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLongFilename02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-long-filename02/input.pcap b/tests/mime/mime-dec-parse-long-filename02/input.pcap
new file mode 100644 (file)
index 0000000..91cd1f3
Binary files /dev/null and b/tests/mime/mime-dec-parse-long-filename02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-long-filename02/test.yaml b/tests/mime/mime-dec-parse-long-filename02/test.yaml
new file mode 100644 (file)
index 0000000..aa1581f
--- /dev/null
@@ -0,0 +1,71 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.attachment[0]: 12characters12characters12characters.exe
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      app_proto: smtp
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.attachment[0]: 12characters12characters12characters.exe
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: fileinfo
+      fileinfo.filename: 12characters12characters12characters.exe
+      fileinfo.gaps: false
+      fileinfo.size: 25
+      fileinfo.state: CLOSED
+      fileinfo.stored: false
+      fileinfo.tx_id: 0
+      pcap_cnt: 15
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1
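Review bot: This test expects the full name `12characters12characters12characters.exe` to be logged, but it never asserts that `MIME_LONG_FILENAME` is absent, which is the behaviour that distinguishes it from long-filename01. As written, the test would still pass if the decoder started raising the anomaly for names under the limit, provided the logged name stayed intact. Add a negative filter alongside the existing ones.

```yaml
- filter:
    count: 0
    match:
      event_type: anomaly
      anomaly.event: MIME_LONG_FILENAME
```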
diff --git a/tests/mime/mime-dec-parse-odd-len/README.md b/tests/mime/mime-dec-parse-odd-len/README.md
new file mode 100644 (file)
index 0000000..b5f1032
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseOddLen.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-odd-len/input.pcap b/tests/mime/mime-dec-parse-odd-len/input.pcap
new file mode 100644 (file)
index 0000000..e1b7326
Binary files /dev/null and b/tests/mime/mime-dec-parse-odd-len/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-odd-len/test.yaml b/tests/mime/mime-dec-parse-odd-len/test.yaml
new file mode 100644 (file)
index 0000000..f904944
--- /dev/null
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1
diff --git a/tests/mime/mime-dec-parse-rem-sp/README.md b/tests/mime/mime-dec-parse-rem-sp/README.md
new file mode 100644 (file)
index 0000000..e70e497
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseRemSp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-rem-sp/input.pcap b/tests/mime/mime-dec-parse-rem-sp/input.pcap
new file mode 100644 (file)
index 0000000..a4c5731
Binary files /dev/null and b/tests/mime/mime-dec-parse-rem-sp/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-rem-sp/test.yaml b/tests/mime/mime-dec-parse-rem-sp/test.yaml
new file mode 100644 (file)
index 0000000..f904944
--- /dev/null
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/README.md b/tests/mime/mime-dec-parse-small-rem-inp/README.md
new file mode 100644 (file)
index 0000000..ca2e725
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseSmallRemInp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/input.pcap b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap
new file mode 100644 (file)
index 0000000..1b4b1be
Binary files /dev/null and b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/test.yaml b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
new file mode 100644 (file)
index 0000000..f904944
--- /dev/null
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1
diff --git a/tests/mime/mime-dec-very-small-inp/README.md b/tests/mime/mime-dec-very-small-inp/README.md
new file mode 100644 (file)
index 0000000..2a5c41e
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecVerySmallInp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-very-small-inp/input.pcap b/tests/mime/mime-dec-very-small-inp/input.pcap
new file mode 100644 (file)
index 0000000..d217b51
Binary files /dev/null and b/tests/mime/mime-dec-very-small-inp/input.pcap differ
diff --git a/tests/mime/mime-dec-very-small-inp/test.yaml b/tests/mime/mime-dec-very-small-inp/test.yaml
new file mode 100644 (file)
index 0000000..f904944
--- /dev/null
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <toto@gmail.com>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <toto@gmail.com>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1