smtp: add test for long DATA line 1199/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Fri, 21 Apr 2023 11:21:53 +0000 (16:51 +0530)
committerJason Ish <jason.ish@oisf.net>
Fri, 12 May 2023 18:42:02 +0000 (12:42 -0600)
tests/smtp-long-DATA-line/README.md [new file with mode: 0644]
tests/smtp-long-DATA-line/input.pcap [new file with mode: 0644]
tests/smtp-long-DATA-line/suricata.yaml [new file with mode: 0644]
tests/smtp-long-DATA-line/test.yaml [new file with mode: 0644]

diff --git a/tests/smtp-long-DATA-line/README.md b/tests/smtp-long-DATA-line/README.md
new file mode 100644 (file)
index 0000000..4d4bd09
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows how we handle long DATA lines for SMTP.
+
+## PCAP
+
+PCAP comes from ttps://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
+and has been modified to have a really long DATA line (6512 Bytes).
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5981
diff --git a/tests/smtp-long-DATA-line/input.pcap b/tests/smtp-long-DATA-line/input.pcap
new file mode 100644 (file)
index 0000000..56077e1
Binary files /dev/null and b/tests/smtp-long-DATA-line/input.pcap differ
diff --git a/tests/smtp-long-DATA-line/suricata.yaml b/tests/smtp-long-DATA-line/suricata.yaml
new file mode 100644 (file)
index 0000000..30418c5
--- /dev/null
@@ -0,0 +1,23 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+        - smtp
+        - anomaly
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: yes
+app-layer:
+  protocols:
+    smtp:
+      enabled: yes
+      raw-extraction: no
+      mime:
+        decode-mime: yes
+        decode-base64: yes
+        decode-quoted-printable: yes
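Review bot: The checks in test.yaml expect `anomaly` records for MIME_LONG_LINE and MIME_LONG_ENC_LINE, but the `anomaly` eve type at `- anomaly` is a bare entry that relies on Suricata's default anomaly `types` (applayer logging on) instead of stating it; I would make that dependency explicit with `- anomaly:` / `types:` / `applayer: yes` so the test does not silently stop seeing the events if the default ever changes. The non-default settings also carry no explanation of why they are here; a header comment such as `# MIME decoding + forced file-store: confirm the attachment is still extracted intact after the oversized DATA line` would tell the next maintainer what this config is meant to exercise. Whether the line-length limit that triggers these events is configurable is not visible in this hunk, so as written the test depends on the parser's built-in limit.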
diff --git a/tests/smtp-long-DATA-line/test.yaml b/tests/smtp-long-DATA-line/test.yaml
new file mode 100644 (file)
index 0000000..ca95814
--- /dev/null
@@ -0,0 +1,102 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 192.168.1.4
+      dest_port: 3326
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 217.12.11.66
+      src_port: 587
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: MIME_LONG_LINE
+      anomaly.layer: proto_parser
+      anomaly.type: applayer
+      dest_ip: 192.168.1.4
+      dest_port: 3326
+      event_type: anomaly
+      pcap_cnt: 40
+      proto: TCP
+      src_ip: 217.12.11.66
+      src_port: 587
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: MIME_LONG_ENC_LINE
+      anomaly.layer: proto_parser
+      anomaly.type: applayer
+      dest_ip: 192.168.1.4
+      dest_port: 3326
+      event_type: anomaly
+      pcap_cnt: 40
+      proto: TCP
+      src_ip: 217.12.11.66
+      src_port: 587
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 217.12.11.66
+      dest_port: 587
+      email.attachment[0]: winmail.dat
+      email.from: '"Xxxxxx xxxx" <xxxxxx@xxxxx.co.uk>'
+      email.status: PARSE_DONE
+      email.to[0]: <xxxxxx@xxxxx.co.uk>
+      event_type: smtp
+      pcap_cnt: 40
+      proto: TCP
+      smtp.helo: Percival
+      smtp.mail_from: <xxxxxx@xxxxx.co.uk>
+      smtp.rcpt_to[0]: <xxxxxx@xxxxx.co.uk>
+      src_ip: 192.168.1.4
+      src_port: 3326
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      app_proto: smtp
+      dest_ip: 217.12.11.66
+      dest_port: 587
+      email.attachment[0]: winmail.dat
+      email.from: '"Xxxxxx xxxx" <xxxxxx@xxxxx.co.uk>'
+      email.status: PARSE_DONE
+      email.to[0]: <xxxxxx@xxxxx.co.uk>
+      event_type: fileinfo
+      fileinfo.filename: winmail.dat
+      fileinfo.gaps: false
+      fileinfo.size: 10383
+      fileinfo.state: CLOSED
+      fileinfo.stored: true
+      fileinfo.sha256: "81d7ff46d57b5e79df686a72c160225d644e43c47c219f6bbdc5a6699df702d5"
+      fileinfo.tx_id: 0
+      pcap_cnt: 42
+      proto: TCP
+      smtp.helo: Percival
+      smtp.mail_from: <xxxxxx@xxxxx.co.uk>
+      smtp.rcpt_to[0]: <xxxxxx@xxxxx.co.uk>
+      src_ip: 192.168.1.4
+      src_port: 3326
+- filter:
+    count: 1
+    match:
+      dest_ip: 217.12.11.66
+      dest_port: 587
+      event_type: smtp
+      proto: TCP
+      smtp.helo: Percival
+      src_ip: 192.168.1.4
+      src_port: 3326
+      tx_id: 1
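Review bot: The checks pin the two expected MIME anomalies at pcap_cnt 40 individually but never bound the total number of anomaly events, so a regression in which the 6512-byte line also triggers additional parser errors (or desynchronises the DATA state and produces follow-on events) would still pass as long as these two remain present. I would add a flow-wide filter with `count: 3` and `match: {event_type: anomaly}`, and similarly `count: 1` on `event_type: fileinfo` so a second partial or duplicate extraction of the same attachment is caught rather than ignored by the field-specific match at pcap_cnt 42. The `-k none` argument is undocumented; presumably the hand-edited pcap carries stale checksums, so a comment like `# -k none: checksums are invalid in the modified pcap` above it would explain why verification is disabled. Quoting `fileinfo.sha256` while leaving every other scalar unquoted is inconsistent; either quote all hash/ID-like strings or none.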