tests: smtp frames tests 1883/head 1887/head
authorVictor Julien <victor@inliniac.net>
Wed, 15 Nov 2023 10:18:27 +0000 (11:18 +0100)
committerVictor Julien <victor@inliniac.net>
Tue, 4 Jun 2024 09:51:48 +0000 (11:51 +0200)
tests/smtp-long-DATA-line-02-frames/README.md [new file with mode: 0644]
tests/smtp-long-DATA-line-02-frames/suricata.yaml [new file with mode: 0644]
tests/smtp-long-DATA-line-02-frames/test.rules [new file with mode: 0644]
tests/smtp-long-DATA-line-02-frames/test.yaml [new file with mode: 0644]
tests/smtp-long-DATA-line-03-frames-ips/README.md [new file with mode: 0644]
tests/smtp-long-DATA-line-03-frames-ips/suricata.yaml [new file with mode: 0644]
tests/smtp-long-DATA-line-03-frames-ips/test.rules [new file with mode: 0644]
tests/smtp-long-DATA-line-03-frames-ips/test.yaml [new file with mode: 0644]

diff --git a/tests/smtp-long-DATA-line-02-frames/README.md b/tests/smtp-long-DATA-line-02-frames/README.md
new file mode 100644 (file)
index 0000000..64bd612
--- /dev/null
@@ -0,0 +1,8 @@
+# Test Description
+
+This test shows how we handle SMTP frames.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5981
+https://redmine.openinfosecfoundation.org/issues/4905
diff --git a/tests/smtp-long-DATA-line-02-frames/suricata.yaml b/tests/smtp-long-DATA-line-02-frames/suricata.yaml
new file mode 100644 (file)
index 0000000..e1ced9b
--- /dev/null
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert
+        - files
+        - smtp
+        - anomaly
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: yes
+app-layer:
+  protocols:
+    smtp:
+      enabled: yes
+      raw-extraction: no
+      mime:
+        decode-mime: yes
+        decode-base64: yes
+        decode-quoted-printable: yes
diff --git a/tests/smtp-long-DATA-line-02-frames/test.rules b/tests/smtp-long-DATA-line-02-frames/test.rules
new file mode 100644 (file)
index 0000000..6b545fe
--- /dev/null
@@ -0,0 +1,8 @@
+alert smtp any any -> any any (frame:smtp.command_line; content:"MAIL|20|FROM:"; startswith; content:"xxxxx.co.uk"; distance:0; content:">|0d 0a|"; endswith; sid:1;)
+alert smtp any any -> any any (frame:smtp.data; content:"Reply-To:"; startswith; content:"Subject"; distance:0; content:"This is a multi-part message in MIME format."; distance:0; sid:2;)
+alert smtp any any -> any any (frame:smtp.response_line; content:"220 smtp001.mail.xxx.xxxxx.com ESMTP"; startswith; sid:3;)
+alert smtp any any -> any any (frame:smtp.stream; content:"|0d 0a|.|0d 0a|"; sid:4;)
+alert smtp any any -> any any (frame:smtp.command_line; base64_decode; base64_data; content:"galunt"; sid:5;)
+alert smtp any any -> any any (flow:only_stream; content:"|0d 0a|.|0d 0a|"; sid:6;)
+alert smtp any any -> any any (frame:smtp.response_line; content:"354 go ahead"; startswith; sid:7;)
+alert smtp any any -> any any (frame:smtp.response_line; content:"250 ok"; startswith; sid:8;)
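Review bot: The rules file carries no comments, so a reader has to reverse-engineer from the matching test.yaml what each sid is meant to prove, and sids 4 and 6 in particular look alike at first glance: both look for the `|0d 0a|.|0d 0a|` end-of-DATA terminator, but sid 4 does it on `frame:smtp.stream` and sid 6 on `flow:only_stream`, presumably to contrast frame-based and plain stream matching. A one-line `#` comment above each rule would make that explicit, e.g. `# sid 4/6: same DATA terminator, matched via the smtp.stream frame vs. the raw stream` and `# sid 5: base64_decode on the command_line frame, match in the decoded buffer`. The lines are identical to sids 1–4 of tests/smtp-long-DATA-line-03-frames-ips/test.rules, so the same comments apply there.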
diff --git a/tests/smtp-long-DATA-line-02-frames/test.yaml b/tests/smtp-long-DATA-line-02-frames/test.yaml
new file mode 100644 (file)
index 0000000..346daab
--- /dev/null
@@ -0,0 +1,54 @@
+requires:
+  min-version: 8
+
+pcap: ../smtp-long-DATA-line/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 2
+      frame.tx_id: 0
+      smtp.helo: Percival
+      files[0].filename: "winmail.dat"
+      frame.type: data
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 4
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 5
+      frame.type: command_line
+      frame.tx_id: 0
+      smtp.helo: Percival
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 7
+      frame.type: response_line
+      frame.payload_printable: "354 go ahead\r\n"
+      frame.tx_id: 0
+      smtp.helo: Percival
+- filter:
+    count: 3
+    match:
+      alert.signature_id: 8
+      frame.type: response_line
+      frame.tx_id: 0
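Review bot: The filter for `alert.signature_id: 3` only pins the signature id, while the other `frame:smtp.response_line` rules (sids 7 and 8) also assert `frame.type: response_line` and `frame.tx_id: 0`; as written, sid 3 would still pass if its frame metadata were wrong, which is the thing this test exists to cover. Adding `frame.type: response_line` and `frame.tx_id: 0` under the sid 3 `match:` block would keep the three response-line checks at the same strength. Separately, `files[0].filename: "winmail.dat"` is quoted here but unquoted in the sibling tests/smtp-long-DATA-line-03-frames-ips/test.yaml; either form parses to the same string, but the two files would be easier to diff if they used one style.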
diff --git a/tests/smtp-long-DATA-line-03-frames-ips/README.md b/tests/smtp-long-DATA-line-03-frames-ips/README.md
new file mode 100644 (file)
index 0000000..21d6232
--- /dev/null
@@ -0,0 +1,9 @@
+# Test Description
+
+This test shows how we handle SMTP frames in IPS mode.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5981
+https://redmine.openinfosecfoundation.org/issues/6718
+https://redmine.openinfosecfoundation.org/issues/4905
diff --git a/tests/smtp-long-DATA-line-03-frames-ips/suricata.yaml b/tests/smtp-long-DATA-line-03-frames-ips/suricata.yaml
new file mode 100644 (file)
index 0000000..e1ced9b
--- /dev/null
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert
+        - files
+        - smtp
+        - anomaly
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: yes
+app-layer:
+  protocols:
+    smtp:
+      enabled: yes
+      raw-extraction: no
+      mime:
+        decode-mime: yes
+        decode-base64: yes
+        decode-quoted-printable: yes
diff --git a/tests/smtp-long-DATA-line-03-frames-ips/test.rules b/tests/smtp-long-DATA-line-03-frames-ips/test.rules
new file mode 100644 (file)
index 0000000..e17f5f3
--- /dev/null
@@ -0,0 +1,5 @@
+alert smtp any any -> any any (frame:smtp.command_line; content:"MAIL|20|FROM:"; startswith; content:"xxxxx.co.uk"; distance:0; content:">|0d 0a|"; endswith; sid:1;)
+alert smtp any any -> any any (frame:smtp.data; content:"Reply-To:"; startswith; content:"Subject"; distance:0; content:"This is a multi-part message in MIME format."; distance:0; sid:2;)
+alert smtp any any -> any any (frame:smtp.response_line; content:"220 smtp001.mail.xxx.xxxxx.com ESMTP"; startswith; sid:3;)
+alert smtp any any -> any any (frame:smtp.stream; content:"|0d 0a|.|0d 0a|"; sid:4;)
+alert smtp any any -> any any (flow:only_stream; content:"|0d 0a|.|0d 0a|"; sid:5;)
diff --git a/tests/smtp-long-DATA-line-03-frames-ips/test.yaml b/tests/smtp-long-DATA-line-03-frames-ips/test.yaml
new file mode 100644 (file)
index 0000000..f420a7b
--- /dev/null
@@ -0,0 +1,34 @@
+requires:
+  min-version: 8
+
+pcap: ../smtp-long-DATA-line/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 1
+- filter:
+    count: 2 # 2 because of multiple smtp.data updates, and we're doing sliding window
+    match:
+      alert.signature_id: 2
+      frame.type: data
+      frame.tx_id: 0
+      smtp.helo: Percival
+      files[0].filename: winmail.dat
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 3
+- filter:
+    count: 3 # 3 due to: 2 scans for data updates, 1 for end of stream
+    match:
+      alert.signature_id: 4
+- filter:
+    count: 2
+    match:
+      alert.signature_id: 5
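Review bot: The inline comments on `count: 2 # 2 because of multiple smtp.data updates …` and `count: 3 # 3 due to …` have a single space before `#`; yamllint's comments rule expects at least two, so `count: 2  # …` and `count: 3  # …`. The `count: 2` on the final sid 5 filter is the only IPS-mode count that differs from the non-IPS sibling test without a comment explaining why, even though sids 2 and 4 got one; something like `count: 2  # presumably one match per data update, no end-of-stream scan for only_stream — confirm` would document the expectation in the same style, hedged until verified against the engine's behaviour.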