detect-file-data: add tests for SMTP file data

Task: 4938

diff --git a/tests/smtp-file-data-01/README.md b/tests/smtp-file-data-01/README.md
new file mode 100644 (file)
index 0000000..b6b2800
--- /dev/null
+++ b/tests/smtp-file-data-01/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test file_data keyword against smtp
+
+# PCAP
+
+The pcap comes from https://github.com/cisco-system-traffic-generator/trex-profiles/blob/master/Mellanox/Traffic_Mix_v1/pcaps_for_application_mix_v1/SMTP_IXIA_98P_253B.pcap

diff --git a/tests/smtp-file-data-01/input.pcap b/tests/smtp-file-data-01/input.pcap
new file mode 100644 (file)
index 0000000..b3c8f53
Binary files /dev/null and b/tests/smtp-file-data-01/input.pcap differ

diff --git a/tests/smtp-file-data-01/test.rules b/tests/smtp-file-data-01/test.rules
new file mode 100644 (file)
index 0000000..b30aba0
--- /dev/null
+++ b/tests/smtp-file-data-01/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"file_data smtp test"; file_data; content:"if was"; sid:1;)

diff --git a/tests/smtp-file-data-01/test.yaml b/tests/smtp-file-data-01/test.yaml
new file mode 100644 (file)
index 0000000..041de7d
--- /dev/null
+++ b/tests/smtp-file-data-01/test.yaml
@@ -0,0 +1,74 @@
+requires:
+  min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 1.2.190.250
+      dest_port: 25
+      email.attachment[0]: J.txt
+      email.from: <sender@example.com>
+      email.status: PARSE_DONE
+      email.to[0]: <recipient@example.com>
+      event_type: smtp
+      pcap_cnt: 89
+      proto: TCP
+      smtp.helo: client-1016363.example.int
+      smtp.mail_from: <sender@example.com>
+      smtp.rcpt_to[0]: <recipient@example.com>
+      src_ip: 1.1.205.22
+      src_port: 4053
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: ''
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 3
+      alert.signature: file_data smtp test
+      alert.signature_id: 1
+      app_proto: smtp
+      app_proto_tc: failed
+      dest_ip: 1.2.190.250
+      dest_port: 25
+      email.attachment[0]: J.txt
+      email.from: <sender@example.com>
+      email.status: PARSE_DONE
+      email.to[0]: <recipient@example.com>
+      event_type: alert
+      files[0].filename: J.txt
+      files[0].gaps: false
+      files[0].size: 16386
+      files[0].state: CLOSED
+      files[0].stored: false
+      files[0].tx_id: 0
+      flow.bytes_toclient: 2928
+      flow.bytes_toserver: 21322
+      flow.pkts_toclient: 34
+      flow.pkts_toserver: 57
+      pcap_cnt: 91
+      proto: TCP
+      smtp.helo: client-1016363.example.int
+      smtp.mail_from: <sender@example.com>
+      smtp.rcpt_to[0]: <recipient@example.com>
+      src_ip: 1.1.205.22
+      src_port: 4053
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 1.2.190.250
+      dest_port: 25
+      event_type: smtp
+      pcap_cnt: 98
+      proto: TCP
+      smtp.helo: client-1016363.example.int
+      src_ip: 1.1.205.22
+      src_port: 4053
+      tx_id: 1

diff --git a/tests/smtp-file-data-02/README.md b/tests/smtp-file-data-02/README.md
new file mode 100644 (file)
index 0000000..8eff269
--- /dev/null
+++ b/tests/smtp-file-data-02/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test file_data keyword against smtp for fragmented data
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/smtp.pcap

diff --git a/tests/smtp-file-data-02/input.pcap b/tests/smtp-file-data-02/input.pcap
new file mode 100644 (file)
index 0000000..931b43b
Binary files /dev/null and b/tests/smtp-file-data-02/input.pcap differ

diff --git a/tests/smtp-file-data-02/test.rules b/tests/smtp-file-data-02/test.rules
new file mode 100644 (file)
index 0000000..74276d9
--- /dev/null
+++ b/tests/smtp-file-data-02/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"file_data smtp test"; file_data; content:"Added"; sid:1;)

diff --git a/tests/smtp-file-data-02/test.yaml b/tests/smtp-file-data-02/test.yaml
new file mode 100644 (file)
index 0000000..b031709
--- /dev/null
+++ b/tests/smtp-file-data-02/test.yaml
@@ -0,0 +1,74 @@
+requires:
+  min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 74.53.140.153
+      dest_port: 25
+      email.attachment[0]: NEWS.txt
+      email.from: '"Gurpartap Singh" <gurpartap@patriots.in>'
+      email.status: PARSE_DONE
+      email.to[0]: <raj_deol2002in@yahoo.co.in>
+      event_type: smtp
+      pcap_cnt: 51
+      proto: TCP
+      smtp.helo: GP
+      smtp.mail_from: <gurpartap@patriots.in>
+      smtp.rcpt_to[0]: <raj_deol2002in@yahoo.co.in>
+      src_ip: 10.10.1.4
+      src_port: 1470
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: ''
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 3
+      alert.signature: file_data smtp test
+      alert.signature_id: 1
+      app_proto: smtp
+      app_proto_tc: failed
+      dest_ip: 74.53.140.153
+      dest_port: 25
+      email.attachment[0]: NEWS.txt
+      email.from: '"Gurpartap Singh" <gurpartap@patriots.in>'
+      email.status: PARSE_DONE
+      email.to[0]: <raj_deol2002in@yahoo.co.in>
+      event_type: alert
+      files[0].filename: NEWS.txt
+      files[0].gaps: false
+      files[0].size: 10735
+      files[0].state: CLOSED
+      files[0].stored: false
+      files[0].tx_id: 0
+      flow.bytes_toclient: 4118
+      flow.bytes_toserver: 21897
+      flow.pkts_toclient: 26
+      flow.pkts_toserver: 25
+      pcap_cnt: 53
+      proto: TCP
+      smtp.helo: GP
+      smtp.mail_from: <gurpartap@patriots.in>
+      smtp.rcpt_to[0]: <raj_deol2002in@yahoo.co.in>
+      src_ip: 10.10.1.4
+      src_port: 1470
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 74.53.140.153
+      dest_port: 25
+      event_type: smtp
+      pcap_cnt: 58
+      proto: TCP
+      smtp.helo: GP
+      src_ip: 10.10.1.4
+      src_port: 1470
+      tx_id: 1