From: Shivani Bhardwaj Date: Tue, 11 Jul 2023 16:40:40 +0000 (+0530) Subject: mime: add tests for bug 6207 X-Git-Tag: suricata-7.0.0~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=02479e29fb5a78fd7d654cdf46ba90f3be44a0ce;p=thirdparty%2Fsuricata-verify.git mime: add tests for bug 6207
---
diff --git a/tests/bug-6207-1/README.md b/tests/bug-6207-1/README.md
new file mode 100644
index 000000000..7d4972111
--- /dev/null
+++ b/tests/bug-6207-1/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows that base64 encoded MIME data with invalid characters should
+ideally be accepted with all invalid characters skipped.
+
+## PCAP
+
+Manually created
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6207
diff --git a/tests/bug-6207-1/input.pcap b/tests/bug-6207-1/input.pcap
new file mode 100644
index 000000000..26fafb50f
Binary files /dev/null and b/tests/bug-6207-1/input.pcap differ
diff --git a/tests/bug-6207-1/invalid-base64-mime.syn b/tests/bug-6207-1/invalid-base64-mime.syn
new file mode 100644
index 000000000..a1abf87c2
--- /dev/null
+++ b/tests/bug-6207-1/invalid-base64-mime.syn
@@ -0,0 +1,42 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:25 (tcp.initialize; mss:9000;);
+default < (content:"220 smtp.server.com ESMTP Postfix\x0d\x0a";);
+default > (content:"EHLO smtp.intra\x0d\x0a";);
+default < (content:"250-smtp.lab.com\x0d\x0a250-PIPELINING\x0d\x0a250-SIZE 10240000\x0d\x0a250-VRFY\x0d\x0a250-ETRN\x0d\x0a250-STARTTLS\x0d\x0a250-ENHANCEDSTATUSCODES\x0d\x0a250-8BITMIME\x0d\x0a250-DSN\x0d\x0a250-SMTPUTF8\x0d\x0a250 CHUNKING\x0d\x0a";);
+default > (content:"MAIL FROM:blah@smtp.lab.com\x0d\x0a";);
+default < (content:"250 2.1.0 Ok\x0d\x0a";);
+default > (content:"RCPT TO:test@wut.com\x0d\x0a";);
+default < (content:"250 2.1.5 Ok\x0d\x0a";);
+default > (content:"DATA\x0d\x0a";);
+default < (content:"354 End data with .\x0d\x0a";);
+default > (content:"Subject: SMTPbelka-test_sans_name2021-03-08-17:28:53-221a0d8d17b3b41e28ec113dcabb55da7bdb03a8c0bb5d3de252f5d69347aa4d.zip\x0d\x0a";);
+default > (content:"Content-Type: multipart/mixed; boundary=KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"This is a MIME formatted message. 
If you see this text it means that your\x0d\x0a";);
+default > (content:"email software does not support MIME formatted messages.\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: text/plain; charset=UTF-8; format=flowed\x0d\x0a";);
+default > (content:"Content-Disposition: inline\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"Ceci est un test\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: application/zip;\x0d\x0a";);
+default > (content:"Content-Transfer-Encoding: base64\x0d\x0a";);
+default > (content:"Content-Disposition: attachment;\x0d\x0afilename*0=smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13;\x0d\x0afilename*1=ddf80e995fd98ae442f3be499ea928c67f..zip\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"UEsDBBQAAAAIAMGLWFIeAcE7CsgAAADIAAAdABwAc2Fpbi0yMDIxLTAyLTI0VDE3LTMwLTAxWi50\x0d\x0a";);
+default > (content:"eHRVVAkAAxmNNmAZjTZgdXgLAAEEcQAAAAT+/wAAAAuA9H9xrzNtrXD6Avu6lf86JhdtXpj+V+CV\x0d\x0a";);
+default > (content:"TQ3MBns/euhyQpaFS34j/1zGPp95UrLemiRgwzVyovXXbnHVAfflBmdR99srXFv4q5T5s2Lk38ZH\x0d\x0a";);
+default > (content:"VUTKzuXSaeVqtozS6u9XFMZZT/8rYwuqoJXTJGoIAVRFVbljGJt/7YX05QOtUCjS5PAKoNeVMNQ5\x0d\x0a";);
+default > (content:"AIZzgHnecqFuvMX3TjvZmW01SCiDnEU8nfBqsxoEn3bpPAEP9d0M8Ybl6b6L06dJEu++P6Uzo7hw\x0d\x0a";);
+default > (content:"b c ;* #$%^@%)(*- \x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq--\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a.\x0d\x0a";);
+default < (content:"250 2.0.0 Ok: queued as 5C19921E0D\x0d\x0a";);
+default > (content:"quit\x0d\x0a";);
+default < (content:"221 2.0.0 Bye\x0d\x0a";);
diff --git a/tests/bug-6207-1/test.yaml b/tests/bug-6207-1/test.yaml
new file mode 100644
index 000000000..3c8135c35
--- /dev/null
+++ b/tests/bug-6207-1/test.yaml
@@ -0,0 +1,30 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+exit-code: 0
+
+checks:
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ email.status: BODY_END_BOUND
+ event_type: fileinfo
+ fileinfo.filename: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ fileinfo.size: 286
+ smtp.helo: smtp.intra
+ smtp.mail_from: blah@smtp.lab.com
+ smtp.rcpt_to[0]: test@wut.com
+- filter:
+ count: 1
+ match:
+ email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ email.status: PARSE_DONE
+ event_type: smtp
+ smtp.helo: smtp.intra
+ smtp.mail_from: blah@smtp.lab.com
+ smtp.rcpt_to[0]: test@wut.com
diff --git a/tests/bug-6207-2/README.md b/tests/bug-6207-2/README.md
new file mode 100644
index 000000000..11f5f4271
--- /dev/null
+++ b/tests/bug-6207-2/README.md
@@ -0,0 +1,19 @@
+# Test Description
+
+Test for the edge case that should be handled properly by MIME decoder while
+following RFC2045.
+
+```
+NA=
+=Mg
+==
+```
+should ideally get decoded to `42` as demonstrated in this test.
+
+## PCAP
+
+Manually created.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6207
diff --git a/tests/bug-6207-2/input.pcap b/tests/bug-6207-2/input.pcap
new file mode 100644
index 000000000..89ac39c67
Binary files /dev/null and b/tests/bug-6207-2/input.pcap differ
diff --git a/tests/bug-6207-2/invalid-base64-mime.syn b/tests/bug-6207-2/invalid-base64-mime.syn
new file mode 100644
index 000000000..d8e9a1498
--- /dev/null
+++ b/tests/bug-6207-2/invalid-base64-mime.syn
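Review bot: The fileinfo check in tests/bug-6207-1/test.yaml pins only `fileinfo.size: 286`, so a decoder that skips the invalid characters but emits the wrong bytes, or one that happens to produce the same length by other means, would still pass; the sibling tests/bug-6207-2/test.yaml pins `fileinfo.state` and `fileinfo.sha256`, and this test should do the same. Adding `fileinfo.state: CLOSED` and `fileinfo.sha256: <sha256 of the expected decoded attachment>` under the first `match:` turns the assertion into one about content rather than length. Note also that this test carries `exit-code: 0` while bug-6207-2's does not, and that bug-6207-1 ships no suricata.yaml, so it appears to rely on the default mime decoding settings where bug-6207-2 sets them explicitly; aligning the two would make the pair easier to compare.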
@@ -0,0 +1,39 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:25 (tcp.initialize; mss:9000;);
+default < (content:"220 smtp.server.com ESMTP Postfix\x0d\x0a";);
+default > (content:"EHLO smtp.intra\x0d\x0a";);
+default < (content:"250-smtp.lab.com\x0d\x0a250-PIPELINING\x0d\x0a250-SIZE 10240000\x0d\x0a250-VRFY\x0d\x0a250-ETRN\x0d\x0a250-STARTTLS\x0d\x0a250-ENHANCEDSTATUSCODES\x0d\x0a250-8BITMIME\x0d\x0a250-DSN\x0d\x0a250-SMTPUTF8\x0d\x0a250 CHUNKING\x0d\x0a";);
+default > (content:"MAIL FROM:blah@smtp.lab.com\x0d\x0a";);
+default < (content:"250 2.1.0 Ok\x0d\x0a";);
+default > (content:"RCPT TO:test@wut.com\x0d\x0a";);
+default < (content:"250 2.1.5 Ok\x0d\x0a";);
+default > (content:"DATA\x0d\x0a";);
+default < (content:"354 End data with .\x0d\x0a";);
+default > (content:"Subject: SMTPbelka-test_sans_name2021-03-08-17:28:53-221a0d8d17b3b41e28ec113dcabb55da7bdb03a8c0bb5d3de252f5d69347aa4d.zip\x0d\x0a";);
+default > (content:"Content-Type: multipart/mixed; boundary=KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"This is a MIME formatted message. 
If you see this text it means that your\x0d\x0a";);
+default > (content:"email software does not support MIME formatted messages.\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: text/plain; charset=UTF-8; format=flowed\x0d\x0a";);
+default > (content:"Content-Disposition: inline\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"Ceci est un test\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: application/zip;\x0d\x0a";);
+default > (content:"Content-Transfer-Encoding: base64\x0d\x0a";);
+default > (content:"Content-Disposition: attachment;\x0d\x0afilename*0=smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13;\x0d\x0afilename*1=ddf80e995fd98ae442f3be499ea928c67f..zip\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"NA=\x0d\x0a";);
+default > (content:"=Mg\x0d\x0a";);
+default > (content:"==\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq--\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a.\x0d\x0a";);
+default < (content:"250 2.0.0 Ok: queued as 5C19921E0D\x0d\x0a";);
+default > (content:"quit\x0d\x0a";);
+default < (content:"221 2.0.0 Bye\x0d\x0a";);
diff --git a/tests/bug-6207-2/suricata.rules b/tests/bug-6207-2/suricata.rules
new file mode 100644
index 000000000..da357e39f
--- /dev/null
+++ b/tests/bug-6207-2/suricata.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg: "Test file content"; file.data; content:"42"; sid:1;)
diff --git a/tests/bug-6207-2/suricata.yaml b/tests/bug-6207-2/suricata.yaml
new file mode 100644
index 000000000..e1ced9b5f
--- /dev/null
+++ b/tests/bug-6207-2/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert
+ - files
+ - smtp
+ - anomaly
+ - file-store:
+ version: 2
+ enabled: yes
+ force-filestore: yes
+app-layer:
+ protocols:
+ smtp:
+ enabled: yes
+ raw-extraction: no
+ mime:
+ decode-mime: yes
+ decode-base64: yes
+ decode-quoted-printable: yes
diff --git a/tests/bug-6207-2/test.yaml b/tests/bug-6207-2/test.yaml
new file mode 100644
index 000000000..c038e96be
--- /dev/null
+++ b/tests/bug-6207-2/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ event_type: fileinfo
+ fileinfo.filename: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ fileinfo.size: 2
+ fileinfo.state: CLOSED
+ fileinfo.sha256: 73475cb40a568e8da8a045ced110137e159f890ac4da883b6b17dc651b3a8049
+ smtp.helo: smtp.intra
+ smtp.mail_from: blah@smtp.lab.com
+ smtp.rcpt_to[0]: test@wut.com
+- filter:
+ count: 1
+ match:
+ email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ email.status: PARSE_DONE
+ event_type: smtp
+ smtp.helo: smtp.intra
+ smtp.mail_from: blah@smtp.lab.com
+ smtp.rcpt_to[0]: test@wut.com
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
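Review bot: tests/bug-6207-2/test.yaml asserts what the tolerant decode produces but never that it is silent: suricata.yaml enables the `anomaly` eve type, yet no filter checks that zero anomaly events are logged for this flow, so a decoder that both yields `42` and raises a malformed-base64 anomaly would pass unnoticed. A negative filter such as `- filter:` / `count: 0` / `match:` / `event_type: anomaly` appended to `checks:` would pin that. If tests/bug-6207-1/test.yaml is meant to make the same claim (invalid characters skipped without error), it would need the same negative check, though without a suricata.yaml there it is unclear whether anomaly logging is enabled.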