From: Shivani Bhardwaj
Date: Fri, 5 May 2023 08:24:15 +0000 (+0530)
Subject: smtp: add test for long DATA post boundary
X-Git-Tag: suricata-6.0.16~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1353d1ac55d4dd0c86574a5bfa3d019e95ab8432;p=thirdparty%2Fsuricata-verify.git
smtp: add test for long DATA post boundary
---
diff --git a/tests/smtp-bug-5981/README.md b/tests/smtp-bug-5981/README.md
new file mode 100644
index 000000000..4d4bd09e6
--- /dev/null
+++ b/tests/smtp-bug-5981/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows how we handle long DATA lines for SMTP.
+
+## PCAP
+
+PCAP comes from ttps://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
+and has been modified to have a really long DATA line (6512 Bytes).
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5981
diff --git a/tests/smtp-bug-5981/input.pcap b/tests/smtp-bug-5981/input.pcap
new file mode 100644
index 000000000..64e9c59d0
Binary files /dev/null and b/tests/smtp-bug-5981/input.pcap differ
diff --git a/tests/smtp-bug-5981/suricata.yaml b/tests/smtp-bug-5981/suricata.yaml
new file mode 100644
index 000000000..68e84b7f3
--- /dev/null
+++ b/tests/smtp-bug-5981/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - smtp
+ - anomaly
+ - file-store:
+ version: 2
+ enabled: yes
+ force-filestore: yes
diff --git a/tests/smtp-bug-5981/test.yaml b/tests/smtp-bug-5981/test.yaml
new file mode 100644
index 000000000..1ebf6673e
--- /dev/null
+++ b/tests/smtp-bug-5981/test.yaml
@@ -0,0 +1,64 @@
+requires:
+ features:
+ - HAVE_NSS
+ min-version: 7
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: anomaly
+ src_ip: 192.168.1.4
+ src_port: 3326
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ proto: TCP
+ pkt_src: wire/pcap
+ tx_id: 0
+ anomaly.app_proto: smtp
+ anomaly.type: applayer
+ anomaly.event: TRUNCATED_LINE
+ anomaly.layer: proto_parser
+
+- filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.filename: winmail.dat
+ fileinfo.sha256: 5f41c213e35d8421647181cc9b8925a5b2ab34c23102907581214fd574157fff
+ fileinfo.size: 10451
+
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ src_ip: 192.168.1.4
+ src_port: 3326
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ proto: TCP
+ pkt_src: wire/pcap
+ tx_id: 0
+ smtp.helo: Percival
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ email.status: PARSE_DONE
+ email.from: '"Xxxxxx xxxx" '
+ email.to[0]:
+
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ src_ip: 192.168.1.4
+ src_port: 3326
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ proto: TCP
+ pkt_src: stream (flow timeout)
+ tx_id: 1
+ smtp.helo: Percival
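Review bot: The `count: 0` check at the top of the hunk is over-specified for a negative assertion: it only fails if a TRUNCATED_LINE anomaly is logged with exactly those nine flow fields plus `pkt_src: wire/pcap`, `tx_id: 0`, `anomaly.layer: proto_parser`, so an anomaly emitted on the timed-out stream side or for another transaction would still leave the count at zero and the regression this test exists for would pass silently. A negative check should match as little as possible; reduce it to `event_type: anomaly` and `anomaly.event: TRUNCATED_LINE` (or just `event_type: anomaly`, since no anomaly at all is expected for this pcap). The `min-version: 7` requirement also deserves a comment, since the patch is tagged in a suricata-6.0.16 series of this repository and, as written, the test would simply be skipped on 6.0.x; if the fix is 7-only, a `# TRUNCATED_LINE handling for long DATA lines differs on 6.0.x` note next to the requirement would make that explicit.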