From: Alice Akaki
Date: Wed, 9 Apr 2025 21:47:21 +0000 (-0400)
Subject: detect: add test for email.received keyword
X-Git-Tag: suricata-7.0.11~90
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a2713e45ced5d06bdb96f03e827b55b7a3a9b1f;p=thirdparty%2Fsuricata-verify.git
detect: add test for email.received keyword
Ticket: #7599
---
diff --git a/tests/detect-email-received/Makefile b/tests/detect-email-received/Makefile
new file mode 100644
index 000000000..56a83ff51
--- /dev/null
+++ b/tests/detect-email-received/Makefile
@@ -0,0 +1,3 @@
+input.pcap: smtp.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/detect-email-received/README.md b/tests/detect-email-received/README.md
new file mode 100644
index 000000000..1a35343fc
--- /dev/null
+++ b/tests/detect-email-received/README.md
@@ -0,0 +1,8 @@
+# Test Description
+Test mime email.received keyword
+
+## PCAP
+From created with Flowsynth
+
+## Redmine Ticket
+https://redmine.openinfosecfoundation.org/issues/7599
diff --git a/tests/detect-email-received/input.pcap b/tests/detect-email-received/input.pcap
new file mode 100644
index 000000000..e911564e8
Binary files /dev/null and b/tests/detect-email-received/input.pcap differ
diff --git a/tests/detect-email-received/smtp.syn b/tests/detect-email-received/smtp.syn
new file mode 100644
index 000000000..32baa8c56
--- /dev/null
+++ b/tests/detect-email-received/smtp.syn
@@ -0,0 +1,32 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:25 (tcp.initialize; mss:9000;);
+default < (content:"220 smtpblah.mailserver.xxx.com ESMTP AAAAAAAAA";);
+default > (content:"EHLO Simone\x0d\x0a";);
+default < (content:"250-smtp001.mail.xxx.xxxxx.com\x0d\x0a";);
+default > (content:"MAIL FROM: \x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: \x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: \x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: \x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: \x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"RCPT TO: \x0d\x0a";);
+default < (content:"250 ok\x0d\x0a";);
+default > (content:"DATA\x0d\x0a";);
+default < (content:"354 Start mail input; end with .\x0d\x0a";);
+default > (content:"Subject: Test Email\x0d\x0a";);
+default > (content:"Received: from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000\x0d\x0a";);
+default > (content:"Received: from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000\x0d\x0a";);
+default > (content:"Received: from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123; Thu, 10 Apr 2025 12:02:00 -0000\x0d\x0a";);
+default > (content:"From: \x0d\x0a";);
+default > (content:"To: , \x0d\x0a";);
+default > (content:"Cc: cc0 , cc1 , cc2 \x0d\x0a";);
+default > (content:"Content-Type: text/plain; charset=UTF-8\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"Hello, this is a test email.\x0d\x0a";);
+default > (content:".\x0d\x0a";);
+default < (content:"250 ok: queued as 12345\x0d\x0a";);
+default > (content:"QUIT\x0d\x0a";);
+default < (content:"221 smtp001.mail.xxx.xxxxx.com\x0d\x0a";);
\ No newline at end of file
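Review bot: The EHLO reply on the fourth line of the dialogue is an unterminated multi-line reply — `250-smtp001.mail.xxx.xxxxx.com` uses the continuation hyphen but no closing `250 ` line follows before the client sends MAIL FROM, so the exchange is not well-formed per RFC 5321 even if the SMTP parser tolerates it; `default < (content:"250 smtp001.mail.xxx.xxxxx.com\x0d\x0a";);` would fix that. The three Received headers are written in chronological order (client.local first, smtp.destination.com last), which is the reverse of real mail, where each MTA prepends its trace header so index 0 is the final hop and the sender-supplied header sits last; the test still passes, but a line in the README noting that `email.received` indexes follow message order, not hop order, would keep a reader from treating `[0]` as the originating client. The MAIL FROM, RCPT TO, From, To and Cc lines show no addresses in this rendering — if that is the file content rather than angle-bracket addresses lost on the page, they should carry a bracketed address so the envelope and MIME headers look like what the parser sees in practice.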
diff --git a/tests/detect-email-received/suricata.yaml b/tests/detect-email-received/suricata.yaml
new file mode 100644
index 000000000..ae9468a98
--- /dev/null
+++ b/tests/detect-email-received/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: yes
+ - smtp:
+ custom: [received] # for 'received' logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ - stats
+ - flow
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+exception-policy: ignore
diff --git a/tests/detect-email-received/test.rules b/tests/detect-email-received/test.rules
new file mode 100644
index 000000000..2e78973da
--- /dev/null
+++ b/tests/detect-email-received/test.rules
@@ -0,0 +1,3 @@
+alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc\; Thu, 10 Apr 2025 12:00:00 -0000"; startswith; endswith; bsize:119; sid:1;)
+alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz\; Thu, 10 Apr 2025 12:01:00 -0000"; startswith; endswith; bsize:126; sid:2;)
+alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123\; Thu, 10 Apr 2025 12:02:00 -0000"; startswith; endswith; bsize:130; sid:3;)
diff --git a/tests/detect-email-received/test.yaml b/tests/detect-email-received/test.yaml
new file mode 100644
index 000000000..334e13c60
--- /dev/null
+++ b/tests/detect-email-received/test.yaml
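Review bot: The eve `types` list enables `drop`, `stats` and `flow` records and a second `stats.log` output that nothing in this test reads — test.yaml filters only `alert` and `smtp` events — so the extra types only add noise to eve.json and make the config harder to read as a statement of what the test needs. Trimming `types` to the `alert` and `smtp` entries (keeping `custom: [received]`, which is the part under test) and dropping the file `stats` block would leave a minimal config; `tagged-packets: yes` is likewise unused here. The `exception-policy: ignore` and `action-order` settings appear to be boilerplate copied from neighbouring tests, which is fine, but a one-line comment saying so would save the next reader from wondering whether they matter for this keyword.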
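Review bot: All three signatures carry the identical `msg:"Test mime email received"`, so an alert on sid 2 or sid 3 cannot be distinguished by message in eve.json or fast.log; `msg:"Test mime email received hop 1"` (and hop 2, hop 3) costs nothing. With `startswith; endswith;` already anchoring the content to both ends of the buffer, `bsize` only restates the same length constraint (119/126/130 match the content lengths), which is harmless but worth a comment so nobody later "fixes" one without the other. The rules exercise only positive matches: a fourth signature whose content is the tail of one header followed by the head of the next (the `-0000` / `from smtp.relay1.com` boundary), checked for `count: 0` in test.yaml, would demonstrate that `email.received` is matched per header rather than over a concatenated buffer.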
@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.received[0]: "from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.received[1]: "from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.received[2]: "from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123; Thu, 10 Apr 2025 12:02:00 -0000"
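Review bot: Each of the three `event_type: smtp` filters constrains a single `email.received[i]` key, so together they do not establish that one smtp event carries all three hops in that order — one filter listing `email.received[0]`, `email.received[1]` and `email.received[2]` under the same `match` with `count: 1` would, and the three separate filters could then be collapsed into it. The `-k none --set stream.inline=true` arguments are given without explanation; a short comment above `args` stating why inline mode is required for this pcap would help whoever copies this test next. `min-version: 8` is consistent with the keyword being checked, though the tag on this commit is from the 7.0.x line of the verify tree, so presumably the gate is intentional.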