From: Victor Julien Date: Thu, 20 Nov 2025 12:46:10 +0000 (-0500) Subject: tests: add pop3 auth test X-Git-Tag: suricata-7.0.14~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=366200b9bbb1044a6b72be2e06273e60aa334d25;p=thirdparty%2Fsuricata-verify.git tests: add pop3 auth test Based on real traffic recreated with flowsynth to protect privacy.
---
diff --git a/tests/pop3-auth-01/Makefile b/tests/pop3-auth-01/Makefile
new file mode 100644
index 000000000..b57781dba
--- /dev/null
+++ b/tests/pop3-auth-01/Makefile
@@ -0,0 +1,3 @@
+input.pcap: pop3.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/pop3-auth-01/input.pcap b/tests/pop3-auth-01/input.pcap
new file mode 100644
index 000000000..5cf16d662
Binary files /dev/null and b/tests/pop3-auth-01/input.pcap differ
diff --git a/tests/pop3-auth-01/pop3.syn b/tests/pop3-auth-01/pop3.syn
new file mode 100644
index 000000000..7e52187aa
--- /dev/null
+++ b/tests/pop3-auth-01/pop3.syn
@@ -0,0 +1,14 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:110 (tcp.initialize; mss:9000;);
+default > (content:"CAPA\x0d\x0a";);
+default < (content:"+OK Capability list follows\x0d\x0aUSER\x0d\x0aRESP-CODES\x0d\x0aEXPIRE 0\x0d\x0aLOGIN-DELAY 300\x0d\x0aTOP\x0d\x0aUIDL\x0d\x0aX-GOOGLE-RICO\x0d\x0aSASL PLAIN XOAUTH2 OAUTHBEARER\x0d\x0a.\x0d\x0a";);
+default > (content:"AUTH XOAUTH2\x0d\x0a";);
+default < (content:"+ \x0d\x0a";);
+default > (content:"dXNlcj1qb2Uuc3BlZWRib2F0AWF1dGg9QmVhcmVyIEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUEBAQ==\x0d\x0a";);
+default < (content:"+OK Welcome.\x0d\x0a";);
+default > (content:"STAT\x0d\x0a";);
+default < (content:"+OK 1 308661\x0d\x0a";);
+default > (content:"LIST\x0d\x0a";);
+default < (content:"+OK 1 messages (308661 bytes)\x0d\x0a1 308661\x0d\x0a.\x0d\x0a";);
+default > (content:"UIDL\x0d\x0a";);
+default < (content:"+OK\x0d\x0a1 GmailId123456789\x0d\x0a.\x0d\x0a";);
+default > (content:"QUIT\x0d\x0a";);
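Review bot: The base64 line sent after `AUTH XOAUTH2` is opaque to a reader, so nothing in the file shows that the credential was sanitised along with the rest of the recreated traffic. It decodes to a `user=` field, `auth=Bearer` and a run of `A` characters, i.e. a placeholder token. A comment above that line saying so, for example `# XOAUTH2 initial response with placeholder bearer token (all 'A')` if flowsynth's `#` comment syntax is accepted here, would let reviewers confirm at a glance that no live token was committed.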
diff --git a/tests/pop3-auth-01/test.yaml b/tests/pop3-auth-01/test.yaml
new file mode 100644
index 000000000..be7193136
--- /dev/null
+++ b/tests/pop3-auth-01/test.yaml
@@ -0,0 +1,119 @@
+requires:
+ version: 9
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 110
+ event_type: pop3
+ ip_v: 4
+ pcap_cnt: 7
+ pop3.request.command: CAPA
+ pop3.response.data[0]: USER
+ pop3.response.data[1]: RESP-CODES
+ pop3.response.data[2]: EXPIRE 0
+ pop3.response.data[3]: LOGIN-DELAY 300
+ pop3.response.data[4]: TOP
+ pop3.response.data[5]: UIDL
+ pop3.response.data[6]: X-GOOGLE-RICO
+ pop3.response.data[7]: SASL PLAIN XOAUTH2 OAUTHBEARER
+ pop3.response.header: Capability list follows
+ pop3.response.status: OK
+ pop3.response.success: true
+ proto: TCP
+ src_ip: 1.1.1.1
+ src_port: 5555
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 110
+ event_type: pop3
+ ip_v: 4
+ pcap_cnt: 11
+ pop3.request.args[0]: XOAUTH2
+ pop3.request.command: AUTH
+ pop3.response.header: ''
+ pop3.response.status: OK
+ pop3.response.success: true
+ proto: TCP
+ src_ip: 1.1.1.1
+ src_port: 5555
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 110
+ event_type: pop3
+ ip_v: 4
+ pcap_cnt: 15
+ pop3.request.command:
+ pop3.response.header: Welcome.
+ pop3.response.status: OK
+ pop3.response.success: true
+ proto: TCP
+ src_ip: 1.1.1.1
+ src_port: 5555
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 110
+ event_type: pop3
+ ip_v: 4
+ pcap_cnt: 19
+ pop3.request.command: STAT
+ pop3.response.header: 1 308661
+ pop3.response.status: OK
+ pop3.response.success: true
+ proto: TCP
+ src_ip: 1.1.1.1
+ src_port: 5555
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 110
+ event_type: pop3
+ ip_v: 4
+ pcap_cnt: 23
+ pop3.request.command: LIST
+ pop3.response.data[0]: 1 308661
+ pop3.response.header: 1 messages (308661 bytes)
+ pop3.response.status: OK
+ pop3.response.success: true
+ proto: TCP
+ src_ip: 1.1.1.1
+ src_port: 5555
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 110
+ event_type: pop3
+ ip_v: 4
+ pcap_cnt: 27
+ pop3.request.command: UIDL
+ pop3.response.data[0]: 1 GmailId123456789
+ pop3.response.header: ''
+ pop3.response.status: OK
+ pop3.response.success: true
+ proto: TCP
+ src_ip: 1.1.1.1
+ src_port: 5555
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 110
+ event_type: pop3
+ ip_v: 4
+ pop3.request.command: QUIT
+ proto: TCP
+ src_ip: 1.1.1.1
+ src_port: 5555
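Review bot: The `pcap_cnt: 15` filter covers the transaction carrying the client's base64 XOAUTH2 response, but it asserts only a bare `pop3.request.command:` and the `Welcome.` reply, so nothing pins whether the SASL blob reaches the logged event. The bare value parses as YAML null, unlike the `''` used for empty headers elsewhere in the file. In real traffic that blob holds a bearer token, so the test should state the intended logging behaviour explicitly. Either match the field that is expected to carry it or, if the parser is meant to withhold it, add a key-absence check such as `not-has-key: pop3.request.args` (confirm the keyword and field name against the suricata-verify runner). A comment above the filter, e.g. `# SASL continuation: client sends base64 XOAUTH2 response, no POP3 command`, would also explain the empty command.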