From: Victor Julien
Date: Mon, 18 Jan 2021 09:41:12 +0000 (+0100)
Subject: tests: add bug 1045 test
X-Git-Tag: suricata-6.0.4~185
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d4e1b1a8a75290a78bdad414ba27245e56c1e07;p=thirdparty%2Fsuricata-verify.git

tests: add bug 1045 test
---

diff --git a/tests/bug-1045/smtp.rules b/tests/bug-1045/smtp.rules
new file mode 100644
index 000000000..33bd3b1a6
--- /dev/null
+++ b/tests/bug-1045/smtp.rules
@@ -0,0 +1,5 @@
+# by rmkml
+alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)
+alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)
+alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; classtype:attempted-admin; sid:3; rev:1;)
+
diff --git a/tests/bug-1045/smtpsuricataflowbitsFN.pcap b/tests/bug-1045/smtpsuricataflowbitsFN.pcap
new file mode 100644
index 000000000..9e1f279bd
Binary files /dev/null and b/tests/bug-1045/smtpsuricataflowbitsFN.pcap differ
diff --git a/tests/bug-1045/test.yaml b/tests/bug-1045/test.yaml
new file mode 100644
index 000000000..3989317a0
--- /dev/null
+++ b/tests/bug-1045/test.yaml
@@ -0,0 +1,30 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        src_ip: "88.191.140.111"
+        src_port: 51906
+        dest_ip: "188.125.69.79"
+        dest_port: 25
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+
+
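Review bot: Neither test.yaml nor smtp.rules records what bug 1045 is or why exactly one alert per sid is the expected outcome; the only hint is the pcap name `smtpsuricataflowbitsFN.pcap`, which suggests a flowbits false negative, but that is an inference a future maintainer should not have to make. Add a header comment to test.yaml such as `# Bug 1045: flowbits chain EHLO (set) -> DATA (isset/unset/set) -> Subject (isset) must fire each of sid 1-3 exactly once on the SMTP flow in the pcap`, and a matching line in smtp.rules after `# by rmkml`. Separately, the three per-sid filters are not scoped to the flow tuple the way the first filter is, so if the pcap presumably holds a single session today, any later addition of a second session would silently widen those counts; pinning them with `src_port: 51906` keeps each count tied to the same flow.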