From: Philippe Antoine
Date: Thu, 18 Apr 2019 13:43:17 +0000 (+0200)
Subject: Adds smtp rset test
X-Git-Tag: suricata-6.0.4~468
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c92068230323fa9d5743c8eec844f1ff6f19984;p=thirdparty%2Fsuricata-verify.git

Adds smtp rset test

Resetting BDAT chunks length
---
diff --git a/tests/smtp-rset/README.md b/tests/smtp-rset/README.md
new file mode 100644
index 000000000..9ba2f0ccd
--- /dev/null
+++ b/tests/smtp-rset/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test smtp RSET support.
+
+# PCAP
+
+The pcap comes from running postfix 3.4.5 as a server and the present dummy python script client.py
+The client sends 2 mails (with BDAT) in one connection with RSET in between
+The point is to test that Suricata resets its smtp state
diff --git a/tests/smtp-rset/client.py b/tests/smtp-rset/client.py
new file mode 100644
index 000000000..3d51434b9
--- /dev/null
+++ b/tests/smtp-rset/client.py
@@ -0,0 +1,22 @@
+import socket
+
+def sendandrecv(sock, a):
+ sock.send(a)
+ sock.recv(2000)
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect(("127.0.0.1", 25))
+data = sock.recv(2000)
+
+sendandrecv(sock,"EHLO ehlo.fr\r\n")
+sendandrecv(sock,"MAIL FROM:\r\nRCPT TO:\r\n")
+msg = "Message 1\r\n"
+sock.send("BDAT %d LAST\r\n" % len(msg))
+sendandrecv(sock,msg)
+sendandrecv(sock,"RSET\r\n")
+sendandrecv(sock,"MAIL FROM:\r\nRCPT TO:\r\n")
+msg = "Message Two\r\n"
+sock.send("BDAT %d LAST\r\n" % len(msg))
+sendandrecv(sock,msg)
+sendandrecv(sock,"QUIT\r\n")
+sock.close()
diff --git a/tests/smtp-rset/input.pcap b/tests/smtp-rset/input.pcap
new file mode 100644
index 000000000..5f44e5096
Binary files /dev/null and b/tests/smtp-rset/input.pcap differ
diff --git a/tests/smtp-rset/test.rules b/tests/smtp-rset/test.rules
new file mode 100644
index 000000000..72df1994c
--- /dev/null
+++ b/tests/smtp-rset/test.rules
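Review bot: client.py is Python-2-only: `sock.send(a)` in sendandrecv and the two `sock.send("BDAT %d LAST\r\n" % len(msg))` calls pass `str`, which on Python 3 raises `TypeError: a bytes-like object is required`, so the pcap cannot be regenerated there; encoding at the send points, `sock.send(a.encode("ascii"))` and `sock.send(("BDAT %d LAST\r\n" % len(msg)).encode("ascii"))`, keeps the byte length used in the BDAT header correct and works on both interpreters. The `MAIL FROM:` and `RCPT TO:` commands appear with empty addresses, which may be angle-bracketed addresses lost in rendering; if they really are empty, postfix rejects them and the BDAT exchange the README describes never occurs, so the committed script should show the addresses it actually sent. sendandrecv discards the reply it reads, so a 5xx response is silently ignored and the client carries on, which can produce a pcap that does not contain the traffic the test claims; checking that the reply begins with `2` or `3` would make regeneration fail loudly instead. The `data` read from the greeting is never used and can be dropped.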
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"SURICATA SMTP BDAT Chunk len exceeded"; flow:established,to_server; app-layer-event:smtp.bdat_chunk_len_exceeded; classtype:protocol-command-decode; sid:1; rev:1;)
diff --git a/tests/smtp-rset/test.yaml b/tests/smtp-rset/test.yaml
new file mode 100644
index 000000000..19381fc43
--- /dev/null
+++ b/tests/smtp-rset/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
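Review bot: The only check in test.yaml is `count: 0` for alerts with `alert.signature_id: 1`, a purely negative assertion that also passes vacuously if the SMTP parser is disabled, the `smtp.bdat_chunk_len_exceeded` event is not registered, or input.pcap is not decoded at all. A positive check would anchor the test to the traffic it was built for, e.g. a second filter on `event_type: smtp` with a count confirmed against the pcap (two BDAT mails in one connection, so presumably 2 — to be verified against the actual EVE output). The rule in test.rules matches only `flow:established,to_server`, so the assertion also depends on both directions of the connection being present in the capture, which `-k none` does not affect; a comment recording that the pcap is bidirectional would help whoever regenerates it. A short comment above `checks:` stating the intent, `# after RSET the second BDAT must not trip the chunk-length event`, would make the expected `count: 0` self-explanatory.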