From: Thomas Winter Date: Mon, 15 May 2023 00:03:08 +0000 (+1200) Subject: smtp: Add test to match on attachment with md5 X-Git-Tag: suricata-7.0.0~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=60b08faaac918e026dde5587695f73d6a1755cc4;p=thirdparty%2Fsuricata-verify.git smtp: Add test to match on attachment with md5 Based on the filemd5 test but using smtp attachment instead. The SMTP transaction contains the EICAR file as an attachment and the expected md5 to match used is the standard md5 for the EICAR. --- diff --git a/tests/smtp-attachment-md5/input.pcap b/tests/smtp-attachment-md5/input.pcap new file mode 100644 index 000000000..16375cfa3 Binary files /dev/null and b/tests/smtp-attachment-md5/input.pcap differ diff --git a/tests/smtp-attachment-md5/target.md5 b/tests/smtp-attachment-md5/target.md5 new file mode 100644 index 000000000..b22bda53d --- /dev/null +++ b/tests/smtp-attachment-md5/target.md5 @@ -0,0 +1 @@ +44d88612fea8a8f36de82e1278abb02f diff --git a/tests/smtp-attachment-md5/test.rules b/tests/smtp-attachment-md5/test.rules new file mode 100644 index 000000000..8497e73a9 --- /dev/null +++ b/tests/smtp-attachment-md5/test.rules @@ -0,0 +1 @@ +alert smtp any any -> any any (msg:"test"; filemd5: target.md5; classtype: bad-unknown; sid:1530024;) diff --git a/tests/smtp-attachment-md5/test.yaml b/tests/smtp-attachment-md5/test.yaml new file mode 100644 index 000000000..3c17b1b58 --- /dev/null +++ b/tests/smtp-attachment-md5/test.yaml @@ -0,0 +1,9 @@ +requires: + features: + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert
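Review bot: the rule in the test.rules hunk carries no `rev` keyword; add `rev:1;` after `sid:1530024;` so the signature follows the usual sid/rev convention and can be bumped if the rule changes. The `any any -> any any` header also means the rule fires on an EICAR attachment in either direction, which is fine for a single-pcap test but worth a short comment line in the file (e.g. `# matches the EICAR attachment in input.pcap via target.md5`) so a later reader knows which file the hash list refers to.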
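Review bot: the check in the test.yaml hunk only asserts that exactly one `alert` event exists, so it would still pass if some other rule produced the alert; pin it to this rule by adding `alert.signature_id: 1530024` under `match`. To verify that the md5 was actually computed for the SMTP attachment rather than just that an alert fired, consider a second check for a `fileinfo` event whose `fileinfo.md5` equals the value in target.md5, `44d88612fea8a8f36de82e1278abb02f`.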