From: Philippe Antoine <pantoine@oisf.net>
Date: Fri, 24 Jan 2025 12:58:10 +0000 (+0100)
Subject: detect/smtp: smtp.rcpt_to keyword
X-Git-Tag: suricata-7.0.9~70
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=756cbc4cc2effc3588483e421039f658ccaeb9a3;p=thirdparty%2Fsuricata-verify.git

detect/smtp: smtp.rcpt_to keyword

Ticket: 7516
---

diff --git a/tests/smtp-keywords/README.md b/tests/smtp-keywords/README.md
index 048579afc..ce9cf3de0 100644
--- a/tests/smtp-keywords/README.md
+++ b/tests/smtp-keywords/README.md
@@ -5,6 +5,7 @@ Test smtp keywords
 # Ticket
 
 https://redmine.openinfosecfoundation.org/attachments/7515
+https://redmine.openinfosecfoundation.org/attachments/7516
 https://redmine.openinfosecfoundation.org/attachments/7517
 
 # PCAP
diff --git a/tests/smtp-keywords/test.rules b/tests/smtp-keywords/test.rules
index c2614aff5..eb3973cae 100644
--- a/tests/smtp-keywords/test.rules
+++ b/tests/smtp-keywords/test.rules
@@ -1,7 +1,8 @@
 alert smtp any any -> any any (msg:"SMTP helo GP"; smtp.helo; content:"GP"; sid:1; rev:1;)
 alert smtp any any -> any any (msg:"SMTP mail_from"; smtp.mail_from; content:"<gurpartap@patriots.in>"; sid:2; rev:1;)
-
+alert smtp any any -> any any (msg:"SMTP rcpt_to"; smtp.rcpt_to; content:"<raj_deol2002in@yahoo.co.in>"; sid:3; rev:1;)
 
 # signatures not matching
 alert smtp any any -> any any (msg:"SMTP helo not triggering"; smtp.helo; content:"not there"; sid:10; rev:1;)
 alert smtp any any -> any any (msg:"SMTP not mail_from"; smtp.mail_from; content:"spammer"; sid:12; rev:1;)
+alert smtp any any -> any any (msg:"SMTP no rcpt_to"; smtp.rcpt_to; content:"<gurpartap@patriots.in>"; sid:13; rev:1;)
diff --git a/tests/smtp-keywords/test.yaml b/tests/smtp-keywords/test.yaml
index d0c25aa97..e4226da4b 100644
--- a/tests/smtp-keywords/test.yaml
+++ b/tests/smtp-keywords/test.yaml
@@ -26,4 +26,15 @@ checks:
     count: 0
     match:
       event_type: alert
-      alert.signature_id: 12
\ No newline at end of file
+      alert.signature_id: 12
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      smtp.rcpt_to[0]: "<raj_deol2002in@yahoo.co.in>"
+      alert.signature_id: 3
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 13
\ No newline at end of file