From: Shivani Bhardwaj Date: Tue, 9 Aug 2022 05:14:35 +0000 (+0530) Subject: add test for broken smtp url logging X-Git-Tag: suricata-6.0.8~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a82af2f31b66b2446ec2dfc001a4dcefc674839;p=thirdparty%2Fsuricata-verify.git add test for broken smtp url logging --- diff --git a/tests/smtp-url-schemes-bug-5174/README.md b/tests/smtp-url-schemes-bug-5174/README.md new file mode 100644 index 000000000..121d7e26e --- /dev/null +++ b/tests/smtp-url-schemes-bug-5174/README.md @@ -0,0 +1,17 @@ +Description +----------- +Since the feature for extracting MIME urls (ref: [Feature #2054](https://redmine.openinfosecfoundation.org/issues/2054)) +was introduced, the logging of urls in case the `suricata.yaml` configuration was not updated +has been broken (ref: [Bug #5174](https://redmine.openinfosecfoundation.org/issues/5174)). +The issue happens when both the `extract-urls-schemes` and `log-url-scheme` settings are +missing from `suricata.yaml`. +The behavior in such a case should be fallback to the defaults i.e. only extract the urls +that begin with the `http` scheme. + +PCAP +---- +PCAP comes from the existing test [smtp-extract-url-schemes](https://github.com/OISF/suricata-verify/blob/master/tests/smtp-extract-url-schemes). + +Reported and fixed by +--------------------- +Eric Leblond diff --git a/tests/smtp-url-schemes-bug-5174/input.pcap b/tests/smtp-url-schemes-bug-5174/input.pcap new file mode 100644 index 000000000..bc1daa891 Binary files /dev/null and b/tests/smtp-url-schemes-bug-5174/input.pcap differ diff --git a/tests/smtp-url-schemes-bug-5174/suricata.yaml b/tests/smtp-url-schemes-bug-5174/suricata.yaml new file mode 100644 index 000000000..c8b6678a5 --- /dev/null +++ b/tests/smtp-url-schemes-bug-5174/suricata.yaml 
@@ -0,0 +1,20 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + types: + - smtp + +app-layer: + protocols: + smtp: + enabled: yes + mime: + decode-mime: yes + decode-base64: yes + extract-urls: yes +# extract-urls-schemes: [http, https, ftp, mailto] +# log-url-scheme: yes diff --git a/tests/smtp-url-schemes-bug-5174/test.yaml b/tests/smtp-url-schemes-bug-5174/test.yaml new file mode 100644 index 000000000..b9e4b314e --- /dev/null +++ b/tests/smtp-url-schemes-bug-5174/test.yaml @@ -0,0 +1,7 @@ +checks: + - filter: + count: 1 + match: + event_type: smtp + email.url[0]: "test-site.org/blah/123/" + email.url[1]: "google.com"
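Review bot: in the README hunk, the fallback behaviour is described only for `extract-urls-schemes` ("only extract the urls that begin with the `http` scheme"), yet `log-url-scheme` is equally missing from the test's `suricata.yaml` and its default matters for the expected output; the values asserted in `test.yaml` (`test-site.org/blah/123/`, `google.com`) carry no scheme prefix, so state that with both keys absent only http urls are extracted and they are logged without the scheme, which ties the README to what the check actually verifies.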
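Review bot: in the `suricata.yaml` hunk, the two commented keys `# extract-urls-schemes: [http, https, ftp, mailto]` and `# log-url-scheme: yes` sit at column 0 instead of under `mime:`; indent them to the same level as `extract-urls: yes` so that uncommenting them places them correctly, and add a short comment saying they are omitted on purpose to reproduce Bug #5174, otherwise a later editor may "complete" the configuration and silently defeat the regression test.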
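Review bot: in the `test.yaml` hunk, the single `count: 1` check establishes that an smtp event with `test-site.org/blah/123/` at `email.url[0]` and `google.com` at `email.url[1]` is logged, which catches the "nothing logged" failure, but it does not cover the second half of the README's expectation that only http urls are extracted; consider adding a `count: 0` check matching an smtp event whose url array contains one of the non-http urls present in the pcap (the README points to smtp-extract-url-schemes for its contents), or otherwise assert that the array has exactly two entries.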