From: Philippe Antoine Date: Thu, 23 May 2024 12:50:07 +0000 (+0200) Subject: smtp: extend test with smtp extended logging X-Git-Tag: suricata-6.0.20~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f823a25ac392356bea3ba32e844d4e440d133a1;p=thirdparty%2Fsuricata-verify.git smtp: extend test with smtp extended logging with custom fields, to cover more suricata code
---
diff --git a/tests/smtp-data-rejected/suricata.yaml b/tests/smtp-data-rejected/suricata.yaml
index fd1c840be..ca022ca8d 100644
--- a/tests/smtp-data-rejected/suricata.yaml
+++ b/tests/smtp-data-rejected/suricata.yaml
@@ -1,9 +1,64 @@ %YAML 1.1 --- +stats: + enabled: yes + interval: 8 + outputs: - eve-log: enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json types: - files: force-hash: [sha256] + - smtp: + extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + md5: [body, subject] + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + + +app-layer: + protocols: + smtp: + enabled: yes + raw-extraction: no + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supersedes all others because it turns the entire + # process on or off + decode-mime: yes + + # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.) + decode-base64: yes + decode-quoted-printable: yes + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: yes + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. + body-md5: yes + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096
diff --git a/tests/smtp-data-rejected/test.yaml b/tests/smtp-data-rejected/test.yaml
index f6260018e..6099d25ab 100644
--- a/tests/smtp-data-rejected/test.yaml
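Review bot: The new `custom:` list contains `relays`, which is not one of the field names the comment directly above it enumerates (reply-to, bcc, message-id, subject, x-mailer, user-agent, received, x-originating-ip, in-reply-to, references, importance, priority, sensitivity, organization, content-md5, date); unless Suricata accepts that name, the entry is presumably dropped without a warning, and since test.yaml only asserts on `email.received[0]` a silently ignored custom field would never fail this test. Either remove `relays` or, if it is a supported field, add it to the comment so the list stays authoritative. The same gap applies to `md5: [body, subject]` together with `body-md5: yes`: the hunk switches those outputs on but nothing checks them, so the additional Suricata code is executed without being verified; adding the expected `email.body_md5` / `email.subject_md5` values (field names to be confirmed against the eve output) to the checks would close that. As a smaller point, the `stats` stanza with `interval: 8` has no connection to SMTP logging and would benefit from a one-line comment such as `# stats logger enabled so this run also exercises the stats output path`.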
+++ b/tests/smtp-data-rejected/test.yaml
@@ -11,3 +11,8 @@ checks: match: event_type: fileinfo fileinfo.sha256: 2f4e7dba21a31bde1192ca03b489a9bd47281a28e206b3dcf245082a491e8e0a + - filter: + count: 1 + match: + event_type: smtp + email.received[0]: "from [65.201.218.30] (helo=COZOXORY.club)by 173-66-46-112.wash.fios.verizon.net with esmtpa (Exim 4.86)(envelope-from )id 71cF63a9for mirjam@abrakadabra.ch; Mon, 29 Jul 2019 17:01:45 +0000"
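Review bot: The expected `email.received[0]` value shows the folded Received header joined with no separator at each fold point (`(helo=COZOXORY.club)by`, `(Exim 4.86)(envelope-from )`, `id 71cF63a9for mirjam@…`), so this check pins the decoder's current unfolding behaviour rather than the RFC 5322 header text, and a later change that unfolds with a single space, which is what any downstream Received-header parser would expect, will fail here and look like a regression. A one-line comment above the new filter, e.g. `# folded continuation lines are currently concatenated without whitespace ("71cF63a9for")`, would record that this is intentional. The `received` value is attacker-controlled mail content echoed into eve.json, so it is worth asserting that the logger stores it verbatim as a JSON string; this sample contains no quotes or backslashes, so a second case exercising the escaping path would add real coverage. The `checks:` list this filter is appended to begins above the hunk.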