From: Alice Akaki
Date: Sat, 29 Mar 2025 00:28:58 +0000 (-0400)
Subject: detect: add test for email.message_id keyword
X-Git-Tag: suricata-7.0.11~119
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=856255f0bb4db61ebeea025c94e110034dd560b3;p=thirdparty%2Fsuricata-verify.git

detect: add test for email.message_id keyword

Ticket: #7593
---
diff --git a/tests/detect-email-msg-id/README.md b/tests/detect-email-msg-id/README.md
new file mode 100644
index 000000000..18b594f46
--- /dev/null
+++ b/tests/detect-email-msg-id/README.md
@@ -0,0 +1,8 @@
+# Test Description
+Test mime email.message_id keyword
+
+## PCAP
+From ../bug-1045/smtpsuricataflowbitsFN.pcap
+
+## Redmine Ticket
+https://redmine.openinfosecfoundation.org/issues/7593
diff --git a/tests/detect-email-msg-id/suricata.yaml b/tests/detect-email-msg-id/suricata.yaml
new file mode 100644
index 000000000..dd30f62c1
--- /dev/null
+++ b/tests/detect-email-msg-id/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: yes
+ - smtp:
+ custom: [message-id] # for 'message-id' logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ - stats
+ - flow
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+exception-policy: ignore
diff --git a/tests/detect-email-msg-id/test.rules b/tests/detect-email-msg-id/test.rules
new file mode 100644
index 000000000..23bfd229c
--- /dev/null
+++ b/tests/detect-email-msg-id/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"Test mime email message id"; email.message_id; content:""; startswith; endswith; bsize:56; sid:1;)
\ No newline at end of file
diff --git a/tests/detect-email-msg-id/test.yaml b/tests/detect-email-msg-id/test.yaml
new file mode 100644
index 000000000..4ec1f5a4c
--- /dev/null
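Review bot: The rule in test.rules constrains the `email.message_id` buffer only by length — `content:""; startswith; endswith; bsize:56;` asserts nothing about the bytes, so any 56-byte Message-ID in the pcap would alert and a regression that populated the buffer with a different header of the same length would pass unnoticed. Pairing `bsize:56` with a match on a distinctive fragment of the expected identifier, e.g. `email.message_id; content:"EXPECTED_MSGID_FRAGMENT"; bsize:56;` (placeholder to be taken from the pcap), would pin the keyword's contents as well as its size, which is the point of the sticky-buffer test. The file also ends without a trailing newline (`\ No newline at end of file`); adding one keeps it consistent with the other test.rules files in the repository.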
+++ b/tests/detect-email-msg-id/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 8
+
+pcap: ../bug-1045/smtpsuricataflowbitsFN.pcap
+
+args:
+ - -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 13
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.message_id:
+ pcap_cnt: 13
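Review bot: The second check's `email.message_id:` carries no expected value in this patch, so as written it does not verify the logged Message-ID string — only that an smtp event exists for `pcap_cnt: 13` — and, depending on how suricata-verify treats a null match value, it may not even require the key to be present. If the identifier was dropped in transit (angle-bracketed text tends to vanish in this rendering) it should be restored; otherwise add the expected 56-byte value from the pcap, e.g. `email.message_id: "EXPECTED_MSGID"` (placeholder). Without it the eve-side half of the test does not confirm that the `email.message_id` keyword and the `message-id` custom log field see the same parsed value.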