From: Shivani Bhardwaj Date: Wed, 8 Feb 2023 11:32:29 +0000 (+0530) Subject: tests: add test for smtp LF post line limit X-Git-Tag: suricata-6.0.16~45 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d58cc3c3a89f41682807f9a270035d08896cd32;p=thirdparty%2Fsuricata-verify.git tests: add test for smtp LF post line limit
---
diff --git a/tests/smtp-long-command/README.md b/tests/smtp-long-command/README.md
new file mode 100644
index 000000000..2bf3a8082
--- /dev/null
+++ b/tests/smtp-long-command/README.md
@@ -0,0 +1,12 @@
+Description
+===========
+This test demonstrates that an SMTP line with LF occuring post the hard set line
+limit should also raise an anomaly event for TRUNCATED_LINE.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5819
+
+PCAP
+====
+Locally generated
diff --git a/tests/smtp-long-command/input.pcap b/tests/smtp-long-command/input.pcap
new file mode 100644
index 000000000..5b35500d5
Binary files /dev/null and b/tests/smtp-long-command/input.pcap differ
diff --git a/tests/smtp-long-command/test.yaml b/tests/smtp-long-command/test.yaml
new file mode 100644
index 000000000..347b999c9
--- /dev/null
+++ b/tests/smtp-long-command/test.yaml
@@ -0,0 +1,22 @@ +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 83.215.238.27 + dest_port: 25 + event_type: smtp + pcap_cnt: 73 + pkt_src: wire/pcap + proto: TCP + smtp.helo: OBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHO
BLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHO
BLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAH + src_ip: 192.168.164.35 + src_port: 59096 + tx_id: 0 + count: 1 + match: + event_type: anomaly + anomaly.app_proto: smtp + anomaly.event: TRUNCATED_LINE
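Review bot: The second `count: 1` / `match:` pair (the anomaly check that follows `tx_id: 0`) has no `- filter:` line of its own; the hunk header declares 22 added lines and the visible lines account for all 22 without one. Indentation is lost in this rendering, so this is hedged, but if those keys sit at the same level as the first pair they are duplicate keys in a single filter mapping, and a YAML loader will typically keep only one `match`. In that case either the smtp event check or the `TRUNCATED_LINE` anomaly check is silently skipped, and a regression in truncated-line detection could pass unnoticed. Adding `- filter:` before the second `count: 1` makes both assertions run independently.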