From: Jason Ish Date: Wed, 23 Dec 2020 22:56:20 +0000 (-0600) Subject: smtp-md5: test md5 logging of smtp subject and body X-Git-Tag: suricata-6.0.4~199 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97bba40b363b1e7f70da84388696f8acd06df6f5;p=thirdparty%2Fsuricata-verify.git smtp-md5: test md5 logging of smtp subject and body
---
diff --git a/tests/smtp-md5/input.pcap b/tests/smtp-md5/input.pcap
new file mode 100644
index 000000000..931b43b3b
Binary files /dev/null and b/tests/smtp-md5/input.pcap differ
diff --git a/tests/smtp-md5/suricata.yaml b/tests/smtp-md5/suricata.yaml
new file mode 100644
index 000000000..e5bf51a54
--- /dev/null
+++ b/tests/smtp-md5/suricata.yaml
@@ -0,0 +1,62 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - smtp:
+ extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ md5: [body, subject]
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+
+
+app-layer:
+ protocols:
+ smtp:
+ enabled: yes
+ raw-extraction: no
+ # Configure SMTP-MIME Decoder
+ mime:
+ # Decode MIME messages from SMTP transactions
+ # (may be resource intensive)
+ # This field supersedes all others because it turns the entire
+ # process on or off
+ decode-mime: yes
+
+ # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)
+ decode-base64: yes
+ decode-quoted-printable: yes
+
+ # Maximum bytes per header data value stored in the data structure
+ # (default is 2000)
+ header-value-depth: 2000
+
+ # Extract URLs and save in state data structure
+ extract-urls: yes
+ # Set to yes to compute the md5 of the mail body. You will then
+ # be able to journalize it.
+ body-md5: yes
+ # Configure inspected-tracker for file_data keyword
+ inspected-tracker:
+ content-limit: 100000
+ content-inspect-min-size: 32768
+ content-inspect-window: 4096
diff --git a/tests/smtp-md5/test.yaml b/tests/smtp-md5/test.yaml
new file mode 100644
index 000000000..f89cc7843
--- /dev/null
+++ b/tests/smtp-md5/test.yaml
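Review bot: The only two settings the assertions in test.yaml depend on — `md5: [body, subject]` under the eve smtp output and `mime.body-md5: yes` — are surrounded by options the digests do not need (`extract-urls`, `header-value-depth`, `inspected-tracker`, the separate stats output), so a reader cannot tell from this file which knobs actually gate the `email.subject_md5`/`email.body_md5` fields. A one-line header after `---`, such as `# smtp-md5: subject/body digests require BOTH outputs.eve-log.types.smtp.md5 and app-layer.protocols.smtp.mime.body-md5`, would make that explicit; the comment above `md5:` already says the second half, but only for the body. It is also worth stating next to `md5: [body, subject]` that these are MD5 digests intended for de-duplication and cross-sensor correlation of messages, not for integrity or attribution claims, since this output block offers no stronger digest for those fields (at least none is configured here). Keeping `yes`/`no` is fine given the explicit `%YAML 1.1` directive and the project's own convention, so I would not convert them to `true`/`false`.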
@@ -0,0 +1,24 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+
+ # Check that there is only one SMTP event with specific parameters.
+ - filter:
+ count: 1
+ match:
+ event_type: smtp
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ email.subject_md5: "c2239a92bde29f0a9f9173193cc2fe00"
+ email.body_md5: "199a623779019799f24fcf61204c55a8"
+
+
+ # Check the stats. A stats check is a specialization of a filter
+ # that only checks the last stats entry.
+ - stats:
+ decoder.pkts: 60
+ decoder.bytes: 26866
+ decoder.invalid: 0
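Review bot: As rendered here, `smtp.mail_from:` and `smtp.rcpt_to[0]:` carry no value; if the committed file really has bare keys they parse as YAML null rather than an address and the match then depends on how the verifier treats a null expectation, whereas if angle-bracketed addresses were lost in rendering, quoting them (`smtp.mail_from: "<user@example.com>"`) keeps the intent intact through tooling. The two pinned digests give no hint of the plaintext they were computed from, so whoever regenerates input.pcap cannot recompute them; a comment such as `# md5 of the Subject header and of the decoded body of the single message in input.pcap` above `email.subject_md5` would close that gap. The `HAVE_NSS` entry under `requires` presumably makes a build without NSS skip this test rather than fail it, which silently drops coverage of the md5 logging path on such builds — worth a comment next to the requirement so the skip is understood rather than mistaken for a pass.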