From: Philippe Antoine Date: Fri, 24 Jan 2025 12:23:49 +0000 (+0100) Subject: detect/smtp: smtp.helo keyword X-Git-Tag: suricata-7.0.9~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b34e8d4c651eaa847c1305c92f641787a42b9b7e;p=thirdparty%2Fsuricata-verify.git detect/smtp: smtp.helo keyword Ticket: 7515 --- diff --git a/tests/smtp-keywords/README.md b/tests/smtp-keywords/README.md new file mode 100644 index 000000000..c04054857 --- /dev/null +++ b/tests/smtp-keywords/README.md @@ -0,0 +1,11 @@ +# Description + +Test smtp keywords + +# Ticket + +https://redmine.openinfosecfoundation.org/attachments/7515 + +# PCAP + +reused from bug-3616-smtp diff --git a/tests/smtp-keywords/test.rules b/tests/smtp-keywords/test.rules new file mode 100644 index 000000000..e8f34c72f --- /dev/null +++ b/tests/smtp-keywords/test.rules @@ -0,0 +1,4 @@ +alert smtp any any -> any any (msg:"SMTP helo GP"; smtp.helo; content:"GP"; sid:1; rev:1;) + +# signatures not matching +alert smtp any any -> any any (msg:"SMTP helo not triggering"; smtp.helo; content:"not there"; sid:10; rev:1;) diff --git a/tests/smtp-keywords/test.yaml b/tests/smtp-keywords/test.yaml new file mode 100644 index 000000000..6b8f28471 --- /dev/null +++ b/tests/smtp-keywords/test.yaml @@ -0,0 +1,18 @@ +pcap: ../bug-3616-smtp/input.pcap + +requires: + min-version: 8.0.0 + +checks: +- filter: + # 2 transactions, 2 alerts + count: 2 + match: + event_type: alert + smtp.helo: GP + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 10 \ No newline at end of file
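Review bot: The positive signature in test.rules only proves a substring match on the smtp.helo buffer, since `content:"GP"` would also fire on a HELO argument such as `XGPX`; if the pcap's HELO argument is exactly `GP`, as the yaml's exact-value check implies, `smtp.helo; content:"GP"; bsize:2;` (or `startswith; endswith;`) on sid 1 would pin the buffer's boundaries as well. A second negative such as `smtp.helo; content:"gp";` without `nocase` would additionally show whether the buffer is matched case-sensitively, though that property is set up in the keyword's code outside this diff and should be confirmed there first. A short header comment naming the pcap and the expected HELO value would also help, since the rules file gives no hint where `GP` comes from.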
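Review bot: The checks in test.yaml never assert the total number of alerts, so an unexpected extra alert (sid 1 firing on a further transaction, or the same transaction alerting in both directions) would pass as long as the two filtered counts hold; a third filter with `count: 2` and `match:` on `event_type: alert` alone would close that gap. The input is borrowed through a relative path from the bug-3616-smtp test, so any change to that pcap silently changes this test's outcome — a comment beside `pcap:` such as `# relies on the HELO argument in ../bug-3616-smtp/input.pcap being exactly "GP"` would make the coupling explicit to whoever touches either test. The file is also committed without a trailing newline.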