From: Philippe Antoine
Date: Thu, 6 Jun 2024 11:38:56 +0000 (+0200)
Subject: smtp: adds test for invalid replies
X-Git-Tag: suricata-7.0.7~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce368c015b63efca3673921ee17eba1b5b5f2025;p=thirdparty%2Fsuricata-verify.git
smtp: adds test for invalid replies
Ticket: 1125
---
diff --git a/tests/smtp-errors/README.md b/tests/smtp-errors/README.md
new file mode 100644
index 000000000..ba710d16e
--- /dev/null
+++ b/tests/smtp-errors/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Test some SMTP parser errors on unknown reply codes
+
+## PCAP
+
+extract from QA TLPW1
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/1125
+https://redmine.openinfosecfoundation.org/issues/5491
+https://redmine.openinfosecfoundation.org/issues/6821
diff --git a/tests/smtp-errors/smtperr.pcap b/tests/smtp-errors/smtperr.pcap
new file mode 100644
index 000000000..b8c3422cd
Binary files /dev/null and b/tests/smtp-errors/smtperr.pcap differ
diff --git a/tests/smtp-errors/test.yaml b/tests/smtp-errors/test.yaml
new file mode 100644
index 000000000..e03549ccb
--- /dev/null
+++ b/tests/smtp-errors/test.yaml
@@ -0,0 +1,43 @@
+requires:
+ min-version: 8
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: INVALID_REPLY
+ # 472 unusualz@prg-dc.dhl.com DNS A-record is empty
+ src_port: 49740
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: INVALID_REPLY
+ # 500 5.5.1 Command unrecognized: + junk on new line
+ src_port: 49274
+ - filter:
+ count: 3
+ match:
+ event_type: anomaly
+ anomaly.event: INVALID_REPLY
+ #no anomaly for 4.7.0 [IPTS04] Messages from 173.166.146.112 temporarily deferred due to user complaints because tx got closed before
+ #src_port: 49448
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: INVALID_REPLY
+ # client does tls hello, smtp server replies with
+ #400 4.5.2 Error: bad syntax
+ src_port: 50649
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ # no anomaly but error for 4.7.0
+ stats.app_layer.error.smtp.parser: 4
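Review bot: The third filter (`count: 3` with `src_port` commented out) asserts the total number of INVALID_REPLY anomalies in the whole pcap, not anything about the 49448 flow its comment describes, and the comment does not make that clear; a reader would expect three anomalies from that one flow, when the check in fact pins the sum of the three port-specific filters and thereby proves that flow raises none. Replacing the two comment lines with `# total INVALID_REPLY anomalies in the pcap; the 4.7.0 [IPTS04] "temporarily deferred" reply on src_port 49448 raises none because the tx was closed before it arrived` would state the intent directly. In the second filter the comment `# 500 5.5.1 Command unrecognized: + junk on new line` reads as a stray diff marker; `followed by junk on a new line` avoids the ambiguity. The final stats check presumably relies on the run emitting a single stats record with the final counter value; if that assumption matters here, a short comment saying so would help the next person who adjusts the pcap.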