From: Maurizio Abba
Date: Fri, 15 Feb 2019 17:51:46 +0000 (+0000)
Subject: smtp: add raw extraction test
X-Git-Tag: suricata-6.0.4~475
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=deb6db412d7f37ce8bc5e5b389e1d89a0d23befa;p=thirdparty%2Fsuricata-verify.git

smtp: add raw extraction test
---

diff --git a/tests/smtp-raw-extraction/README.md b/tests/smtp-raw-extraction/README.md
new file mode 100644
index 000000000..d2629873f
--- /dev/null
+++ b/tests/smtp-raw-extraction/README.md
@@ -0,0 +1,11 @@
+# SMTP raw extraction
+
+This test verifies that the flag app-layers.protocols.smtp.raw-extraction set to
+True will make suricata dump e-mails in raw form, including headers and e-mail
+content.
+
+The pcap file is downloaded from
+
+```
+https://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
+```
diff --git a/tests/smtp-raw-extraction/input.pcap b/tests/smtp-raw-extraction/input.pcap
new file mode 100644
index 000000000..08adcec79
Binary files /dev/null and b/tests/smtp-raw-extraction/input.pcap differ
diff --git a/tests/smtp-raw-extraction/suricata.yaml b/tests/smtp-raw-extraction/suricata.yaml
new file mode 100644
index 000000000..f43ae8339
--- /dev/null
+++ b/tests/smtp-raw-extraction/suricata.yaml
@@ -0,0 +1,52 @@
+%YAML 1.1
+---
+
+pcap-file:
+ checksum-checks: no
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - file-store:
+ version: 2
+ enabled: yes
+##
+## Step 5: App Layer Protocol Configuration
+##
+
+# Configure the app-layer parsers. The protocols section details each
+# protocol.
+#
+# The option "enabled" takes 3 values - "yes", "no", "detection-only".
+# "yes" enables both detection and the parser, "no" disables both, and
+# "detection-only" enables protocol detection only (parser disabled).
+app-layer:
+ protocols:
+ smtp:
+ enabled: yes
+ raw-extraction: yes
+ # Configure SMTP-MIME Decoder
+ mime:
+ # Decode MIME messages from SMTP transactions
+ # (may be resource intensive)
+ # This field supercedes all others because it turns the entire
+ # process on or off
+ decode-mime: no
+
+ # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
+ decode-base64: yes
+ decode-quoted-printable: yes
+
+ # Maximum bytes per header data value stored in the data structure
+ # (default is 2000)
+ header-value-depth: 2000
+
+ # Extract URLs and save in state data structure
+ extract-urls: no
+ # Set to yes to compute the md5 of the mail body. You will then
+ # be able to journalize it.
+ body-md5: no
+ # Configure inspected-tracker for file_data keyword
+ inspected-tracker:
+ content-limit: 100000
+ content-inspect-min-size: 32768
+ content-inspect-window: 4096
diff --git a/tests/smtp-raw-extraction/test.rules b/tests/smtp-raw-extraction/test.rules
new file mode 100644
index 000000000..d02bda1ae
--- /dev/null
+++ b/tests/smtp-raw-extraction/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"SMTP file"; flow:established, to_server; file_data; content:"Content-Type: multipart/"; nocase; filestore; sid:1; rev:1;)
diff --git a/tests/smtp-raw-extraction/test.yaml b/tests/smtp-raw-extraction/test.yaml
new file mode 100644
index 000000000..0d6a6556f
--- /dev/null
+++ b/tests/smtp-raw-extraction/test.yaml
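Review bot: `raw-extraction: yes` is set a few lines above `decode-mime: no` with nothing saying the two are related; as far as I recall the SMTP raw extraction mode is only honoured while MIME decoding is off, so that dependency deserves a comment on the option, e.g. `# raw-extraction relies on decode-mime: no below; with MIME decoding on, decoded parts would be extracted instead of the raw message`. The `mime:` sub-options that follow (decode-base64, header-value-depth, extract-urls, body-md5) are inert here, since the hunk's own comment says decode-mime turns the entire process on or off, and the `## Step 5` banner and the `enabled` explanation are copied from the default configuration; trimming them would leave only the settings the test actually depends on. The README added in the same commit spells the key as `app-layers.protocols.smtp.raw-extraction`, which disagrees with the `app-layer:` section used here.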
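Review bot: The single rule is what drives the filestore for this test, yet it carries no comment and its msg `SMTP file` does not say what it is meant to capture; a `#` line above it would make the fixture self-describing, e.g. `# store the complete raw message of any multipart e-mail (raw-extraction is enabled in suricata.yaml)`. Because the match is `content:"Content-Type: multipart/"`, the test only exercises raw extraction for multipart messages, and that limitation is worth stating in the same comment so nobody reads the test as covering single-part mail.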
@@ -0,0 +1,11 @@
+requires:
+ min-version: 5.0.0
+ features:
+ - HAVE_NSS
+ files:
+ - src/output-filestore.c
+
+checks:
+
+ - shell:
+ args: test -e filestore/01/018e4f86e830d85dc21cb54ee6554f01ac0b2a73a24f83c64b6acb489e8f4f3d
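Review bot: The only check, on the last line of the hunk, is `test -e`, which also passes for an empty file or a directory, so a run that creates the filestore entry but writes no content would still be reported as a pass. Requiring a non-empty regular file is a one-line change: `args: test -f filestore/01/018e4f86e830d85dc21cb54ee6554f01ac0b2a73a24f83c64b6acb489e8f4f3d && test -s filestore/01/018e4f86e830d85dc21cb54ee6554f01ac0b2a73a24f83c64b6acb489e8f4f3d`. The path component appears to be the sha256 name that file-store v2 (enabled in this commit's suricata.yaml) assigns to stored objects, so a further `sha256sum` of the file compared against that name would also prove the stored bytes are the expected raw message rather than only that something was written.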