From: Shivani Bhardwaj
Date: Fri, 21 Apr 2023 11:21:53 +0000 (+0530)
Subject: smtp: add test for long DATA line
X-Git-Tag: suricata-6.0.13~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1199%2Fhead;p=thirdparty%2Fsuricata-verify.git

smtp: add test for long DATA line
---

diff --git a/tests/smtp-long-DATA-line/README.md b/tests/smtp-long-DATA-line/README.md
new file mode 100644
index 000000000..4d4bd09e6
--- /dev/null
+++ b/tests/smtp-long-DATA-line/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows how we handle long DATA lines for SMTP.
+
+## PCAP
+
+PCAP comes from ttps://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
+and has been modified to have a really long DATA line (6512 Bytes).
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5981
diff --git a/tests/smtp-long-DATA-line/input.pcap b/tests/smtp-long-DATA-line/input.pcap
new file mode 100644
index 000000000..56077e1a6
Binary files /dev/null and b/tests/smtp-long-DATA-line/input.pcap differ
diff --git a/tests/smtp-long-DATA-line/suricata.yaml b/tests/smtp-long-DATA-line/suricata.yaml
new file mode 100644
index 000000000..30418c57b
--- /dev/null
+++ b/tests/smtp-long-DATA-line/suricata.yaml
@@ -0,0 +1,23 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - smtp
+ - anomaly
+ - file-store:
+ version: 2
+ enabled: yes
+ force-filestore: yes
+app-layer:
+ protocols:
+ smtp:
+ enabled: yes
+ raw-extraction: no
+ mime:
+ decode-mime: yes
+ decode-base64: yes
+ decode-quoted-printable: yes
diff --git a/tests/smtp-long-DATA-line/test.yaml b/tests/smtp-long-DATA-line/test.yaml
new file mode 100644
index 000000000..ca9581499
--- /dev/null
+++ b/tests/smtp-long-DATA-line/test.yaml
@@ -0,0 +1,102 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 192.168.1.4
+ dest_port: 3326
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 217.12.11.66
+ src_port: 587
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: MIME_LONG_LINE
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 192.168.1.4
+ dest_port: 3326
+ event_type: anomaly
+ pcap_cnt: 40
+ proto: TCP
+ src_ip: 217.12.11.66
+ src_port: 587
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: MIME_LONG_ENC_LINE
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 192.168.1.4
+ dest_port: 3326
+ event_type: anomaly
+ pcap_cnt: 40
+ proto: TCP
+ src_ip: 217.12.11.66
+ src_port: 587
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ email.attachment[0]: winmail.dat
+ email.from: '"Xxxxxx xxxx" '
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: smtp
+ pcap_cnt: 40
+ proto: TCP
+ smtp.helo: Percival
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 192.168.1.4
+ src_port: 3326
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ email.attachment[0]: winmail.dat
+ email.from: '"Xxxxxx xxxx" '
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: fileinfo
+ fileinfo.filename: winmail.dat
+ fileinfo.gaps: false
+ fileinfo.size: 10383
+ fileinfo.state: CLOSED
+ fileinfo.stored: true
+ fileinfo.sha256: "81d7ff46d57b5e79df686a72c160225d644e43c47c219f6bbdc5a6699df702d5"
+ fileinfo.tx_id: 0
+ pcap_cnt: 42
+ proto: TCP
+ smtp.helo: Percival
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 192.168.1.4
+ src_port: 3326
+- filter:
+ count: 1
+ match:
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ event_type: smtp
+ proto: TCP
+ smtp.helo: Percival
+ src_ip: 192.168.1.4
+ src_port: 3326
+ tx_id: 1
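Review bot: The values for `email.to[0]:`, `smtp.mail_from:` and `smtp.rcpt_to[0]:` in the smtp and fileinfo checks are empty, and `email.from: '"Xxxxxx xxxx" '` stops where the angle-bracketed address would follow, which looks like the addresses were lost in rendering rather than in the committed file; if test.yaml really has them empty, those keys match an empty value instead of the address, so confirm the checked-in content. The two checks that cover the subject of the test, MIME_LONG_LINE and MIME_LONG_ENC_LINE at pcap_cnt 40, carry no comment linking them to the 6512-byte DATA line described in the README; a one-line `# the 6512-byte DATA line must raise both MIME long-line events while the winmail.dat attachment is still extracted intact (sha256 checked below)` above the first of them would state the regression the test guards against. Unrelated to this hunk, the README hunk's source URL reads `ttps://`, missing its leading `h`.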