From: Philippe Antoine
Date: Tue, 4 Jun 2024 12:41:58 +0000 (+0200)
Subject: smtp/mime: adds test for url extraction in base64 message
X-Git-Tag: suricata-6.0.20~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1900%2Fhead;p=thirdparty%2Fsuricata-verify.git
smtp/mime: adds test for url extraction in base64 message
Ticket: 5185
---
diff --git a/tests/smtp-url-base64/README.md b/tests/smtp-url-base64/README.md
new file mode 100644
index 000000000..b24b59b04
--- /dev/null
+++ b/tests/smtp-url-base64/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test finds URLs in SMTP base64 message body
+
+## PCAP
+
+PCAP comes from https://redmine.openinfosecfoundation.org/issues/5185
+With the script `smtptxtpcap.py` to put the stream into a pcap (adding some dummy beginning and end of communication)
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5185
diff --git a/tests/smtp-url-base64/smtp-url-b64.pcap b/tests/smtp-url-base64/smtp-url-b64.pcap
new file mode 100644
index 000000000..4ce6b3862
Binary files /dev/null and b/tests/smtp-url-base64/smtp-url-b64.pcap differ
diff --git a/tests/smtp-url-base64/smtptxtpcap.py b/tests/smtp-url-base64/smtptxtpcap.py
new file mode 100644
index 000000000..4c8f0bcad
--- /dev/null
+++ b/tests/smtp-url-base64/smtptxtpcap.py
@@ -0,0 +1,77 @@
+import sys
+import binascii
+from threading import Thread
+import time
+import socket
+
+# Create a pcap from a htp test file
+# Launches a server on port 8001
+# Launches a client in another thread that connects to it
+# Both client and server read the htp test file
+# And they send and receive data as described (without analysing it)
+# So, you need to capture traffic on port 8001 while running the script
+
+class ServerThread(Thread):
+
+ def __init__(self, filename):
+ Thread.__init__(self)
+ self.filename = filename
+
+ def run(self):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind(("127.0.0.1", 2525))
+ s.listen(1)
+ conn, addr = s.accept()
+ f = open(self.filename)
+ state = 0
+ sending = ""
+ receiving = ""
+
+ for l in f.readlines():
+ if len(l) > 4 and l[3] == ' ' and l[:3].isdigit():
+ conn.send(bytes(l, "ascii"))
+ print("server sent", len(l))
+ else:
+ data = conn.recv(len(l))
+ print("server recvd", len(data))
+
+ conn.close()
+ s.close()
+ f.close()
+
+
+class ClientThread(Thread):
+
+ def __init__(self, filename):
+ Thread.__init__(self)
+ self.filename = filename
+
+ def run(self):
+ time.sleep(1)
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect(("127.0.0.1", 2525))
+ f = open(self.filename)
+ state = 0
+ sending = ""
+ receiving = ""
+
+ for l in f.readlines():
+ if len(l) > 4 and l[3] == ' ' and l[:3].isdigit():
+ data = s.recv(len(l))
+ print("client recvd", len(data))
+ else:
+ s.send(bytes(l, "ascii"))
+ print("client sent", len(l))
+ s.close()
+ f.close()
+
+t1 = ServerThread(sys.argv[1])
+t2 = ClientThread(sys.argv[1])
+
+# Launch threads
+t1.start()
+t2.start()
+
+# Wait for threads to finish
+t1.join()
+t2.join()
diff --git a/tests/smtp-url-base64/suricata.yaml b/tests/smtp-url-base64/suricata.yaml
new file mode 100644
index 000000000..19e25ecc9
--- /dev/null
+++ b/tests/smtp-url-base64/suricata.yaml
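Review bot: `conn.send(bytes(l, "ascii"))` and `conn.recv(len(l))` in ServerThread.run (and the mirrored `s.send`/`s.recv` in ClientThread.run) assume each call moves one whole line, but a TCP send can be short and recv may return fewer than `len(l)` bytes, so the two threads can drift out of step on a long base64 body line and the captured stream then no longer matches the transcript file. I would use `sendall` on both sides and read until `len(l)` bytes (or EOF) have arrived, as sketched below. The header comment is also out of date relative to the code: it says the server runs on port 8001 and reads an "htp test file", while the code binds 127.0.0.1:2525 and replays an SMTP transcript, so I would rewrite those lines to `# Launches a server on 127.0.0.1:2525` and `# So, you need to capture traffic on port 2525 while running the script`. `import binascii` and the `state`/`sending`/`receiving` locals in both run methods are unused, and the `open(self.filename)` handles are not closed if a socket call raises, which a `with open(...)` block would fix.
```python
def recv_exact(sock, n):
    """Read n bytes from sock, stopping early only at EOF, so a transcript
    line that arrives in several TCP segments cannot desynchronise the
    client and server readers."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

# … unchanged: ServerThread.__init__ and the socket setup in run …
            if len(l) > 4 and l[3] == ' ' and l[:3].isdigit():
                conn.sendall(bytes(l, "ascii"))
                print("server sent", len(l))
            else:
                data = recv_exact(conn, len(l))
                print("server recvd", len(data))
# … unchanged: ClientThread, with the same sendall / recv_exact substitution …
```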
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - smtp
+
+app-layer:
+ protocols:
+ smtp:
+ enabled: yes
+ mime:
+ decode-mime: yes
+ decode-base64: yes
+ extract-urls: yes
+ extract-urls-schemes: [http, https, ftp, mailto]
+ log-url-scheme: yes
diff --git a/tests/smtp-url-base64/test.yaml b/tests/smtp-url-base64/test.yaml
new file mode 100644
index 000000000..f2134c12f
--- /dev/null
+++ b/tests/smtp-url-base64/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.url[0]: "http://codashop-free01.duckdns.org/"