From: Modupe Falodun Date: Wed, 2 Feb 2022 15:02:11 +0000 (+0100) Subject: detect-file-data: add tests for SMTP file data X-Git-Tag: suricata-6.0.5~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F753%2Fhead;p=thirdparty%2Fsuricata-verify.git detect-file-data: add tests for SMTP file data Task: 4938
---
diff --git a/tests/smtp-file-data-01/README.md b/tests/smtp-file-data-01/README.md
new file mode 100644
index 000000000..b6b28001e
--- /dev/null
+++ b/tests/smtp-file-data-01/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test file_data keyword against smtp
+
+# PCAP
+
+The pcap comes from https://github.com/cisco-system-traffic-generator/trex-profiles/blob/master/Mellanox/Traffic_Mix_v1/pcaps_for_application_mix_v1/SMTP_IXIA_98P_253B.pcap
diff --git a/tests/smtp-file-data-01/input.pcap b/tests/smtp-file-data-01/input.pcap
new file mode 100644
index 000000000..b3c8f5372
Binary files /dev/null and b/tests/smtp-file-data-01/input.pcap differ
diff --git a/tests/smtp-file-data-01/test.rules b/tests/smtp-file-data-01/test.rules
new file mode 100644
index 000000000..b30aba0a2
--- /dev/null
+++ b/tests/smtp-file-data-01/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"file_data smtp test"; file_data; content:"if was"; sid:1;)
diff --git a/tests/smtp-file-data-01/test.yaml b/tests/smtp-file-data-01/test.yaml
new file mode 100644
index 000000000..041de7dbb
--- /dev/null
+++ b/tests/smtp-file-data-01/test.yaml
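Review bot: The rule in test.rules, `file_data; content:"if was";`, pins a two-word string that is generic enough to plausibly occur outside the J.txt attachment as well, and nothing in the hunk shows that it is unique to the file content; if the same bytes also appear in the SMTP body or headers, the alert does not by itself prove that `file_data` selected the attachment buffer rather than the raw payload. A short comment above the rule saying where in the attachment the string lives would make the test's intent checkable. A cheap negative control would also strengthen it: `alert smtp any any -> any any (msg:"file_data must not see SMTP envelope"; file_data; content:"client-1016363.example.int"; sid:2;)` paired with a `count: 0` filter on `alert.signature_id: 2` in test.yaml, since the HELO name is in the command stream and should never be visible through `file_data`. The exact placement of "if was" in the attachment is inferred, not visible here.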
@@ -0,0 +1,74 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 1.2.190.250
+ dest_port: 25
+ email.attachment[0]: J.txt
+ email.from:
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: smtp
+ pcap_cnt: 89
+ proto: TCP
+ smtp.helo: client-1016363.example.int
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 1.1.205.22
+ src_port: 4053
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 3
+ alert.signature: file_data smtp test
+ alert.signature_id: 1
+ app_proto: smtp
+ app_proto_tc: failed
+ dest_ip: 1.2.190.250
+ dest_port: 25
+ email.attachment[0]: J.txt
+ email.from:
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: alert
+ files[0].filename: J.txt
+ files[0].gaps: false
+ files[0].size: 16386
+ files[0].state: CLOSED
+ files[0].stored: false
+ files[0].tx_id: 0
+ flow.bytes_toclient: 2928
+ flow.bytes_toserver: 21322
+ flow.pkts_toclient: 34
+ flow.pkts_toserver: 57
+ pcap_cnt: 91
+ proto: TCP
+ smtp.helo: client-1016363.example.int
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 1.1.205.22
+ src_port: 4053
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 1.2.190.250
+ dest_port: 25
+ event_type: smtp
+ pcap_cnt: 98
+ proto: TCP
+ smtp.helo: client-1016363.example.int
+ src_ip: 1.1.205.22
+ src_port: 4053
+ tx_id: 1
diff --git a/tests/smtp-file-data-02/README.md b/tests/smtp-file-data-02/README.md
new file mode 100644
index 000000000..8eff2698a
--- /dev/null
+++ b/tests/smtp-file-data-02/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test file_data keyword against smtp for fragmented data
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/smtp.pcap
diff --git a/tests/smtp-file-data-02/input.pcap b/tests/smtp-file-data-02/input.pcap
new file mode 100644
index 000000000..931b43b3b
Binary files /dev/null and b/tests/smtp-file-data-02/input.pcap differ
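Review bot: The alert filter in test.yaml pins `app_proto_tc: failed` right after `app_proto: smtp`, which asserts that to-client application-layer detection failed on this flow; that is a property of the capture (presumably an incomplete or unusual server side), not of the `file_data` keyword this test exists to cover, so a later improvement in protocol detection would break the test for an unrelated reason. Unless the failed detection is deliberately part of what is being regression-tested, I would drop that key from the match, or keep it and say why in README.md. The `flow.bytes_*`/`flow.pkts_*` and `pcap_cnt` values are similarly incidental but are stable for a fixed pcap, so they are less of a concern. Also worth confirming that the address-valued keys (`email.from:`, `email.to[0]:`, `smtp.mail_from:`, `smtp.rcpt_to[0]:`) really carry values in the committed file; they appear empty in this rendering, and an empty YAML value compares as null against a populated EVE string field and would fail the match.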
diff --git a/tests/smtp-file-data-02/test.rules b/tests/smtp-file-data-02/test.rules
new file mode 100644
index 000000000..74276d9f1
--- /dev/null
+++ b/tests/smtp-file-data-02/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"file_data smtp test"; file_data; content:"Added"; sid:1;)
diff --git a/tests/smtp-file-data-02/test.yaml b/tests/smtp-file-data-02/test.yaml
new file mode 100644
index 000000000..b031709c0
--- /dev/null
+++ b/tests/smtp-file-data-02/test.yaml
@@ -0,0 +1,74 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 74.53.140.153
+ dest_port: 25
+ email.attachment[0]: NEWS.txt
+ email.from: '"Gurpartap Singh" '
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: smtp
+ pcap_cnt: 51
+ proto: TCP
+ smtp.helo: GP
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 10.10.1.4
+ src_port: 1470
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 3
+ alert.signature: file_data smtp test
+ alert.signature_id: 1
+ app_proto: smtp
+ app_proto_tc: failed
+ dest_ip: 74.53.140.153
+ dest_port: 25
+ email.attachment[0]: NEWS.txt
+ email.from: '"Gurpartap Singh" '
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: alert
+ files[0].filename: NEWS.txt
+ files[0].gaps: false
+ files[0].size: 10735
+ files[0].state: CLOSED
+ files[0].stored: false
+ files[0].tx_id: 0
+ flow.bytes_toclient: 4118
+ flow.bytes_toserver: 21897
+ flow.pkts_toclient: 26
+ flow.pkts_toserver: 25
+ pcap_cnt: 53
+ proto: TCP
+ smtp.helo: GP
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 10.10.1.4
+ src_port: 1470
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 74.53.140.153
+ dest_port: 25
+ event_type: smtp
+ pcap_cnt: 58
+ proto: TCP
+ smtp.helo: GP
+ src_ip: 10.10.1.4
+ src_port: 1470
+ tx_id: 1
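Review bot: The README for this test says it covers `file_data` on "fragmented data", but nothing in test.yaml actually asserts the fragmentation case: the alert filter checks the same fields as test 01 plus `files[0].gaps: false` and `files[0].size: 10735`, which show the attachment was reassembled without gaps but not that the `Added` match spanned a segment or MIME-chunk boundary. If the point is that the pattern straddles a fragment, say so in README.md (and ideally name the packets, e.g. "the match is split across the segments around `pcap_cnt: 53`") so a future pcap or parser change that collapses the fragmentation is noticed; the alert firing at `pcap_cnt: 53` is the only hint of where the boundary falls, and that is inferred. As in test 01, `app_proto_tc: failed` is pinned in the alert match and is a property of the capture's server side rather than of `file_data`; consider dropping it so a detection improvement does not break an unrelated test.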