From 02479e29fb5a78fd7d654cdf46ba90f3be44a0ce Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Tue, 11 Jul 2023 22:10:40 +0530
Subject: [PATCH] mime: add tests for bug 6207
---
tests/bug-6207-1/README.md | 12 +++++++
tests/bug-6207-1/input.pcap | Bin 0 -> 7567 bytes
tests/bug-6207-1/invalid-base64-mime.syn | 42 +++++++++++++++++++++++
tests/bug-6207-1/test.yaml | 30 ++++++++++++++++
tests/bug-6207-2/README.md | 19 ++++++++++
tests/bug-6207-2/input.pcap | Bin 0 -> 6750 bytes
tests/bug-6207-2/invalid-base64-mime.syn | 39 +++++++++++++++++++++
tests/bug-6207-2/suricata.rules | 1 +
tests/bug-6207-2/suricata.yaml | 24 +++++++++++++
tests/bug-6207-2/test.yaml | 34 ++++++++++++++++++
10 files changed, 201 insertions(+)
create mode 100644 tests/bug-6207-1/README.md
create mode 100644 tests/bug-6207-1/input.pcap
create mode 100644 tests/bug-6207-1/invalid-base64-mime.syn
create mode 100644 tests/bug-6207-1/test.yaml
create mode 100644 tests/bug-6207-2/README.md
create mode 100644 tests/bug-6207-2/input.pcap
create mode 100644 tests/bug-6207-2/invalid-base64-mime.syn
create mode 100644 tests/bug-6207-2/suricata.rules
create mode 100644 tests/bug-6207-2/suricata.yaml
create mode 100644 tests/bug-6207-2/test.yaml
diff --git a/tests/bug-6207-1/README.md b/tests/bug-6207-1/README.md
new file mode 100644
index 000000000..7d4972111
--- /dev/null
+++ b/tests/bug-6207-1/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows that base64 encoded MIME data with invalid characters should
+ideally be accepted with all invalid characters skipped.
+
+## PCAP
+
+Manually created
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6207
diff --git a/tests/bug-6207-1/input.pcap b/tests/bug-6207-1/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..26fafb50f2bc24dd6a02b601f661842c00bc0c73 GIT binary patch literal 7567 zc-oDb30xCr{>BGLJU}hgTI+#~ib|z{+y@AnkN^P!fgD88(n)3lfm|dL15{mY-7U4d zUDRr+y0YF@v|8<<(kfO(t5mIsN=rSe^{Tbn+O=9O|96fsD<3xb=i?8Ocg82*=b3lj z_nntB2Y0RshgeYH)!hw2Vc@r8;WiXI$b!V+JyB;~Yx8&A`}F#Yb(iD=AQc3~6Q@n@ zhaU?AuW;}hz6%-&PK+c}wBay>_oq~TImDSP;i+i7`VYl*TZein>u0##SRa8Me0C}A>m3XxYCm>s1r02 z#a_TKY_T-I|I5#_R+1{mX_d)+ssK2{0+6MM%OTn9h?xj-a3s;9Rclqb>O6H`CiPjT zE>^)jE?>w6FRIB{m@$KTr_vYZ(WmL>qklQY#HE|Jy}f0Ivl9#jl7-Wv74NJMfV4! zikMdUtWOmH3M(!S zz8i&a9oF{c$+E)vL9+weP(DfcDn*!Zp2_a&geR%j*sa=ACw*@O&5lw5grmnY*@=3x zE9qp&u%?cp9~6)7o}ak1G-!7DKsS>lb5LZ>->{&m-~drG8+E1Mj(U{3LMe|VRT62H zLw%|MvbNK}lUy&Sh^~Fh5Jj$U%X&WT(3GZ27v}`ciWtKTBvBbfwCg(-R00}_+Mrwg zdYNY9>3D6Xj#SamDjWJ#0Yvgy5F`)@VU-hwQ3OX|zYQ;kr=}OCP0h_nOANfBfT4>F zaM#dfF#}tUlx?4QAvI`(2Jm%u5?Db2cLS9V!2zO%O#AG7=jgJRA1S|)k}B(HmHa+c z0Pwd5z`gG?S6~)A8777sGiI+uI7Ck@^&(DhsS|Nvd@i5I;R-lhDTgOX=1Y@B0uG}s6QCBvY!-=7L}EtGTmd4raKUF(fMR?R-zq}IGJ#NnAVM^; z*5;;S7gD^ zfA4A|RXnuH{9ZAf3dB%-7=qGWP8@UM9DR)&ONJdjJ8p9$9z4lmtH#h2*zEE-QN&Y| znp2s>lW?Un9_}_*=2VuJW*AFza&jswD=RAeRf8ibS1(;*T;&beZ(8OVH+nD9rU>OK zY!vBgF6C;{RTd-#3PdekJ#l}G?anxKZzVNhPoY(gKJ6-ORKOK#12ZW}GyMmKrd8=3 zGB56heS@-2ObJOt&aGASI5O=T3wjMG5LL3BGZMM~+U2UhZCysH;IzuTUNmC@Gzwrs zUvBfl;2#1LvmI=8c^n9iV<_yvyk4XXON3#y6|QmlU@wNjIB_8>-rGRJpKRB8@3<`qo68PZod=_`ryWxT7nV zsqf{hJm9PL92fx|h|LarT~^$WcrX}sVP4qj!eOt^?RI(a|KZk~NV%AMlW`HfX}~*{ zZS$k955JQd(#2ZBh5I+kMeQx7ucUpp7CpA$qn|Cv(JzDcm9+sEmdk;@viwJeW*a~C zxznc}4EuLR(W8(w>q(klDVk-sS&#`R5S5d>{P+5yEz`E1+;N;#$);5{_o7)JpcxBB zV-6?Ooko1m&Yu|CxSQ9FmRoBEnkKCNPe|HUlJ;wg_TxJ&$O#mP%HPzKSuzq|J9rZ| zmsEL$R$0=EwlzRI?@aH}gXpwLZaZRgrofhR#N);ARIrfaNK@!ukZQHN{1{4kh`h^q zD2&MC#a3O|`BFQ~4(Z`f(!+a{hp2nZQf`fUx4E3ju+3?=IWY&>qUra~hXM^BO@hv$K!^XzbkuS4vf~~` zls~xXXTKY)qlS;}>8Ry_jymZ+Lv!lWseAvjaNwZFvv)^@q=_MEYAKqrzpoG>wQQgqV)FmwZ-4_}}t>pb?! 
z$$!lcNtZ;@l~Z(*2TWGys`8re+<3OWrg+owpjjpLWTg*eRq#7Qb8=_o9i4sYtNR{V ze+o&%BWbJ@&4z~zP2L)vHSZp}c$aEbeNY-+4^3f!ChQM}#*Z{bythaCEwuIXxR5jg zk_M${20UhlnB6}{H*RVT`&{d59T9AZ2^R!tV$T16hnNXZ7}||dGp0?>x^`mA8$ZT` zq$L-YZhD;-`zH%B5>HvgRzdS&^{3lY!dm*b6p<=fw91xVv_0#zn)iASF^Jo3w^E#VJ`ai8 zK;XK%DO^K18#)UVh*EugbzQW__D;0@%~n$7D6KN37j8oU7hm^3Mm{iCBbIUpXb0h1 zZFY=U3s2#u5|6mVea@lQ#e5E5q~{4ZA|Y557jqEIYUW!lJONjViuqQdS!|IAC1ROX zEHm>2|EK3e1>LCc_XJUuqFctclDz`Qr#CtK@UWmyf6| z=dQuu3qxfUAtke-_eVZtv3qV|?}$;;cU&lY*bH?P2D^nLq=Br=Ie}ZamCev3D!L*i z(ABMTUN^^vq)8@eW>GZz`>~;gK!K>Y;&*9(8kBuwAQI6*s?4TU=JcXT4$zFd1fFD6 zUZp}&AO|nCT$7nwl%dAt7L_F3TLzkxYVZSzLx8&gufrF3$vO%B(`8QC=yRS3C0Z9P;7{eQ_CTD$AA2RVoWFg}w%z1!v z_I)Jd>}}KPv;$`^EXf&kLuoag1YmGIo*(Q_OnPrq)t#*Y2EtJW;9#h6_VU6kS zL|S={D-Sbj@(M(hv#24Avs+p3m;6yMC3fG6f0TrD<{_O;q^HVf7-zBPrzysaeP!(# z)2)|+I`agat%-*qxw^QvEX#>msxo}DH70?+Vs^2kh|ANZ+mud~LF%+Bs=U=Ml~Z7L zYvn4f4CQL1Gt73eS)9uiquDB7LV{LosC7xo{gkuu(Tua&d4dT4zAbOnoxZp{q_Y;n znd2PgY~-_SFe5=^eJ^kMa_hc@1voA%x2kSjP=CrPu9qNy9fhKhj#QLi>EO&Nds+LdX0 zT@Of=Tv}ygFPhE(&7JVjD>x2^o~~YCc;AU=S|;p@ZK;9(9rDSA^@QYILGhj&$)q=( z^TmE-^Kqo$@2wYuruU>Ly}t$0n=qQ8dDGn#{~CW~`@4^qtPM%iP0}<_G&9Grp%kD% z)b`H0ueS`FxTUG?G_~c$p;Zp|qUjFM#Nz}Fy#ui`h5;(KA1zVbino}nZ01lvY!(Sb z{~hbXSmtsrjD50v{k$&AzJ-akPhZYHRRB=*gTOvBm)xUIhO2y-4?|(Z3yacuG8vzz z;wmZLT$tfadw4%Crfpy5J=5M@!M0A>EbwjhB(IC&oi&c#v-_-TO4!)HdYj|$OwW74 zcAse#!24GR1XcNL^y6Ojc!tRK*mNRr4#5milK6X%ol#fww> zC5{@r`PBRRH%S! 
2.2.2.2:25 (tcp.initialize; mss:9000;);
+default < (content:"220 smtp.server.com ESMTP Postfix\x0d\x0a";);
+default > (content:"EHLO smtp.intra\x0d\x0a";);
+default < (content:"250-smtp.lab.com\x0d\x0a250-PIPELINING\x0d\x0a250-SIZE 10240000\x0d\x0a250-VRFY\x0d\x0a250-ETRN\x0d\x0a250-STARTTLS\x0d\x0a250-ENHANCEDSTATUSCODES\x0d\x0a250-8BITMIME\x0d\x0a250-DSN\x0d\x0a250-SMTPUTF8\x0d\x0a250 CHUNKING\x0d\x0a";);
+default > (content:"MAIL FROM:blah@smtp.lab.com\x0d\x0a";);
+default < (content:"250 2.1.0 Ok\x0d\x0a";);
+default > (content:"RCPT TO:test@wut.com\x0d\x0a";);
+default < (content:"250 2.1.5 Ok\x0d\x0a";);
+default > (content:"DATA\x0d\x0a";);
+default < (content:"354 End data with .\x0d\x0a";);
+default > (content:"Subject: SMTPbelka-test_sans_name2021-03-08-17:28:53-221a0d8d17b3b41e28ec113dcabb55da7bdb03a8c0bb5d3de252f5d69347aa4d.zip\x0d\x0a";);
+default > (content:"Content-Type: multipart/mixed; boundary=KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"This is a MIME formatted message. If you see this text it means that your\x0d\x0a";);
+default > (content:"email software does not support MIME formatted messages.\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: text/plain; charset=UTF-8; format=flowed\x0d\x0a";);
+default > (content:"Content-Disposition: inline\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"Ceci est un test\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: application/zip;\x0d\x0a";);
+default > (content:"Content-Transfer-Encoding: base64\x0d\x0a";);
+default > (content:"Content-Disposition: attachment;\x0d\x0afilename*0=smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13;\x0d\x0afilename*1=ddf80e995fd98ae442f3be499ea928c67f..zip\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"UEsDBBQAAAAIAMGLWFIeAcE7CsgAAADIAAAdABwAc2Fpbi0yMDIxLTAyLTI0VDE3LTMwLTAxWi50\x0d\x0a";);
+default > (content:"eHRVVAkAAxmNNmAZjTZgdXgLAAEEcQAAAAT+/wAAAAuA9H9xrzNtrXD6Avu6lf86JhdtXpj+V+CV\x0d\x0a";);
+default > (content:"TQ3MBns/euhyQpaFS34j/1zGPp95UrLemiRgwzVyovXXbnHVAfflBmdR99srXFv4q5T5s2Lk38ZH\x0d\x0a";);
+default > (content:"VUTKzuXSaeVqtozS6u9XFMZZT/8rYwuqoJXTJGoIAVRFVbljGJt/7YX05QOtUCjS5PAKoNeVMNQ5\x0d\x0a";);
+default > (content:"AIZzgHnecqFuvMX3TjvZmW01SCiDnEU8nfBqsxoEn3bpPAEP9d0M8Ybl6b6L06dJEu++P6Uzo7hw\x0d\x0a";);
+default > (content:"b c ;* #$%^@%)(*- \x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq--\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a.\x0d\x0a";);
+default < (content:"250 2.0.0 Ok: queued as 5C19921E0D\x0d\x0a";);
+default > (content:"quit\x0d\x0a";);
+default < (content:"221 2.0.0 Bye\x0d\x0a";);
diff --git a/tests/bug-6207-1/test.yaml b/tests/bug-6207-1/test.yaml
new file mode 100644
index 000000000..3c8135c35
--- /dev/null
+++ b/tests/bug-6207-1/test.yaml
@@ -0,0 +1,30 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+exit-code: 0
+
+checks:
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ email.status: BODY_END_BOUND
+ event_type: fileinfo
+ fileinfo.filename: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ fileinfo.size: 286
+ smtp.helo: smtp.intra
+ smtp.mail_from: blah@smtp.lab.com
+ smtp.rcpt_to[0]: test@wut.com
+- filter:
+ count: 1
+ match:
+ email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ email.status: PARSE_DONE
+ event_type: smtp
+ smtp.helo: smtp.intra
+ smtp.mail_from: blah@smtp.lab.com
+ smtp.rcpt_to[0]: test@wut.com
diff --git a/tests/bug-6207-2/README.md b/tests/bug-6207-2/README.md
new file mode 100644
index 000000000..11f5f4271
--- /dev/null
+++ b/tests/bug-6207-2/README.md
@@ -0,0 +1,19 @@
+# Test Description
+
+Test for the edge case that should be handled properly by MIME decoder while
+following RFC2045.
+
+```
+NA=
+=Mg
+==
+```
+should ideally get decoded to `42` as demonstrated in this test.
+
+## PCAP
+
+Manually created.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6207
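Review bot: The fileinfo filter in tests/bug-6207-1/test.yaml pins the decoded attachment only by `fileinfo.size: 286`, so a decoder that replaced the invalid characters with a filler byte, or skipped them but mangled a neighbouring byte, would still pass as long as the length came out the same. The sibling tests/bug-6207-2/test.yaml in this same commit also asserts `fileinfo.state: CLOSED` and `fileinfo.sha256`, and adding the same two keys here, `fileinfo.state: CLOSED` and `fileinfo.sha256: <sha256 of the expected 286-byte attachment>`, would pin the bytes that the README says must survive the skipping rather than just their count. This directory ships no suricata.yaml, so the run uses the default configuration; if that does not force hashing of extracted files, a small suricata.yaml like the one added for bug-6207-2 would be needed for the sha256 to be logged.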
diff --git a/tests/bug-6207-2/input.pcap b/tests/bug-6207-2/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..89ac39c671231b8d055c6e85bacd5150127980b7 GIT binary patch literal 6750 zc-oDb2Urv58^8}-Gyw-VP!Lb83k+lsNCK#guvZ~a)LOjcE)anvB!`HtR;zVZ>!__* zD;6BBE!ApWh^<>n7lPZrR%jJh>p(@RO27NQJFe!T$v+S8L-O76%kO>fTX&p3y7Mz< ztSiR7+S@VA3H+As-%f6A5MV*zJrjx3J${?!GJKGBO-?TtOpRfqnbRh8r)!?abr(ThGtwP(S%AfWMkXdm3s<_AohzqT)CnO)$x`-rN&&j-4q%u%HZcYH z8jQ4sKyndRc)1ppT(I}Ul;};NqUCn4$RZHlP%azECH*GAE`UZRDyzOz<#Zie64K*b zHKhE=Qbu)30dg600YxqrLAQKD%M=pWftJ*`RCQupa$Ir@`kWp&NsUXy(m*kIp{C5V z=!xi^T9cN{o~8*;(`XXY+4khv@Z?B!6lm3Cq(`Piso4XHh&WABT#_1nic07H8eG8) zO|$}j!Xsldk`s^sNVNDWU#{lIoBn>+ax8e?$ESway_Vi!82K^fvQ(pTSsMjdIyk_@ z#%mjYOds%(VEw$UIgp}eDV3d4K)F^%fWZ?UmxxEFr6j4e`9$sno63Q&_@Idwy>qAK z$(M%P$BvkVF7~dglOH%)2}R40=;Gf6SQKbvqTq)k?|;AT%z;IX-~SFNK`f=ZQwk8p zBj9z#rT!9sF`kl#%s&5vH(T;aG`+lPebl)T@08drp%QSB*-B)#<(dFXWac6e0ed#l zr_?7amM(Cwgp_eC<=ajvz-&MzhNVTOYH&@8il(gegyJHauidfhyy5HT0+-%+7P9XNY$7@c59acxG~VI0GT!16kws?026&4mY+E*Z0Vo&c5M@+__LH_ol=0=PxTf2!+DPIgK@)hffzHK4Bh$u(CPt6*=iVS;>7Tr?e&0NETcd2t zls7)Fvs=Op@OAl6ID%cs{t{r{fCEgt?|HJZS5oVC*G9`hNU2~cDV=$XL zQ94?MGt-Th%FiQ2Oi#?V5=Lvbktm>~VyQ$VmWjj)ktA3pRjA}LkyI)n#H50h1Z!p5 zKnW#PP&$c3M(PNyRxT%rU@fT?%Ls)|3_g=Gl9I}$dN~=Slm!M8L?G!u(_ltrh`!60 zVbBJrthw=mE5DQmEwp>x^1;b(-;Ng_lc5LW(a-sd+gor$Jm+qyfW_&D55Et*yVfR?j@@I<=I1 zqI75j*VaOI9?5(tz}^J}CQer#Z7!bk>HZ;S$-a<6vy|C3Hr|{~1V}=YYp~+rhrpTD z4%eG31q4k~Bwj#StwavxkK=KAyu?(5TPX^snX_qX28|nNa0cj(poyTF;}(>c`4OL2 z+%2c&*^z%ulbSQ1I?O8<<`sbQA|DGdu(yHHU~RkC)MtEX4lS@iik79Uu*oZz%WLL2 zuo){L4Eea#q^FAs3x$&=%8DCJG;S?2n@tw_KeDy@qb%NT<+HH7wtv~K+KX=8a`766 zS(Gzbm>;1m3ZL+O#iQyAGK{{sq;&D*Wp?{YIhTd5k?Si9pYk?SYhDPu6C18CCG|ZV z+H8V0Ey(7bHUXB!^nDP6eJNSPLGM0KDjzO^lz5i%xsA;x&c+AK#v+lUk;Z(_n!kD5 zpcNiloa*n(W{h-t=+O2Av^|AvS3DD7MnGWVyF=$2Vs<2-c;Z)^04Y;h$|@V%6P)er z)3&n*(`f_D`Gmn3g6nb#iK$osE9dlr%b}lw&mqcSHJhvk+F&xOaDy@5 zV5E>}TRShRUes{Zr{>%Cw#0q~jzpckpy=C3^bWWg;5urS(tSkv&DfZwZ&aMH*HN9l 
zIy!1D*HK?M2|H|7Rm|C%Z&Z3__TEwA&}J~SnTc%fI}5Q`KwzRat!D96fm_dyRB4AH zMa5F~+1L!`Y<7+VWutTk94wf4kr8JWPGslQmA9+E=4ZvOXbYD-AF!MpMRt$6 z^0m6BxiF!>$Mf0NVNGAytyMrrtu$P%+`98N%MYgYc6sqZdCZ-?haK8Tpp72cbnC&} zw7O({+`Y1GU)#jpa=SK?4x2R2W{3-KGrLb4CKO_s zfWXA1uwR!QnY8?ydPC3MkP^#Mw%OQr?9)n0ZKoK*Y|c062xgE5fW1@*a+SIAuJ4a- z-u_iK`I<6ute->IBIr7dy~B4Cc07=1{d3x1M`G9RiJ!ao)t4Vg*tiyPuA005adEVFdie9oiK~ZQD>+u<;ZS!iqibqMy1HIM>@3p> zK;Tc;rFeh#t$xb!m1q}G!%}>0bk}mabj5$nd|<66bh!nf9TZn@$fuaSu&+3bxy5D1 zxd`oxr6Q?ZBaw;ZfnZZSNkmY3tyHg*$ixaVNU9Ii2I+zWgM*a%Af;9!`!`7vMv{7k zm{Ka`dQzz%sK7v}UZ$l2l}d_GN)@`GV7))TPu|^|uhs1yo}g#ZE*Q$Mlx{^Z1y!-qq=pgoI-r5v}hQE@gG!SUqqFeFsnmlry=!}qJ{ zH`dJh+I{x}heG3_P!2uF!Z+=+He33rosDLMQw4LIvB( zp36$F#*_L1yBrEdL7{XcbYOrGtU?%!KbG$4GU;US*&_pY--48}EailaP!uOL0{m4N zTcBD`-lxjy9;9z-ezMV6SL@Ix7W$+hpYI3q{b%&i`qP`dROeSOjBc{qe_}iOPYBn4 z8V2z;;<3BK&mLdj;LZ-+MV&?X7l9QWdFKK|;#;=Ak8eOr1J?6+$Z-(jQVY%X~7 zHiHX`H_W$e?qlrkGsB@xBD6_BHnoF=*d#z;;^u*D&v%0S2A}e;x&SGOEM<$0O(JJ= z_XEcZl1PMnuln%5g-wszW8d3yySdw>NQb^==sODe{yK!OUQZ7}7U7%eW4Y=w+-~*E z9o6&Ts@I6~HgU64>jw5apV}q+(lduP7HBg9+0+l^hh8P|<4-GE;`?n(q+IO|Jqu^! z>%`cwH&kPW^Fo8v3;REa{Y7JZG_}p4P%#w3kr4hWe>q20wZHY#{PAR;!`G@`zMP#> zfROuq?y;E|K5|syg+){mxcMWjxI9v#R7xdkaTL31kKlc$n;)(2;dWvBg(>IF_MQZF zDF)xRg7GyzL%zdD3OgRA-O2YWYpu_y-P8BdV|x$NSPJl6&<46vk%8U428`m3R6WbD z?5iXmCltOn*=_|_0NyNU^cWcp9W7+ehhg}%U;S;T);VtF>lQ;wFiSbmDFqmvT+IAq oL&8=tqJ+H(QI6r&UTq1PxTy5H?z;MiP`kyN1;Axctr^4q0Z-KLnE(I) literal 0 Hc-jL100001 diff --git a/tests/bug-6207-2/invalid-base64-mime.syn b/tests/bug-6207-2/invalid-base64-mime.syn new file mode 100644 index 000000000..d8e9a1498 --- /dev/null +++ b/tests/bug-6207-2/invalid-base64-mime.syn 
@@ -0,0 +1,39 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:25 (tcp.initialize; mss:9000;);
+default < (content:"220 smtp.server.com ESMTP Postfix\x0d\x0a";);
+default > (content:"EHLO smtp.intra\x0d\x0a";);
+default < (content:"250-smtp.lab.com\x0d\x0a250-PIPELINING\x0d\x0a250-SIZE 10240000\x0d\x0a250-VRFY\x0d\x0a250-ETRN\x0d\x0a250-STARTTLS\x0d\x0a250-ENHANCEDSTATUSCODES\x0d\x0a250-8BITMIME\x0d\x0a250-DSN\x0d\x0a250-SMTPUTF8\x0d\x0a250 CHUNKING\x0d\x0a";);
+default > (content:"MAIL FROM:blah@smtp.lab.com\x0d\x0a";);
+default < (content:"250 2.1.0 Ok\x0d\x0a";);
+default > (content:"RCPT TO:test@wut.com\x0d\x0a";);
+default < (content:"250 2.1.5 Ok\x0d\x0a";);
+default > (content:"DATA\x0d\x0a";);
+default < (content:"354 End data with .\x0d\x0a";);
+default > (content:"Subject: SMTPbelka-test_sans_name2021-03-08-17:28:53-221a0d8d17b3b41e28ec113dcabb55da7bdb03a8c0bb5d3de252f5d69347aa4d.zip\x0d\x0a";);
+default > (content:"Content-Type: multipart/mixed; boundary=KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"This is a MIME formatted message. If you see this text it means that your\x0d\x0a";);
+default > (content:"email software does not support MIME formatted messages.\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: text/plain; charset=UTF-8; format=flowed\x0d\x0a";);
+default > (content:"Content-Disposition: inline\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"Ceci est un test\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
+default > (content:"Content-Type: application/zip;\x0d\x0a";);
+default > (content:"Content-Transfer-Encoding: base64\x0d\x0a";);
+default > (content:"Content-Disposition: attachment;\x0d\x0afilename*0=smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13;\x0d\x0afilename*1=ddf80e995fd98ae442f3be499ea928c67f..zip\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"NA=\x0d\x0a";);
+default > (content:"=Mg\x0d\x0a";);
+default > (content:"==\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq--\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"\x0d\x0a.\x0d\x0a";);
+default < (content:"250 2.0.0 Ok: queued as 5C19921E0D\x0d\x0a";);
+default > (content:"quit\x0d\x0a";);
+default < (content:"221 2.0.0 Bye\x0d\x0a";);
diff --git a/tests/bug-6207-2/suricata.rules b/tests/bug-6207-2/suricata.rules
new file mode 100644
index 000000000..da357e39f
--- /dev/null
+++ b/tests/bug-6207-2/suricata.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg: "Test file content"; file.data; content:"42"; sid:1;)
diff --git a/tests/bug-6207-2/suricata.yaml b/tests/bug-6207-2/suricata.yaml
new file mode 100644
index 000000000..e1ced9b5f
--- /dev/null
+++ b/tests/bug-6207-2/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert
+ - files
+ - smtp
+ - anomaly
+ - file-store:
+ version: 2
+ enabled: yes
+ force-filestore: yes
+app-layer:
+ protocols:
+ smtp:
+ enabled: yes
+ raw-extraction: no
+ mime:
+ decode-mime: yes
+ decode-base64: yes
+ decode-quoted-printable: yes
diff --git a/tests/bug-6207-2/test.yaml b/tests/bug-6207-2/test.yaml
new file mode 100644
index 000000000..c038e96be
--- /dev/null
+++ b/tests/bug-6207-2/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ event_type: fileinfo
+ fileinfo.filename: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ fileinfo.size: 2
+ fileinfo.state: CLOSED
+ fileinfo.sha256: 73475cb40a568e8da8a045ced110137e159f890ac4da883b6b17dc651b3a8049
+ smtp.helo: smtp.intra
+ smtp.mail_from: blah@smtp.lab.com
+ smtp.rcpt_to[0]: test@wut.com
+- filter:
+ count: 1
+ match:
+ email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
+ email.status: PARSE_DONE
+ event_type: smtp
+ smtp.helo: smtp.intra
+ smtp.mail_from: blah@smtp.lab.com
+ smtp.rcpt_to[0]: test@wut.com
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
--
2.47.2
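Review bot: tests/bug-6207-2/suricata.yaml turns on `anomaly` in the eve-log types, but no filter in tests/bug-6207-2/test.yaml says what the decoder is expected to report for the `NA=` / `=Mg` / `==` input, so the test passes whether or not the MIME decoder raises an anomaly or app-layer event for the padding split across lines. Since the README's claim is that this input is valid under RFC 2045 and decodes cleanly to `42`, a third filter with `event_type: anomaly` and `count: 0` would pin that, or `count: 1` plus the event name if the decoder is expected to flag it; I have not checked which the implementation does. The same gap exists in tests/bug-6207-1/test.yaml, where the input is the deliberately malformed one and, with no suricata.yaml in that directory, anomaly records are not logged at all, so whether the skipped characters are reported is invisible to the test.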