From 1353d1ac55d4dd0c86574a5bfa3d019e95ab8432 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Fri, 5 May 2023 13:54:15 +0530
Subject: [PATCH] smtp: add test for long DATA post boundary
---
tests/smtp-bug-5981/README.md | 12 ++++++
tests/smtp-bug-5981/input.pcap | Bin 0 -> 38789 bytes
tests/smtp-bug-5981/suricata.yaml | 14 +++++++
tests/smtp-bug-5981/test.yaml | 64 ++++++++++++++++++++++++++++++
4 files changed, 90 insertions(+)
create mode 100644 tests/smtp-bug-5981/README.md
create mode 100644 tests/smtp-bug-5981/input.pcap
create mode 100644 tests/smtp-bug-5981/suricata.yaml
create mode 100644 tests/smtp-bug-5981/test.yaml
diff --git a/tests/smtp-bug-5981/README.md b/tests/smtp-bug-5981/README.md
new file mode 100644
index 000000000..4d4bd09e6
--- /dev/null
+++ b/tests/smtp-bug-5981/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows how we handle long DATA lines for SMTP.
+
+## PCAP
+
+PCAP comes from ttps://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
+and has been modified to have a really long DATA line (6512 Bytes).
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5981
diff --git a/tests/smtp-bug-5981/input.pcap b/tests/smtp-bug-5981/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..64e9c59d0b23c9a58ab24e932121ae82aae05a0d GIT binary patch literal 38789 zc-rlJYpmN_mUFzyz!*7`I0D+5=l|d#&JmTp|>be z5+&8H^P^3g^hYN}(b`RFr+|MnK^qvZjkH0FPTl^gTNjOCxClCE(-uWq!$7BqQv>lG z-|kI{=jiC1qjT;!gVcaF<yM{PwrjUVH7=+4|bQ`uyL&6S*5XPj@3vz~g(rs2b?% zr*{(hG5pC-f9b6e?mzw9-*{_;jYJ6fvoA${{w+^F|H?mj;_mOgP6C_|6QaHF@SnaE$-m_@KZ1}D;+^t4zWcS; z^8XGZ-u=0EJ$e*>5TFIj?m&#pPA)NfPX2A5*#{1o-Gz8xk)D3^DEsXI1yTK(om^s6 zdH5y7=+oakVDuG)Bt7%!(QkY#5=kbBxI11r1d+Hu*7~FS>-8E5Ja(t!I9n4{DHcU} zAq%rRxx_dt|1M&D=Z~&n{D&~F-}?{$2)JX_(KT%Zlu76a!`RZaqoHsVo~%xsH?@eP%ZG4xFi60Y_&zYS}pTz@V&%KtiV_J zO2NO5=O|tkd65k`z6Ellc5+Gal>Fa(#sAl1 zr1gV`zw2xLe=chMK!&IvL|T94pF|=gnTj`Bl~H$`?&-~XCcu3w#CvHcmzXByKk}J= z{ebBQA$Awy_Fwy(kw_=WxkfWh1bA;d&hzV6xz~d(#C#s{{LL>0JnIE++a--vcP#IC zMj;-vlS@1^$`ANFUpe6UJj7l?+~(+CL?Vp=mlRvdMl7UW3^3n*ta3j0@S8r@|9QZ5 z330Q2g?fJ&JP_79;91_uB`o^kw|%THU5N$t{vlXCNirRu4qu4d)40|%H6#Aqhm!Y+ z`^57B*%$s@n*Y}|I>V1J6qP$P9{T+nzonN{R<*Qj(Fs3uw+*7C5 zl?*qZjvvIIZTWZO=+O?T0s*zv{goQNmmWc)dCIa>6ckr~$( z3$5E5o0EkLs|%wo%m?wBws;|)NX1LbQ9MZy*?59@KqelL**HeP>sS

w67z?)ImX z2l2#xc#ED+77*l~x^W=F*oW8V3w+#Po5oMYqHoiu%ZZ`QH!nVW52hDCS~1rP2|n>r zf*_E>77H!=VVKZaSAH>CecRqEe)*@cDtbW&wSC@;?6jgg_ z*&iA41f+34olZb5YHtn;{T@Ft%=Lpf=vwTsVS_=9Pqdd{p*F{hw$UqZhYKs~z4)S^ zNq=ls1@=K)noo^o*EHhPW-rIx*YQT?K0(}1=HY=%kU9U&+C8AIS2 z#`}{vGI`vZ&d1u~K6?J%y<3~{uy7Xe72FwV{Rt|UZcm%L=HkU?m+n2y?e_c6?ma)( zCaz`9@3E8a)PU~uAfDCx3zYwvW9>OmT(cqQkH^19ewyQq`dw`SoeLkk_ZAb=LPRIp z*nII>uRrlS9)`9!PE^-iGm|=hgz3A^)a@^PmpvzqkS*w8SE0wEW+{j9{W=e1O{M{0 zL69i_qio8Q4R~}T4dmTd%oKjd+n@^y=#m}DYAs#Snw3o~s*{yfXCm8blXG-BUDZit z1Q-^gS0NIU10DeIRhV1=Y?KR39vJVSO;ChKlo3t9FbQeYJFN<#HPaKmsEoR#;^^b9 zE!Mz>XGFWqCK7s4ak_=|h%a!2QQ!tzAu-Y?%C;QPr9q4J5g{7Y_BC7QYDyE(6@Jj@ zr|3jQ(-OTTJFnIf_{x7no>qMhlnugE_tZH(l*j8~zb#^t2E7>!R;pO`4FV{6_eKho zLCV+4*OCFA7|0ehjh6A|CluqfCPU)0R z>6A|Cluqf*PH6q*ha-{5YflAoxc>6gtF=%1>o0%p;`+-c65;yG>SrSn$=z1$;uOqe zCJnl3RxSfep7}GXU`Feplmj(6QQ!zl=W2{eP3bnE2p-s#S}GyZsV%#rO27b~XqQ2& z*ye{ttEPEN&|ze;T@XPXxJ)d{ddno8q?R48C|6XYOBeEetyi>-A~kK%(+M!BI+dmf zIz>%*#%=O4BWu6}U;tRYz)e>2V$Cb9IX&acv8YY4JwQz$MG=q#%u><(rw8b!3;<^X z27plq_;Z{t0BykYpdHvu42?$>f^(JgHT4tifuap;JDkk*!Y|n1ZE9K%@4y`TfTls= z>~fc4Q6+er>V=cwkOO;^Lxwwh-2=6K2C?WN2bSOCKxtQU*fD7DGZ1;e$D-GA;LB$m zpb1jPtT0F+25jIV{(QgIOpo;qv98##z?jStPIS}f|%=X`~?R8*~2+?e?}ef6lUlA=lv%+klV>`KfAL$d{zN6FWE3l-G**MVFC^M3Einc)QZ<`R_2|S zyf6ysQKz3+wwsBO(5evK@n{)~b~b6R-BJe7PZOijVwD_#x?RG1jkMR(WuZ@0)@3?T z9~m=lR_WHpTun`K<(Azm_Z+(?sQPT4%5Im*VH(h}Xt|@z>dhr>)w0&IF`mxssn8)E zY20<_%v>AKmR**sOX_x{=7?=e-fC&bm^2qovo4jXnb}x3I8z&^r_ClTg=NMXk4D;x zN;<_-(zH{R8P%HQ%5d-JS)t{sitXy|JV$i5cxTcDlH35 z<+frhI$JGBMa!J9oC0~q1=Xs@E5N$O*VRdnvFJ($fsiQiAZnQe7Jb51f-wVV3H=YXQ ziunI2KmPyX#rXeM{zn-9Uwa`EsVSBuubFONsY$K1JX5wp9p}?ja#&3kbz7}aR?fDo zp6iZAP|tF6KIktUvaTp{DJ8SAH=6P}yoM7jFq59u14XH!^@sK#Ghp(}FypnXd`X{r zTLo~A32as>YR&nGsrHRnR1jLw9&N)O^xDc`xoygFjY^ki8+}QylKi}}Et5DqGE##= zve6xvnxaf>7_+p=5+ze77U_yOW*2VGFvqYabd;*VsukT@iW`2YGUBwivC#JYBMTLv!FJqG}A(cOqoKe-riKZbeR}nlAW)2XA^xTtb5XEX?2p@S{`W0QX_{a2CMdbT?V{r2yMPW 
z&~$HXED{oyn#ZCk-JQDLFh7x$Jib(omC3D&&1ENrl?caH+O9OuShKu7rLKer0f-3Zl=suQ?1vry>gA8#-hDdKi{Lv zbtU1}6F6C-J!dr8=CFD~n6ahq!b)0hHJezj^^8?&l5ODTK~`87xPn|WH;awH)ibRm z&JPzgITls9JT|~*WT!pR$XabQ?@TMT8K+vg*7EB_RBEiAGU0?*;84&FeO~SDpAaT41c%OW5odcAI$D$Z)A|)I>=Id32`T+_aQous(s044e zi?I1CQt(Om1~g(@g4c!M+Je_z|C+)4m4Dm6bZt>M%-WVxMcmuv;OCe_ z4K{p=Ld6GgoR`~v38KCrHNLS7>0P;<{||w9gWXW%|B>U7|L^*d{}(Ps{$Ku782P{T zdL;5j3-GLGvd@X4>m#U~e5Fufx6|)X$ls%9&}`4<>B~s)KI)92@06*sibabPV=Xis zjUIx`8EZ-o-oC);vAq`N)y?7o3KDpYazVM_s1{2rd{oJjl#{UlKURE!&+u%CM$g2e zlPYvmc;|bnO1t+ja?_HDxz?UF$d!e!EDO0Tj(DIFLiz7McY~(B&5o3*FLLkv^F^Bm zrBH5^B;Pw8S6lczvK2t3<;z%s+;-M1q{rRX3}gUYhwGFdD|UmX_>a$3vP@7?P_PoNJ0~fKdIKg`(lHrgO&t zMMgLuDWC0|o zT|g+|XCx>`bdE)l4gAg~W%qn82ON+Ekoc`j&<@Dg)#-p+$N{~9N&^Y{jI>6%AS)nk z(K+OXazIuJ>%`^yi6U}=PR(!CiP>X-azPS{qAOJLC}tvCAUKeA7FzKu5=k82?ZlxN5Rm2p@ip&*Nd_d}k( zulh0Mje5gjWIzJ@M$-A!z95dMXLDFruPTYq7j7594>?>XK|Mt_IQ-@&Z@9_=7rEWQ z0Y!ea$>Q@*267nrpZsj?*HGkt{hwWo{D1oiKk`5G=mY=wHzJW+Xn3dz>Qy13_!@J} zrw;W%5{rhPZjxiR41F*bMQzPl4{C25autW0+OwcNxK6G@MZE^@nq05;GlZ1Ja1zO( zrq|_iq~8I138=?#vDa{$zU1R*d8|K<##gau8n-4;NHoIneH-=!-rTB_5`(ws2_d%H_EW`)3|2~iF`jV&y|LD=J zg0GwYPOj;}POjfVbGFjcfBYK3>~9tPvEx`HAFFp6>tzvP{lu&LSnofMwe+z*dKv3e zAD5nf{kiuo_ObrV(f+9#_4}vqy%?oFb+#w$zkD?kiSCaeOS9$Td>kE&1H%y@64c(I zRv{ErMyM=M`Ji!7EE!1w(%b5CYQQTeohh>MHq8zzOupS7%?~-V?^yWOT$q}|K zE*Va=aZEQX1&_)2^La>7X@LWlF{TNFbGLyh zain;O0et7?3EOjtDBYCXqZa~BaW@FCosqkq~=oWulnuT zP#m(%roA;qu+|bnr!kZ&cu#1oh)ucQsU`G8k5Q~OyNE@nZe!R0^0?e-r;Dlipo&$p z*==&tv)Y@KQlmShk!I%k?AEQMx8i87Zby7mPPdocY%$-NtgFq1SZm0Wm15*#(IGpZ z$*Ymkv5Jc2vD*=$OZjDOkaK&Uwe`{!SFy=WQPY}qA~BuLTbbFKN$_R4KDDHNZe?%@ zN)g?Ghm-4AG$9Q8iQa748f?o0b27lo-gv<0M6uWzmnmK8j=GZ5?^H>p)xfy^dX&Hu z+yI-^Y8qzhxackT!n)1Ud~XKFj)QcjorD9HzN6*1ygm~wKHX3CHffC0SF^n9a-Eg9 z=(W7!h-!clRdXrJS}M7rRPApT7FTs!RBKqPuW@q;OMwA-EF~nisy-hl6LqdYZ@jH5 z4U6KEWt+|9#GyrE;%w^Oj?`+J&2d#IS7s>kf8coJf4d*~fB0hL|IFEcqj(>TL^>+h z!fQ-M_oRsjt-k`2ZO5V&!Q7Ol-nvRz?TX?k6C*#E+W00pM;)QEW;&iUR(c#aDssKt 
zhG~#4sBM-BESD*oW|x+RgCw5?49VBCu_(8h&Sxp2*pl-lrO@T9`p5=LW|K7ySKqq8 zw(XQOa^{`+%8*;?FwZ8nn!eK1iX+ieBb%E!8dqsx?bKR>txGlsJuKTOI7@Qj2n%gs z0<7NE^tw@%XeLXKDn+`(EK8{*4jPQjuEySsWU*lVeZ;B5+EO0VFb>+Nhr3%{+W+4O zVS@f|hTcBz+L9lMg8%FI6IfgF(Wo2NX>Pr?^ryb2bjH~~_y+gGlNF#9FWmWFt|8hR zLhv~;=$blP-73P~Ot`xAC$YA4gWWuqqCB)tTW1*1zENV)+dM^kQ0zL5kWmiTjpBAQ zMer#W*evIHg@TtV7Qq{nSakmiAt6M@vss^q&0cGSt+Od7X4NKk*(qeS;391fE%k4 zZp@3gF)2V{@k)zA5{rhPZj|n}8wB4)9Gn+ywu#*GYy8_67QEYr9#OX5aE}0PkjOEKld5CM8t1$j6S_a$cQ4J#^e0)R8U_ZC{(m;IYpl zWDxk-O&qpD)5&8i6F29rkjGUl5Vza&xXB6^Yx{Pt&9Lg$#?6&>C65ZuV2g1YTl7h6 zVJ5JJw!s$7HMXd&uzU^nu;9_fE7dv7A95&95D%Y&bGwotguaVa@gZ)K2GaB*4`Nwt z5{qoj%a%n?%apuwlJ`Z!%4?xoStK%7G~bUY^8?6`(?mu6ThffbrpGPoRb6T)VRNrHo0O#dn#t%|z1F6V&T za9-|ZvnIRm9mhCaVldBmm?h0&DOknfRXpM4qe&D;kJ+VjPOH?5y!l7vxKXo1K?%tcy)T z9@jCry5&o{rJB0=HTVnD+oTxB8xRalKLwa~gIP7I7eEb~n6t#zNo>EQbwIv`pq6 zi$k}Wz*dtaZdo4T3L-HtIKW6pp|dK zAuU25T#b_UQ_UVuTL_5a8&15kgaoA=Lt$?I4*x36F zt}g{F>&(J-^0rn8JR~E+`rvaQb60Udr7;{L}pROb_}j4 zg?%2Hnh~z#AT$)bI%({;*82>CKKL;X*@_AdIb0{P=*HQw*t`dOSqf}b%1xMO<*9_B?B(<0{9!ys?ZHJJhyz)=T}k9B785c+f?B?_s~qxDR9jG; zMX>`#!XO?WwhOQiXG|2_kOaKDWda6e*rP8hpu~VK3&-r&b6Cu|eGUf#S*+5C0pd0w zpul!XUqT)(Zb`7WAdH|4^Z9|8*9+^sHk;*3n4Nd}ZGvCqi#=9gWScu=a4}luE30E1 zP<`F;Kgxhq zJe(P)vNb7N$`{ieF-7vjB#{CMr`6~bDZWB`b^+Me+cLk%@}V9V%JN#Po@*1>6k9Qq zjGlq*>%zvh?i!nc{(^L1>mqE}4(kzR%B!D#IVi`2x2qt-6F9rkQSYjCVH- zE>!BP)S@BQc%73|0xh?>LknDP`LLx>zKO#@`65pzA(I5+Hre7*ah}O#7O)>%U-3>a z$Ug`3?;>BKZ<I`a3liT{z{X`=WCmMrM%9$n3v5Zm)Y(Nj$Jaj z@jT<2vvjUDO^by|YL1OkdS*ywH+@nV_maA4&v|3T%0&5=vroI3uT8xkte8mt#K!rG ziPM!Yte9Lm%ZK*4T)!gX&+RR{h4kcX?~vLJ_XZVrDCdza51U*Y_OzrtC+yu$fef93V* z3oEZ5g6E&w$)(@Uyr=#J6!{{*axwCK;frD9`)wFFW6}Eot)GAhKlvb#(@$ZZehTyS zQ<$fp!aV&H=J(G}VV<_npSI7Rw$Goo&!4u>f4^;?Kc!PTrBgbkQ#z$nI;B%OrBgbk zQ#z$nI;B%Or8h5~Hu+wePMdteX_N11lkaJh@BfdRd{5hRPup|fKss&DJ#EiDZO{Ev z+MavbSbN%7d)iog+E{zqSo{66vG%kj_OvDTv?cbmCHAx>_WNf`>}fOWX*26-GwW$H z>)E2lo4A?v&mP~*`b++1*7D`ete^9L`uFaIpZ@*H<5+*)$Ko$zec^Ycryo7~&PVsL z{v13jJGq3#y#8+x*5CWzS7JQ_vG_&q3tO 
zPA+Y|eXia@TW=qI>|pEd@4#HX4B6g!_)@_0`8}O4q1^w-ml4Xh?_P=W%%eN%Cn6EK z&Z_~VKYx_bNB*sk^|k}7SA48@LPq(35e8pw?BtT=iV>(+?k&Iekps(p86hFdk^c}{ zE}4kC+d73|My!5T>mA^=^N5}B9ZSr6L7tE)MFxT opXB`^Opm*9c^kIb`&Tk98NmFpfn2ADtex#{d8T literal 0 Hc-jL100001
diff --git a/tests/smtp-bug-5981/suricata.yaml b/tests/smtp-bug-5981/suricata.yaml
new file mode 100644
index 000000000..68e84b7f3
--- /dev/null
+++ b/tests/smtp-bug-5981/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - smtp
+ - anomaly
+ - file-store:
+ version: 2
+ enabled: yes
+ force-filestore: yes
diff --git a/tests/smtp-bug-5981/test.yaml b/tests/smtp-bug-5981/test.yaml
new file mode 100644
index 000000000..1ebf6673e
--- /dev/null
+++ b/tests/smtp-bug-5981/test.yaml
@@ -0,0 +1,64 @@
+requires:
+ features:
+ - HAVE_NSS
+ min-version: 7
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: anomaly
+ src_ip: 192.168.1.4
+ src_port: 3326
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ proto: TCP
+ pkt_src: wire/pcap
+ tx_id: 0
+ anomaly.app_proto: smtp
+ anomaly.type: applayer
+ anomaly.event: TRUNCATED_LINE
+ anomaly.layer: proto_parser
+
+- filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.filename: winmail.dat
+ fileinfo.sha256: 5f41c213e35d8421647181cc9b8925a5b2ab34c23102907581214fd574157fff
+ fileinfo.size: 10451
+
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ src_ip: 192.168.1.4
+ src_port: 3326
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ proto: TCP
+ pkt_src: wire/pcap
+ tx_id: 0
+ smtp.helo: Percival
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ email.status: PARSE_DONE
+ email.from: '"Xxxxxx xxxx" '
+ email.to[0]:
+
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ src_ip: 192.168.1.4
+ src_port: 3326
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ proto: TCP
+ pkt_src: stream (flow timeout)
+ tx_id: 1
+ smtp.helo: Percival
-- 2.47.2
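Review bot: The first check in test.yaml is a `count: 0` assertion whose `match` pins twelve fields (addresses, ports, `tx_id: 0`, `pkt_src: wire/pcap`, …), so it passes vacuously if a TRUNCATED_LINE anomaly is raised with any one of them different, for example on `tx_id: 1` or from the flow-timeout path that the last check shows this pcap does exercise. For a regression test of the long-DATA-line handling, the negative filter should match on as little as possible, e.g. only `event_type: anomaly` and `anomaly.event: TRUNCATED_LINE`. Separately, `requires: features: - HAVE_NSS` combined with `min-version: 7` is worth confirming: if 7.x builds no longer report that feature string, the runner would skip the test rather than fail it. The empty `smtp.mail_from:`, `smtp.rcpt_to[0]:` and `email.to[0]:` values as shown here may be angle-bracketed addresses lost in rendering; if they are really empty in the file, those keys assert nothing useful.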