From 3d4e1b1a8a75290a78bdad414ba27245e56c1e07 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 18 Jan 2021 10:41:12 +0100
Subject: [PATCH] tests: add bug 1045 test

---
 tests/bug-1045/smtp.rules | 5 ++++
 tests/bug-1045/smtpsuricataflowbitsFN.pcap | Bin 0 -> 2476 bytes
 tests/bug-1045/test.yaml | 30 +++++++++++++++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 tests/bug-1045/smtp.rules
 create mode 100644 tests/bug-1045/smtpsuricataflowbitsFN.pcap
 create mode 100644 tests/bug-1045/test.yaml

diff --git a/tests/bug-1045/smtp.rules b/tests/bug-1045/smtp.rules
new file mode 100644
index 000000000..33bd3b1a6
--- /dev/null
+++ b/tests/bug-1045/smtp.rules
@@ -0,0 +1,5 @@
+# by rmkml
+alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)
+alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)
+alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; classtype:attempted-admin; sid:3; rev:1;)
+
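Review bot: The three rules match the SMTP verbs case-sensitively (`content:"EHLO "` and `content:"DATA"` carry no `nocase`), so a client sending `ehlo`/`data`, which RFC 5321 permits, would never set or consume the flowbits; that is fine for a fixture replaying one fixed pcap, but nothing in the file says it is a fixture, so the rules read as reusable detection content. `content:"DATA"` is also unanchored and would match that substring anywhere in the to_server stream, for example inside a message body, which again only matters if someone lifts these rules out of the test. I would replace the attribution line with `# Bug 1045 regression fixture (rules by rmkml): EHLO -> DATA -> Subject chained via flowbits; kept case-sensitive and unanchored to match the test pcap, not meant as production detection.` The `classtype` values (attempted-user/attempted-admin for a plain EHLO) look like placeholders too and could be mentioned in that comment.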
diff --git a/tests/bug-1045/smtpsuricataflowbitsFN.pcap b/tests/bug-1045/smtpsuricataflowbitsFN.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9e1f279bd805340d415794b4c38c3d6759a417ab GIT binary patch literal 2476 zc-ozoeP|nX7{`B2W0^NHHbGhcnZJL8l$rDH^46xUG)*$S(zI!Fo%N-|G`TEilU#SX zc8%^Oiq;kfGW8#ov5GHy6O=NQf+$o_s8cpDD(D|82vZ7LCpcgJh|hDkUTG48*!D-# z%kMtV_xt5}ez~tcS$xe#>}2DoQX!-XUZ4BurQx6Fc91@Jk83WpdgO`9qif3Zw`aDI z2q9hNfgaM+a!ecj_=Ni5(a7M+GHKmDx9&vBg6)pW6FUg8*>AaMw{2s7btX80m%zM z?geUZJ7%niv!}oeWt`8 zz9r;YVy>DzisfM=556joFvvV)WW!)KXBI6)wyk2tBdnF?|XH{~CK-xSeXMbuVx$k$PG&Ek2 z^C?-QHM-OZvtr-1rbew6H-ea|3Su6rp2Su=|DzSe3s@D2=f-TL0JK6q5Ayq;qlY&y zRe3nM;o+Tr%Y%ee^q|Q}Wm1vzdVL#iuZJE~X(9syWSY7R5*nD23{!d?Q_F^_tYzwD zl!3%I4%o=3jToz%XzMGFAo0jpT_W_$PyVgMVL2%)({d_6(;6HJ#sFp1f=->AZy)9b zKg+={Ki1}8ZXGYy9XRTY!RE9w(?$;~dgkWoqNHfA-xu}^Jl7$>&1to^13IZRCEra2 zA01Gqslf4W%KHLtF2Hxty&TVR)ESCMP&%B@<-mX4ybt^Ys8Nd6Hu|V*)D<@x^5&i% z%Tr2DDdXx4>~k=Zy7BSGy$&WmHU5~K)B{wPAsiVG0tXY73x&i%*(HVpv@4OFRPr(# zj`Xqu%Rz2#I5K>^&&}}y$98z#-g?zQ)d-xxuHZrFuK*1i5Q+fm1Qg|YpC1f!?JoEe z++Y#U8P|SUD=2C{KzSBUn2?&+;dYl)oW!UiqtZRG{-8L}Ng?@MLhnvz)x&bClO{6> ztsv{&BXL(S9uh?d<6u|^Gc+PfX6Js**~t)e?NGhp2`%lx;d%Yls^MAQK6m{z4$n}x zH9VKF*Kl~$37S&0l$FgIiOY)b7WPzuRPJ67l1Qp>nW7T+orxWxLFIRiOr;`{w231xGLCOOc rHj}8)?O8fy=-ykU`&S?>ly=eC*>y|z8m587;}`yit_4fiRYLv&I><5h literal 0 Hc-jL100001 diff --git a/tests/bug-1045/test.yaml b/tests/bug-1045/test.yaml new file mode 100644 index 000000000..3989317a0 --- /dev/null +++ b/tests/bug-1045/test.yaml @@ -0,0 +1,30 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 3 + match: + event_type: alert + src_ip: "88.191.140.111" + src_port: 51906 + dest_ip: "188.125.69.79" + dest_port: 25 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + + -- 2.47.2
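Review bot: test.yaml does not say what bug 1045 is or why these four filters prove it is fixed, so a future failure leaves the maintainer with nothing beyond the file name to go on. The pcap name (`smtpsuricataflowbitsFN`) and the per-sid counts suggest the bug was a flowbits false negative where sid 2 and sid 3 did not fire even though sid 1 had set the bit; if that reading is right, a header comment such as `# Bug 1045: flowbits false negative on SMTP - sids 1, 2 and 3 are chained via flowbits and must each fire exactly once on the single flow in the pcap.` would record the intent. The checks rely on the 5-tuple filter to imply that all three alerts belong to one flow; if the harness allows matching on `flow_id`, adding it to the three per-sid filters would pin the chain to the same flow explicitly, but I have not confirmed that suricata-verify exposes it.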