From 4c92068230323fa9d5743c8eec844f1ff6f19984 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 18 Apr 2019 15:43:17 +0200
Subject: [PATCH] Adds smtp rset test

Resetting BDAT chunks length
---
 tests/smtp-rset/README.md  | 9 +++++++++
 tests/smtp-rset/client.py  | 22 ++++++++++++++++++++++
 tests/smtp-rset/input.pcap | Bin 0 -> 3652 bytes
 tests/smtp-rset/test.rules | 1 +
 tests/smtp-rset/test.yaml  | 14 ++++++++++++++
 5 files changed, 46 insertions(+)
 create mode 100644 tests/smtp-rset/README.md
 create mode 100644 tests/smtp-rset/client.py
 create mode 100644 tests/smtp-rset/input.pcap
 create mode 100644 tests/smtp-rset/test.rules
 create mode 100644 tests/smtp-rset/test.yaml

diff --git a/tests/smtp-rset/README.md b/tests/smtp-rset/README.md
new file mode 100644
index 000000000..9ba2f0ccd
--- /dev/null
+++ b/tests/smtp-rset/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test smtp RSET support.
+
+# PCAP
+
+The pcap comes from running postfix 3.4.5 as a server and the present dummy python script client.py
+The client sends 2 mails (with BDAT) in one connection with RSET in between
+The point is to test that Suricata resets its smtp state
diff --git a/tests/smtp-rset/client.py b/tests/smtp-rset/client.py
new file mode 100644
index 000000000..3d51434b9
--- /dev/null
+++ b/tests/smtp-rset/client.py
@@ -0,0 +1,22 @@
+import socket
+
+def sendandrecv(sock, a):
+ sock.send(a)
+ sock.recv(2000)
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect(("127.0.0.1", 25))
+data = sock.recv(2000)
+
+sendandrecv(sock,"EHLO ehlo.fr\r\n")
+sendandrecv(sock,"MAIL FROM:\r\nRCPT TO:\r\n")
+msg = "Message 1\r\n"
+sock.send("BDAT %d LAST\r\n" % len(msg))
+sendandrecv(sock,msg)
+sendandrecv(sock,"RSET\r\n")
+sendandrecv(sock,"MAIL FROM:\r\nRCPT TO:\r\n")
+msg = "Message Two\r\n"
+sock.send("BDAT %d LAST\r\n" % len(msg))
+sendandrecv(sock,msg)
+sendandrecv(sock,"QUIT\r\n")
+sock.close()
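Review bot: `sock.send` inside `sendandrecv` and on the two `BDAT` lines can transmit fewer bytes than requested without raising, so the chunk length announced in `BDAT %d LAST` can disagree with what actually reaches the server; `sock.sendall(a)` is the safe form. The single `sock.recv(2000)` also discards the server reply, so a 4xx/5xx status (for instance a rejected RSET) would go unnoticed and the captured pcap could silently differ from the scenario the README describes — at minimum the helper should assert the reply begins with `2` or `3`. Passing `str` to `send` only works on Python 2; a header comment such as `# Python 2 helper used to regenerate input.pcap against a local postfix on 127.0.0.1:25; not executed by the test itself` would make that explicit. `data` on the greeting line is assigned but never read. As rendered here the `MAIL FROM:` / `RCPT TO:` lines carry no addresses — if the angle-bracketed addresses were lost in rendering, ignore this; otherwise the server would reject those commands.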
diff --git a/tests/smtp-rset/input.pcap b/tests/smtp-rset/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5f44e5096ce977f565351910ab4b7c88a8ce43d0
GIT binary patch
literal 3652
zc-pPiPi)gx90%~%LZ@O8(XL{0IUwK04vp;4rXfP1PVBVanm>!(6(*!Aq>mA3V`wN) z5Ne0u2-=R5CZS1FrCkP^I80M7s1hI;3^Sf9 zzVG*(U!JZ1^j$aEO57JaA6WVMFrmFfgL6E(;m`>g!}r*Gge()%g~$3eGPwHk%YSjq z&F)(5%`kj->w!PJwruI?>gp9fNbKHOSG$>+;4sPH`nBm7*?r({+8(Zq}YJmMfBOW~{uFx2va*md}L*obn({*+B^?ME|`hI!vd&p{Ld~Xh&9qc& z%1q@n-DEdnNyEw*8J%5eCi}jWnwZLdQlA7@HW1_8ze_!^I(+n=_*G~KoFy2)VBZ8wfob%3>OOdb=mZjVYR(!k~sbAq7 zXKLKVPfx$d4M5h%O<8e{^XRPAcz-;OBZ3q4I!R5nBt?-XRnubW{;u&>GB*IS)l$hu zy4T>OV0_AT4g{pL8tL|WoeZs3i(gPlVbOYs&`GqJplEB`1p*IY{cs%G*1=6a)Nn4M z!?snfZ*m+fcx34`txBgB=^~w#idAV}T32EbSy5Frs>o~s|7;g{cYX#Y*I)s^H7x)q zzKG6;A%P@de8P3&Z5We$OTCE$S>Uw;BdAo=7`{wz0NynRcrj^E!D)FkSgYFG)T&PQaaXbe@~xmsu7IPn@tcksknUC^ z-AK!$;j}92tj)q*?JV5wpm1f8yIC;@x7lr0%dNkvIM%SWS*fzFtDDWr>9*g9+yau@$DTCmIqe$MxuIX8lwzdCjL{hj_@-1WHu J);+)N`yczVE64x<
literal 0
Hc-jL100001
diff --git a/tests/smtp-rset/test.rules b/tests/smtp-rset/test.rules
new file mode 100644
index 000000000..72df1994c
--- /dev/null
+++ b/tests/smtp-rset/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"SURICATA SMTP BDAT Chunk len exceeded"; flow:established,to_server; app-layer-event:smtp.bdat_chunk_len_exceeded; classtype:protocol-command-decode; sid:1; rev:1;)
diff --git a/tests/smtp-rset/test.yaml b/tests/smtp-rset/test.yaml
new file mode 100644
index 000000000..19381fc43
--- /dev/null
+++ b/tests/smtp-rset/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
--
2.47.2
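Review bot: The only check under `checks:` is negative (`count: 0` on `alert.signature_id: 1`), so the test also passes if Suricata fails to parse the SMTP session at all or never reads the pcap, which is not the property the README describes (state being reset between two BDAT messages). Adding a positive filter — for example a `count` on `event_type: smtp` for the two transactions, or on the `flow` event for the single connection — would pin that the traffic was actually parsed; whether the `smtp` eve output is enabled under this test's default configuration should be confirmed before relying on it. A one-line comment above `checks:` stating what the zero count guards against, e.g. `# no bdat_chunk_len_exceeded event must fire: RSET must reset the BDAT chunk length`, would also help future readers.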