From 60b08faaac918e026dde5587695f73d6a1755cc4 Mon Sep 17 00:00:00 2001
From: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
Date: Mon, 15 May 2023 12:03:08 +1200
Subject: [PATCH] smtp: Add test to match on attachment with md5

Based on the filemd5 test but using smtp attachment instead.
The SMTP transaction contains the EICAR file as an attachment and
the expected md5 to match used is the standard md5 for the EICAR.
---
 tests/smtp-attachment-md5/input.pcap | Bin 0 -> 3007 bytes
 tests/smtp-attachment-md5/target.md5 |   1 +
 tests/smtp-attachment-md5/test.rules |   1 +
 tests/smtp-attachment-md5/test.yaml  |   9 +++++++++
 4 files changed, 11 insertions(+)
 create mode 100644 tests/smtp-attachment-md5/input.pcap
 create mode 100644 tests/smtp-attachment-md5/target.md5
 create mode 100644 tests/smtp-attachment-md5/test.rules
 create mode 100644 tests/smtp-attachment-md5/test.yaml

diff --git a/tests/smtp-attachment-md5/input.pcap b/tests/smtp-attachment-md5/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..16375cfa351ae28d0e0dd31bffa14a3c953e5192
GIT binary patch
literal 3007
zc-pm=e{2(F7{}jsgW=2?K(Y;gBrgjlL%gml?FL;7E!TD}tgLHqbBsxHZEx#If8}}|
z8;J>jslmTYNCZvDAV!8Uf#44mbpo4-sKg&282zV2CLoGLB*A4FKJOj9t;gj|OzhTe
zdAIlTe81oKdEVWHiQ@;2s1nV+Dv<%ce)Z_aL|u~!ZGxZ4JHjk&9NdM_xwVgY79k%(
zPWp-)ZCH5zu~TFHhPM~@8}~P$<+f)}3=+nuar)Mmdk`{KE_k=nxTyN*qQ=u?-B3}n
zfRK;QBg;&gFOv~+Blp5uM5u(0mhW%){Os3ppeIL{&c5{H>vQBCx$B1sy+nSa*@QL%
zbEB4K8$BgyZcu4X0zI*Nan%o~7Bm_py=MrS5QnTLGz7FEEv?D;`$X&UCsbM!gu1)F
z>dqfmWa53DXRKBWPVt$-a4b8FDGK|j5X+|`T#6mRJyvrwOBSP?FvQ0>EO2aMq^6pv
zn6&Bo`bF}!Lc`ZS@OA0lWyRM-$rmAZ0j*1mNYhs(;u1|_ebuEG2g->7Uq`26OqTqR
zeNOTN!P(*`q~OA;;Pye0ogn$ny?2!0#z+xDY_#jOP5c9i*se*0qj3LSPPE!BxO20t
zwXxNNcwq8cVQizXkubiys|sT$&__ua6DP{T7z=rV9oQe~3^|;G>=2(Z=aWJq7UP5w
z_h1^1+Z@lP*UN=pY1Os#p=8OgvNQ_C4?y9+++Qe`j;Jkltuvt*Fk@Pl82Y+oX;x+F
z0MN&XrNi}#rAb1M&|wBMoepPnD|Bg#d7ag4b(hZjzL!_m>3TUSdGV>dj6v0LsCe6b
zsLadcd@nDznNR?j0WB{M`d6t}>r`IGfqsm5*?O_ui`T<=WbSR?3cwV!6er>zNs1p=
zDLw}5Nuv1RGDY!QguTXY!+DVvL`)7D^O;;hB;(9w5_l&sCb5%_bokes<!`cryDr_v
zyCI#@9hI|5P*DU07YBY;oP9=Acv+EiV86gWjjhetlM}GjVqJqRc1N?tv8DyDw!lj+
zJp7aHbbc&Z->kA;gyJ_~I{%zKr&vEviWB0SMHAX<MABPr#rOjK8?o}uS(TL=B`b9g
zD^_k2s$a;a9k`v04~~|`2kXuglXYON_N=Ln7GlqFanXU9B%jCd$zqYqi<l$3YpO$B
zKF<zvRM6|d&OTp|-4%$mL{dpx_f~swewT-WAs^Ml33)!7fm&wBlFnvCE+bORNDiV;
z7g8dhgBEB?^TS-C4ac&DOoA0gTn(!??cfTj-e@S%XUqD$T@7=4y?j2G&GVu}<ug!_
ztEna*6s6v!E+}%tVpA@~@|iXqPqIRu6I}&yfLi;nbnPhqkD9C~vhidZ*4yv^pW-rX
znsfPrv?oF_P@3|?8mZiC?_3dn((MUvv-OAjdhNEx@b*=$G`*_z`IYjYM;Xr+uP5TA
zJX@GxPcYIQr5In7q5Q!P--?xi)q$t9^ixz#wOQ_Z%VpiJ|3vEgO%HbcNf&f|aVD;G
z{RPsegjl?+d+Ci!M2{x1zN+XtQcj$I>6xc=FTLNTOK(~EJe_m_{Ti7k=8!T^w+Owf
zJIKh~rYYS=iJKC4xr$3m+$B{PXZp*zg!tZ+ZU&!98Msv$Tm!0?WZ-;F$>4iJwZhd^
z%HZ^r?s=Wk{EvT2A}@jS3Y3!x@yb;bY5`V@mitEX=(%BGojO%7sUC)><cfBLz6HuN
uHAaPEK-&?jE$Q-~k|_pb#WdMfgx~FjoegN(AUy%gYcqthXCCFhY550A`)(5e

literal 0
Hc-jL100001

diff --git a/tests/smtp-attachment-md5/target.md5 b/tests/smtp-attachment-md5/target.md5
new file mode 100644
index 000000000..b22bda53d
--- /dev/null
+++ b/tests/smtp-attachment-md5/target.md5
@@ -0,0 +1 @@
+44d88612fea8a8f36de82e1278abb02f
diff --git a/tests/smtp-attachment-md5/test.rules b/tests/smtp-attachment-md5/test.rules
new file mode 100644
index 000000000..8497e73a9
--- /dev/null
+++ b/tests/smtp-attachment-md5/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (msg:"test"; filemd5: target.md5; classtype: bad-unknown; sid:1530024;)
diff --git a/tests/smtp-attachment-md5/test.yaml b/tests/smtp-attachment-md5/test.yaml
new file mode 100644
index 000000000..3c17b1b58
--- /dev/null
+++ b/tests/smtp-attachment-md5/test.yaml
@@ -0,0 +1,9 @@
+requires:
+  features:
+    - HAVE_NSS
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
-- 
2.47.2