From 7a82af2f31b66b2446ec2dfc001a4dcefc674839 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Tue, 9 Aug 2022 10:44:35 +0530
Subject: [PATCH] add test for broken smtp url logging

---
 tests/smtp-url-schemes-bug-5174/README.md | 17 +++++++++++++++
 tests/smtp-url-schemes-bug-5174/input.pcap | Bin 0 -> 3468 bytes
 tests/smtp-url-schemes-bug-5174/suricata.yaml | 20 ++++++++++++++++++
 tests/smtp-url-schemes-bug-5174/test.yaml | 7 ++++++
 4 files changed, 44 insertions(+)
 create mode 100644 tests/smtp-url-schemes-bug-5174/README.md
 create mode 100644 tests/smtp-url-schemes-bug-5174/input.pcap
 create mode 100644 tests/smtp-url-schemes-bug-5174/suricata.yaml
 create mode 100644 tests/smtp-url-schemes-bug-5174/test.yaml

diff --git a/tests/smtp-url-schemes-bug-5174/README.md b/tests/smtp-url-schemes-bug-5174/README.md
new file mode 100644
index 000000000..121d7e26e
--- /dev/null
+++ b/tests/smtp-url-schemes-bug-5174/README.md
@@ -0,0 +1,17 @@
+Description
+-----------
+Since the feature for extracting MIME urls (ref: [Feature #2054](https://redmine.openinfosecfoundation.org/issues/2054))
+was introduced, the logging of urls in case the `suricata.yaml` configuration was not updated
+has been broken (ref: [Bug #5174](https://redmine.openinfosecfoundation.org/issues/5174)).
+The issue happens when both the `extract-urls-schemes` and `log-url-scheme` settings are
+missing from `suricata.yaml`.
+The behavior in such a case should be fallback to the defaults i.e. only extract the urls
+that begin with the `http` scheme.
+
+PCAP
+----
+PCAP comes from the existing test [smtp-extract-url-schemes](https://github.com/OISF/suricata-verify/blob/master/tests/smtp-extract-url-schemes).
+Reported and fixed by
+---------------------
+Eric Leblond
diff --git a/tests/smtp-url-schemes-bug-5174/input.pcap b/tests/smtp-url-schemes-bug-5174/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bc1daa8915fef05a92a46edfc72777cb916b3f66 GIT binary patch literal 3468 zc-p0x&u`mg7{}jE2tlSv&>^t_LXRfaA+b2N)1+hG-oS3+v0b<$}i63YFfStzUA8WSMT#{FI^4jm?&-?ZF zecsphgS+3|JVc%$kISP+gv{XoPrv{D-se9aCULAgJK-0rnIvf!7y0yaL?q-*Cv5fE zzdlhjmAW-B4)wA}P5&yQ)j;%YetB>ob1&9k6rGMCPt%QKf!b|yEh zGYz8$d97g@meI07l=Dgn@`98DnVJKwK~KX5H7(816A))uCc3bMKTEMCFsa%cf@%ZE zef>1B9Gp{i;8~6ZE}CGu#C#Oq;#ihF5}L+@lQWJ9uihP5DIq`#qAdFqBanh7eD(t& zVm4QVPG!q#tPNN}sTDkVlZ^Dq8H6`odACPn)OG+tl)6tT2U1Yp;mdeWF*dwa(K;+s z6LTeLp>j?ha_%5yX}4>@d5&dxKFV-QQ6?I@Fom~G?3#DQe>4*RHpV*pxcC{)qx?A> z6VE>ufB9oie63a!j)a_=EWImwHBqS)yjn>ri8-kt6*As&O7xr4 zQ=;rOEN*IcPwP?dXiX{zm3m&v`{bHe*7lE*Pn{nxsROM(N2n@U$jGu#lAxgE@{lWL zq{3Kq`oPthC(mTv1E@*U4a(fIGbpbNMhSlb0T+TOMW1p$kb;Bq{#8QU$(*hf^9fkV zG$YI>~i*@<}kaj2&KcB^M{31U>~Nvx{yX0ncy@3;!pW!6H+= zNlhrOPvQ49?7HiUe|_Y)f&e9mlJ+UhKnjZgZI_TrvZR1gM7J;P#I5qGP?^tJ8?|X| z?qWZ;T%}}Wvy62)h$8wF8c0EULNe zZqo$VbjOZtcU4VahDJvLWcG)H&xwgQ8O&+4Wp^) z?F1~~N*zj@MlS(d>qYUMQhi4rG*;D%`9ZgAamD$n;G|YaF%ocTp|`!d-jAniEj`yW z-1BmO^CE572x5CQxgIa^Ls%cAA<8z^hSnlq&p=T!w|eS&D5P{W3vjbL6gCZf4>4M9 zy+8q$%SK)Q5IiE z!1W-?r#|IWAO&;bdhPK7fUkA1vLW(9RZ0osafYXUw$z8^5IkPHn(R9DOV+Ba^p|UA}{7D p`gQWJ0-y3CQhu5It6(>Vq@%8u=_!tudy`Q7J35M_xT^&z{{i+~x9$J{ literal 0 Hc-jL100001 diff --git a/tests/smtp-url-schemes-bug-5174/suricata.yaml b/tests/smtp-url-schemes-bug-5174/suricata.yaml new file mode 100644 index 000000000..c8b6678a5 --- /dev/null +++ b/tests/smtp-url-schemes-bug-5174/suricata.yaml @@ -0,0 +1,20 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + types: + - smtp + +app-layer: + protocols: + smtp: + enabled: yes + mime: + decode-mime: yes + decode-base64: yes + extract-urls: yes +# extract-urls-schemes: [http, https, ftp, mailto] +# log-url-scheme: yes 
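Review bot: The two commented-out keys at the end of the suricata.yaml hunk (`# extract-urls-schemes: [http, https, ftp, mailto]` and `# log-url-scheme: yes`) are the entire point of this fixture, but nothing in the file says so; a later "tidy-up" that uncomments them, or copies a fuller mime block from the sibling test, would silently turn this into a duplicate of smtp-extract-url-schemes and stop exercising bug 5174. Add a comment directly above them, e.g. `# Deliberately NOT set: bug #5174 only triggers when both extract-urls-schemes and log-url-scheme are absent, so the built-in defaults must apply (see README.md).` The regression being guarded against is a silent loss of URL extraction from SMTP traffic, i.e. a detection-visibility gap with no error logged, which is exactly the kind of fixture that deserves an explicit "do not touch" note.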
diff --git a/tests/smtp-url-schemes-bug-5174/test.yaml b/tests/smtp-url-schemes-bug-5174/test.yaml
new file mode 100644
index 000000000..b9e4b314e
--- /dev/null
+++ b/tests/smtp-url-schemes-bug-5174/test.yaml
@@ -0,0 +1,7 @@
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.url[0]: "test-site.org/blah/123/"
+ email.url[1]: "google.com"
--
2.47.2
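Review bot: The filter only pins `email.url[0]` and `email.url[1]` and never asserts that the array stops there, so the check would still pass if the fallback wrongly extracted every scheme (https/ftp/mailto) as long as the two http entries came first; given the README says the pcap is shared with smtp-extract-url-schemes, which presumably carries such URLs, this is the one failure mode the test most needs to catch. Add a negative key check alongside the match, e.g. `not-has-key: email.url[2]` under the same `filter:`, if the harness version in use supports it (otherwise a second check with `count: 0` on a non-http URL value). It is also worth a one-line comment that the expected values carry no scheme prefix, which means the test implicitly pins the `log-url-scheme` default to off, e.g. `# URLs are expected without "http://" because log-url-scheme is left unset (defaults to no)`.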