From b7e9ebfad43073e2f18f58ced682521a2c75c730 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 24 Jan 2025 13:37:59 +0100
Subject: [PATCH] detect/smtp: smtp.mail_from keyword

Ticket: 7517
---
 tests/smtp-keywords/README.md | 1 +
 tests/smtp-keywords/test.rules | 3 +++
 tests/smtp-keywords/test.yaml | 13 ++++++++++++-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/tests/smtp-keywords/README.md b/tests/smtp-keywords/README.md
index c04054857..048579afc 100644
--- a/tests/smtp-keywords/README.md
+++ b/tests/smtp-keywords/README.md
@@ -5,6 +5,7 @@ Test smtp keywords
 # Ticket
 
 https://redmine.openinfosecfoundation.org/attachments/7515
+https://redmine.openinfosecfoundation.org/attachments/7517
 
 # PCAP
 
diff --git a/tests/smtp-keywords/test.rules b/tests/smtp-keywords/test.rules
index e8f34c72f..c2614aff5 100644
--- a/tests/smtp-keywords/test.rules
+++ b/tests/smtp-keywords/test.rules
@@ -1,4 +1,7 @@
 alert smtp any any -> any any (msg:"SMTP helo GP"; smtp.helo; content:"GP"; sid:1; rev:1;)
+alert smtp any any -> any any (msg:"SMTP mail_from"; smtp.mail_from; content:""; sid:2; rev:1;)
+
 # signatures not matching
 alert smtp any any -> any any (msg:"SMTP helo not triggering"; smtp.helo; content:"not there"; sid:10; rev:1;)
+alert smtp any any -> any any (msg:"SMTP not mail_from"; smtp.mail_from; content:"spammer"; sid:12; rev:1;)
diff --git a/tests/smtp-keywords/test.yaml b/tests/smtp-keywords/test.yaml
index 6b8f28471..d0c25aa97 100644
--- a/tests/smtp-keywords/test.yaml
+++ b/tests/smtp-keywords/test.yaml
@@ -15,4 +15,15 @@ checks:
 count: 0
 match:
 event_type: alert
-alert.signature_id: 10
\ No newline at end of file
+alert.signature_id: 10
+- filter:
+count: 1
+match:
+event_type: alert
+smtp.mail_from: ""
+alert.signature_id: 2
+- filter:
+count: 0
+match:
+event_type: alert
+alert.signature_id: 12
\ No newline at end of file
-- 
2.47.2
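Review bot: The positive signature sid 2 uses `content:""`, which (assuming Suricata accepts an empty content at all) cannot tell a correctly extracted empty reverse path apart from the keyword returning any other buffer, since a zero-length pattern is found in every buffer; the test.yaml hunk suggests the pcap's sender is the empty `MAIL FROM:<>`, so the value worth pinning is the buffer length, e.g. `alert smtp any any -> any any (msg:"SMTP mail_from"; smtp.mail_from; bsize:0; sid:2; rev:1;)`. The negative control sid 12 is reasonable, but a one-line comment would help the next reader, e.g. `# mail_from in the pcap is presumably the null sender <>, so a non-empty pattern must never match`. The sid numbering also drifts from the existing scheme (helo is 1/10, mail_from is 2/12), which is worth aligning as 2/11 or documenting.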
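Review bot: The hunk rewrites the old last line only to re-create the missing trailing newline on the new last line (`\ No newline at end of file` after `alert.signature_id: 12`); end the file with a newline so the next addition does not produce the same spurious diff. The sid 2 check matches `smtp.mail_from: ""` on the alert event, which presumably relies on app-layer metadata being included in EVE alerts for this test's configuration; a short comment such as `# empty string is the null reverse path MAIL FROM:<>, not a missing field` would make the intent of the empty-string assertion explicit. The `- filter:` entry for sid 10 to which the first context lines belong starts above the hunk.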