From eaf151ca3aadc1cdadf13757804f43f65187bbcc Mon Sep 17 00:00:00 2001
From: Mahmoud Maatuq
Date: Thu, 13 Jun 2024 22:37:09 +0400
Subject: [PATCH] imap: add test for protocol detection ticket #2886
Signed-off-by: mmmaatuq
---
tests/imap-detection/README.md | 10 ++++++++++
tests/imap-detection/input.pcap | Bin 0 -> 29003 bytes
tests/imap-detection/test.yaml | 25 +++++++++++++++++++++++++
3 files changed, 35 insertions(+)
create mode 100644 tests/imap-detection/README.md
create mode 100644 tests/imap-detection/input.pcap
create mode 100644 tests/imap-detection/test.yaml
diff --git a/tests/imap-detection/README.md b/tests/imap-detection/README.md
new file mode 100644
index 000000000..294fe6089
--- /dev/null
+++ b/tests/imap-detection/README.md
@@ -0,0 +1,10 @@
+# Simple test for imap protocol detection.
+
+## PCAP
+
+URL: "Pcap imap.cap provided with redmine issue https://redmine.openinfosecfoundation.org/issues/2886"
+
+## Related issues
+
+Ticket #2886
+
diff --git a/tests/imap-detection/input.pcap b/tests/imap-detection/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..517936db75a11c72120d26685fb9b70df7a1bc85 GIT binary patch literal 29003 zc-rk<50qO~nSY(OFr7MBcSVZ`-i}JAwRwGil1vh&Wim;olj$UrCh0%gQr_gPt zH@^2WGbxro3MzJ?t}Ju`Ie>!esw;x5R6HyKm6fxC2e79{U0u-?aZsV`3hU8>``!EU zW|B8AuQP3}pp!Ny$xHJ4zTfwK_q*TylRMvg?7lmjm_>|r`{N%OW&u17T=;>&U~e0-LhSon>P97Jb-qQ&ZZ=87|}mk26B zXAUgeu==RJ2GGSz|E4Xl^HCGo)N<*@X2uUNekU#4C!>pZCzQ}+4@G&<5oP(liD!SnFcJqh6bYxo-SPf-cDt$FcQ0;c z4gusLC!>9#jT&wL&um7!9I#_xv-Xa)WC;Q~rYt*?dtO`O=ILI_S>@hL)S_lQYJM44EBECQtBNr;*% zt#h_4WzL0kNA7l73tHPLt!u8d(MkdSCxO-ve{g`%;zbnO28w4|Tj+~)ED}p*$%~%; z@P-U9&R|?ZJHsV?9BWucJ9`S!@GyB2#gr&K(WD_`75NTWVMi*KPK1*HGFO0I7Q*Iu zbW6BD9wospaKVmUsP@X3R48NCw7W<@pN@s2o~>zUYP&2u+1(JmbSd*au+sOO-0=8h zA9cfOn;Sm4`e@ll-0=LM=>{+AiDe_bh!26K+D(4(B((5kxIY@s#!$K^5)cG76Tdiy zx(A}$*;FjHaYrxc7fZ7}@mPNp3_?HIlO9N*%;xSsqHT5nMIs2Ae7E=QB5KJ1xt?rg z6ii^?31jVOK~hQ=wze#R`asjMv93+gRZk$`3wn4+ORX(54+tmWdan=?cqiA3ypMmQ zxSlA<{YAMxdWu{xg6l~J`PRXu%p}xEG>G-Cvwr#2+g7D~O3XW?YA+sAdsyt8yNnsRYGGcfJqG#)KfJTzoy$Fv#~ zzLSUvpFhMo#{?hjIDIj}&nhN--Vn#zVj^4CN~F#9DMc`nL0>ft1^~l_0@TUSq;s^- z8P(K5=!0}*y)EW&R}(FieBU z@&_X^kvnCPbsT$DL&|@mA;ohcC=|GWV@N?JJY6B>6@!g?BBEqRNC=`xCOZ{KeNyg& zWn8F~P;a?pfNk>d5b*BFcjZ-sSe}L9Rc%D|jLRX^r;cEqyhER%1o@m9KDtsE!_S5@pw1an}15sQQx=fM|~c4_0g+VrIw8!e(N91vCx`Z-71-H(s+Ks zR>@qo%8KXfT4C&H@hz2&A|B?2dNWM3s_S3ZpgmF%>m!n)Ltxg~O*bIKxHbo`A3EIn%(_7-3}VedX{o4acrWUNGOO4%pEy@JkuHWFdRXNa5N3NcgjUc))cu*$3>MbVPkzw`s&uoIgAm44ov(Ks=11PCQYP#wvAP z0w6+htw8#)K13h-qIzA}I47il52`d)@bRL+58MPqwnWb1R7|N)m z8EcEm1ePy^>VTL-tE_9|JiO@Ryg`l=Iy^zIAbS0R=wBBSI4>WV9ufvmqNV$wr8}4Z zfdCA@PE%7S9k#u#lSsVl({44$qcjqqx78rmuCOBUiElDYeZ~+%g74I1jGplj3ZoJp zhe*tqkQn0qX42?~3Pm!TQ^qI{!q{R+!37z07WASngG5|SHCs~Z$1D&4QRn{eY9^9xDq0K{M*9w(J+3Wa8YZ@<-*WkMq6j4XvvmhTs zMJRRUDj;E4vIwOWNGVn4?a}jsm-l(0M0PNyrqX&wR>#3co#rc96rGu;!^vozG%RR5 z8Tj-NHVmxk$Ir@9=&3ho%Fqx|NFO#xQ!aEt{h$_SSgbFeKp+Ps3?xZ9lu9Go*epbV 
z0mGUMjl5GL53-UZ`aSsAX_HJE)5LE}6k6_g<|MwUo4 z=1XP0q}!y=>{CunZ;(}s3WP!~uL1i`LoGrO7Iji-9w#>of{ztCIynD~+$^44ZVqsy zoD&0LH8+c1ALQl^Kj)jy&5%P+G&zeQP7Ddo18FbsJzcq32+m?|hA1n9yeBm`Gn`j- z1Nm5*`Jer?>lijk$FPTIj$yAql3G^S*?Pzv!+s7>UIu`doz@0_`j|Nz|AqSgxvYx*l3MW*+p6e+1C|wEzk{xd@+Z*_yuOgvaRki^KH>DO zjd3o+kvb($a%n?@F@}NR!K0LPLxS9?4x#)g8dtRu-CQdBlP`?%!Beze!JqJ=DDQ)! zs)6H0Q9OO?;X!T|2@sU^!jRM!05N$O{9~vkQg{swY0%Gw3sMPuv4O3y7#u&CH zr_s1#}nx&Mv%pXpXkAG1Qx+ zh@^v=Jh{*?thZn&p`km~Astpu(YjltBO37gPTA_naT!s+o4cY0HdcLKyX}eu>hI23 z=oapqXt+NzGu&_d4GH((e%K86?E4ln-2l+-gyNk{Q zYyZlHOp0uEaw>6T7C4U zX3Bdf!)yVR|2@LE@y=3|`y5e#_eah*we(kc6U6hs&$#eD^B%(cpW^krZ)yhA9^n1{ zZD(7EPP_^JPtRN6#(Oi>_#vCdJs_iv@`kT%2b2R(FJck^kZ?k|XmSfhx!Vy1c(40~ zsin120sXF-QCeFF_?FifF>%0+JDK3ZUTT7&l+6TfAYd1m;H;QLYq+Vd+(bqM_?qU$ zE>kpd3cULs8?cW8FI#ce;`*Y#rdcm5aH|k#m3+;c7eCjGT$3w|KIV)Y^EewhRKxVF^ZY5H7h@W>Dy( zs#+kb@qT|0dh#JvtCmJHu}!UO0cR56ga!oW8q2lDtra*X5-$rb^V34 zG8+~9Q?e8BM9fo786gNTxU|hfL}4v78`*QOSWZR7KF1MFU6D*O|8HG0e;>{Km)J7@ zt-rJ~{{u;eneEsJlYtJ@it!9eW>HF0$x3vQZ0g#espV1BSvQ_p|0WxKwYJ1jUK+zl zDdh@f8O!EEq*8)MOhS2-%!`exnzcukT&~Ux5Kt2EG9Hr31*5fvHr|ptPS%Ub=T>G2 zGQ7YOim?&_?zmDYph1jeMVEk{Y|>N9+7u>H$^5q-ArH9?XbP~D3do8(awBh>hPG}F z(;ehP;6H=TnP|E!Rp=5nE)HT1!mYZFO{Wf13G!iLATrrpP{3$Q3(_OsAw1(bk$8&r&awWt2qSSh*UPzqGTvJFlc4U zmnF$CNHEI;t!i#FcF5)l9k4L{V1FhBgCt3#Um1r-OM@&FEhGAh>MPsL-BtBB%W)2d zuD_YiL$2;4+o=Q;PR#ta>CJ|bVG~v7z`41QpgA=~y9@0SHR3TApuepvU_b-=A4TMgCWuD=s>$8`$*<* zTe8?~ytCEmH>RFltB>A!8`)s?(l&Fv^9SfZo?F1s`;6alJ-d`pBt=1k>#q1RALI!PTG9pAec%@&Kti$j9s)+N~Du(4oMwW_8hUu&4Ae(3BZ z$Ph)PAZhSul&e3Pps8=PtmX2aA-!7el<+uBI_BgtbeTmdmsd(yXH6n?ic;-pr-Lch z2g}e5ER7M0LS0l*%VrNHArkd@vTR3cWg{;c7rC;T%2&kUdpcdiW}DM5T1nV^wwDZ( zfAKprZ0=aMn8^Y_)@dZ$(@(=@FjgNnpY656=At6QR3~scoF{OIj2l1Us_AyB>DL`J z9ip24kYRQK%9V-5ZW9?7Q@tz@6UzOmUK{rzKvjTy zQ||*7qSHhM!M`!>s__o0@fU3xDZt>O4=B&F3Vsv+t z3-9r-5Z)bj-nRhiRls{P^)Q5ogmp3vNVk6%2sO#AodmJe`69Z^Wd(PL`aQNtT^OI>(hL3yvW^G*Tk5#W7O?{_T3M!c`s z=ek3sL^Zz4rtuMwv4`^B%`h^cJRNskDpM)SK}Qr)w;)qXtI{Hf4<+1|%I=`N&$9F0 
z1E|jd?@w&F&q8$KP4L6lyDpWDQjI@j)A%`%aW&-~WSC(<+4j;BMg{=c31!QqMo~0J z6ySaEQB%tx%47%9G2}%bpo`dSCf*-QW~bJ&s|Qv<*-T{a`B{t0aVUR#AF<4>w)*?7 ztB-AB-wKx5x!YsO1k0FWYfVE09RBYX2I>HMpF!&4Nu81^){|o23PNtDjraFdfWS?W z^4LgC9mHXs%~2)B{>qKm+bOYI?8I&d*C>2;eI zhE^ZF`v~#E{V$qc5T{Rh5#Cs*ybzA<54F1NLG;jQ*eBOV!`(-YZCbl1wfsH9#qNeD zv&^5!@>h2v%lt_!f9WT&*j-LCNZ%u^F3XiH%^-WfRG&fq`DrVIJPQ?FY5oM3`4d4Nm^XFfj?D-cY5?^}Utp*WjB#zl?kgq>tMPm6* zhM7M_WBwG4*`A^ioO5RXt35p9&3j-)qr+0>4~KZe91cM;|9SuJI)=xTkiNDvjTkNn1u;&5sWZ!ibB>5v} z1htMi5%8(U7r8OtM|Hl@rt^6qBuSZzCi6otx}sc8QU1XZm?+=>)gqU_vGhqw z_WVn2WRrk&ernl!lJDJR{f#ApHTkj|*56aC^PI8X23R|5vCcT=%I*rv?gksX^8s&w J+K6YE{|7!@iN62< literal 0 Hc-jL100001
diff --git a/tests/imap-detection/test.yaml b/tests/imap-detection/test.yaml
new file mode 100644
index 000000000..c20df3c98
--- /dev/null
+++ b/tests/imap-detection/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ app_proto: imap
+ dest_ip: 131.151.37.122
+ dest_port: 143
+ event_type: flow
+ flow.age: 26
+ flow.alerted: false
+ flow.bytes_toclient: 23493
+ flow.bytes_toserver: 3790
+ flow.pkts_toclient: 50
+ flow.pkts_toserver: 56
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 131.151.32.21
+ src_port: 4167
-- 2.47.2
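Review bot: The `match` block in tests/imap-detection/test.yaml pins flow accounting values (`flow.age: 26`, `flow.bytes_toclient: 23493`, `flow.pkts_toserver: 56`, `flow.reason: shutdown`) that are unrelated to protocol detection, so a change in flow handling would fail this test without saying anything about IMAP. I would keep only the identifying fields and the verdict, i.e. `event_type: flow`, `proto: TCP`, `dest_port: 143` and `app_proto: imap`, and drop the counters. A one-line comment above `- -k none` stating why checksum validation is switched off for this capture would help the next maintainer; the reason is not visible in the patch. Because IMAP on port 143 is cleartext, it is also worth confirming that input.pcap carries no usable credentials or mailbox content before it is kept in the test repository, even though the README says it came from a public ticket.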