From d1ca06df4eb05d7f86058d97d616537d3f9f2949 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Fri, 21 Apr 2023 16:51:53 +0530
Subject: [PATCH] smtp: add test for long DATA line
---
 tests/smtp-long-DATA-line/README.md | 12 +++
 tests/smtp-long-DATA-line/input.pcap | Bin 0 -> 54233 bytes
 tests/smtp-long-DATA-line/suricata.yaml | 23 ++++++
 tests/smtp-long-DATA-line/test.yaml | 102 ++++++++++++++++++++++++
 4 files changed, 137 insertions(+)
 create mode 100644 tests/smtp-long-DATA-line/README.md
 create mode 100644 tests/smtp-long-DATA-line/input.pcap
 create mode 100644 tests/smtp-long-DATA-line/suricata.yaml
 create mode 100644 tests/smtp-long-DATA-line/test.yaml
diff --git a/tests/smtp-long-DATA-line/README.md b/tests/smtp-long-DATA-line/README.md
new file mode 100644
index 000000000..4d4bd09e6
--- /dev/null
+++ b/tests/smtp-long-DATA-line/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows how we handle long DATA lines for SMTP.
+
+## PCAP
+
+PCAP comes from ttps://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
+and has been modified to have a really long DATA line (6512 Bytes).
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5981
diff --git a/tests/smtp-long-DATA-line/input.pcap b/tests/smtp-long-DATA-line/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..56077e1a67dd1d8fd5a77fe4dfeab61bc7169308 GIT binary patch literal 54233 zc-rlKYpm~|&4(mPq(oBGvvC|!BB{41 zQ4%H9uJfZ!n)F8}LD1SwYNvpIG(j5}u7k8ei%#ACsaqF~VYmo7Xww!&TEjr6h*Jac z9pCOvis$O+oTGE@IBqZnH_nnoid_3!Yp=cbCbvGGul~!=|GhhryOBrbZsZC0x*5?u zwDl8viTo)3G)wMSkWjPd@+3-+$un@4e&g^gF(Dr+oiE zY@b92+jky5{1K?;&fTZJ@Wc~$?;veR>xcK^>j`v1Z7)3dCoe^EZ~4p*BTY!-o$@=r z^VQdK{}yVz`_u1w_%MFo*XAR;19hbLatYaU@^5>{-hYJbF4XsB>FI|LGvD&HAgDjN zmrIB$559;Hefk?mh`x+8NzXid`0F2wM3PA&?o5_8K_u=?w88k^X0t&8U%RtOoU4hd z6pNy|kcYXwTtb|Ye-|OX^G8=8{zF*T@BRCK2+u4E)wpCVx`VYg_LV*bb^Y>QE*bE% z5B`;Bz~_$)_(Q1p-N=9sW}yKo;_P|@Vo~%xsH?@eP%ZG4xFi7h+G>kTwOZym|9gp- zIDxP5m4de&&(gdq@*?MBd<(=z@8y!=l>A>k!~fvO@OOXpwfi!}_?KTTMIw*t_ceYW zR8-u{C9Cg0_+8KH|9#Qw`!dw}0c7=;|8XQjl2p9Ws*JmnR9|n_)4txfLVYjoVkIv0BoNmnTpRwFT|}`Tw#PdGb7*yQc%OwZ!$}7kLPki&p0U21y%dmnEzw0kWA|l|0cwVWB_v0V- zqJ8sH5cKy}qo44r`Tm3ScgYUo!5@2eeC5cFmtj>cWJl{MuXjN^d~H7fwbb`=33NgE zng{y#k3hGe#!o_R6#om6h{8x}T&_Uyd2DQELi~kdbC{Tf~>s<#ydkI7!-Z*-B_L?KF*HK&PL!-OAA6E@$Ihb1U<^DYpPsYjk zbK+{e9N1$ct}T~Zw?8qaO9yrrR$ChP<27yhLOemmORI4_Nf4QMg1Ap6?vt4~M!@Y@ z6s7C4hOux4v+4bK;vU?^%%)4Ip0?P&`0N=h zFMhOQY?cx{;-dsXAb~FlCc~tO;@McVbtb}L##r2si-YcB=FH4xylR?* zt`V=Umg5=f_Vj8n?!^-j#=TT30kNq41#I*)e%doO_v4^za-)U?hBZFXUV)|BoGjbD zet9=qni==S7rjab6Qe3{_v6xH)?0OrUYy<@)VTjT-bmjghr^Y%WWZ9LWNTA+lVaVkjz0CmG~Wgn8h^;h*OF z?hH9EJ~13evyAv)8b>aVo3q74Ti!#*pPk*>jmM3%gs0&4SQ|`HyL9{7!ZDUFKD%v1iU;>4oeg&`7fhBkU^ev8YkX zV*H@a16h+9065?m+WROQGHn4K?MMN6{}nrf-|-gcf&$v)#W!;&| zmfFnQI+LpEq%sC92entBCN>LP0N|;xH~?6v7Fb*`*{e1{5x$~|7y_nA2&3L@e%KgLOroM`iGGq>RBH)*?VTadsvZW~0zs*}>Vg@`lg((*7BNYK(F}%b zRV;fB0kph7g92qhc~*H=vcMI6*@0%SuNNDu9!ICz&Hh^7riM@wnw#&$qTU{NuR(r% z4d>?ro`wOT_@1@Vp0bG4RM57Xw+p?lf)N>>1z-lclZxBfaodW?Zvo2uKZveW-s{V8 z=6|nV`=poo|N6zu|A|D9`PV-ciAc__Vijj#F0(1nRWouKnDX3fOE712P|AXuoPcdb z>-idM&@-kDXo3e;rA8%0hT3s!x&(UAVyg^V#Wp`Gnl;T`fetH+?ScsEz+q!i&Rr#$ 
zB)#gmMY*E(x=bNA(E3HISEOex*dIWTuG1-+U?_UZvrdzjSy_YO1%@zm3;F3NYr-<#}V=lP)fZG-(@(o zR5^YN_qah*(0x|ajEx5O6gj%PZ`&Y!i-6l_2iP(^=Ogf%qQN!PShT^7s|t~?H@G}o z;}Uswtf+FmN7w2UDCqwe_pW8&yBv5^lGMG7Y!)JUmtbGA~)M zO5K8CLt_F11_|A+K&=(G-K;D+EqU21q{f{=V%2UY#sVAxx|8uL7VT_PZo8!nVVow$ z0FFN%~J|ks!Vk|meFGn(F(Dp(o^LlAPIT8mpc3PLH$+)fN z&6U;TRy$_WCCanmDql<`teR5E6b2+K@P(|pp4;V;f@v$h7>h1)O1U6fYHG^q;x1Q8 zmy}XRwFSM`>QFfnge5Ft2}@YQ5|*%pB`jeHOIX4Zmav2+EMfT`7qtHJL#J2XKjp2z z{M^O$m%sYogY}o!UWi0$iYdt(wmVR2Qfnj6m7P$>`4pWTRg*>CQY*BXwXCY^IODMx zip zVc4PC$!k(moTij&MHe>QM8|ThMiW|YvnIK|F51gFli9?gay4bGN{w>6yHS$3=5DO~ zm{7N~JhdH{W*JbMR+=fHRCdbSdd+E#Z7@-{nk=X`?-cRAC5`iL+p-06EP+@wWvgUq z-I%cjs@~pKyG)rFVv?1scjr@mEo}PIcx85yyIKxt$xSDEX)cT#uNu4w{v4rvLh(@**uw9wUk8HGDvq*v}ark zw@qnDl9?u+U06n*5*fzAd--iURo9qt&Lm~G;N<7Zd_B|p9m_4(_*pF4Uk`G9rd(GN zPCbE>CC0VK(_I#;Cxkgy>MqTs=~Od`)kaU7r6$=1P7Y**O(9>9YsPlD74r3TD~a=? zWlfGn)qD;c;&Zaoo@!*RHePgQmD)V7n%Vhs%4n)yBe#H(+jxJN6kR>lnz0m(S*d(= zuwz^R2!Urf9<5`z{%W%<*E?)wRKmnss@SxE3|wA8YZWU%0JK`epjC{V>#s*K+)3k7mr0T07MB#hk14tp?!dcFBCA*I+g@? 
zwu=<}f`&)JGoTaO65KBM+a}!ZdfP1Kt@&Ht9`6hm9btKAply@JVbzvI6>)c8gI8k~ zzOe8p8Z{rlab9kFEr`})>B)_4$n4wg(XR)@8~lbc{|}$e{C~&G{6Bj!^Z&x9g3SNT z*CUZP+JNUPgNK-Crap$o$yW*;Ec>Ej$=_vUFkIi_nai5sezX{hzEft(IubTmN!w`?@Ds%ocnr^#7<5c5 zI<3Mmg?qlMuCzb@A~r3VSZM8egIt^V+B8wf;s^(7Ayoh2aW`1%`RqiSdLs89eZJ^Z zzZJ@jlH^6l<5~-kN4^56wLF<95Zm6Hh18_mn&Yh1TQ?Uy-7vD5D%uB*+7`7+b0ti@ zmN>$9I^Iy-a(Xh?9JUz<(uBmwWpE_Ozetd;V^Q?!ye@=u9~l?K!w~rKrg)o_=7TpP z!>W%2c?WqW7WMpOm}@DM#1S^+mq&f}dy&EIGGp!5xaS-6jv^kt*PKi>@Q~jZ9=9(( z9yWv{=#%|D2IQNdUj%*gdpq(W6tO638>`jNpgwWl0zqV4Q##!pdoC#RKXW?s|B9FS z|JudO|FRfl{s%u7i5zHzv*ttnC*%;5X9w(QsQtJBVIy0RT<;4n*3y!L>u^Xj8bfjwf=8AjA0Vw>&qCSo)X=#{ zfHI>*O*r(9Vj&haSH)4M%+hF7LGQ2!uX|a&861W7UF8MzJrXq51^xPT)CL%k<;Vj_ z(71rK1fP+h8qs?!ihSTrHfgKxVL8HpJb=U-UHoxCzOGOE*a8gb4AdG(&}U>dss(ug zS&QBSY^Vn0rJzq-?w=?l7Z_@Bt4YiO0#pl%;y}0#F&ujW zX_fVI`sTbAV5qiI?x7Enm8e#L-iy71n;+rhSPa1z<}xuFrYRLS|kwUkzjv- z(~DIvhrH2fIL-`6;M_=hv~?&5BbwP9_tmRfB8Y|CW$j^LOKlAYY|LE5vky}`JYzdlGA))yi zdn%@m?LZQX2A^({Q@#vhFcw8)&G`)K;5y_g3^$Eu{&;YmT%{Gw8uHiFdUc#3O(_f~ zksMokT`ec(9dMR_W(*f+4Y!#~K8}^A=Hux4Di%%Q<`fEvu5i5AhBJZh?ObwyHPSXR zSPIpSdN=Z=ZQ$gic^m_7&bh%%<l@8P&^E{S^Z zkDMe4zHWFNuGtZX>o?IoTj}XPevM!cNrFFmTG!aq)xWIkWfAH6@mCLZz3;THm8a{Y zmvw#WZwKlk3{p{_r3a(=2tz4_@6UCdISI%k9Z=dVN}(Zegq(tNdibRF$q2L@Mw zNYHqPMuk978=m<@6KXv|E(8+nXhNdB@$r?aje9`bB>N_cb^GpJshS zToyM2zp)ToRcX$Oh+l(&t62gE903NHGwFZ>pwd;RtT1{Z7Oj=69hI|1rkWEWMvQgQ zFZ5xI!wawxOiQfg>n^zdy~N;NV+;9*Le`?+-m^{G9YJjHs0Lv6zwzf_Z59S-i`LP7 z$w7mzDlSnjSl-RaO0C}K>Q;aWUMcvg)y(3#{e35TQW6wG1~{}GNSL+O4At{Ri{_gx zbQ{w_5hHL`u|~Eso}*||DXH~(F(KEBtdgzM+_0ngd@G}0Qn-BGsLaQsY(g04x%y@b zlk8AxuEfE5(4LRP5yx)ZJ3|B;Eg^IoBdLP-g~poLmIs|$LQnKr#oTbqSajwzMhzfO z%AIzqNG*m{tdhy>lGDD~-cm}9>5#n?yU1mBP9?Py#|w2g=9_Y=z3OI)xz2P`Z7#)H zL!PdcUN#mTaf`XU9``zCQ88U^Hzsr`x2g@ZPTw_mZmQxa7P&2IT9Zj6X0t^rJ>Rei zzAV>grZmW|d-(*dh|bW($xSSp5JrPUf4*uBcjcim9pYtoGUT(OSnN#7w61i=UCADF zs-)6tVEMsjoWK+LAvUkoG|bR((OvR|O`Bu*{v2LA4pZrN5?-(jY%QD5>2ty4Qv<5M zO<{R`JTX*M3qoTOtxMnjswHc9^+S_`!Bej}Fb5a$`l{w1%??0XS-|l7pAH10P 
zKXc9ob3YJ?bkuwcud!*}m8LHA{u)S@6^m8`V_TZJn<{O#D~hd5d%5Av!nerK($D9|#e6@zWgDaeYTH!;%chHl(PgC3Fv({COY-$hESlfW7ITUyw&Yw%DRlE@ zeQbdhyUiFqN8dTXvMfp(+l$U(-IH7DD90tWn!eW5iY+m-UM4%YwS1+4wW*B;N0&?% zMp&j%uvg^L7M9x309d`N>GfV!V%Q8bt`wOLyDCvh95h&qTTk3M$$3}QfE(x4QEeqp z7?=kwG{fDmE*)}{gel^!F}ufITkB-WO0@SDrgw2Rhh>nsb}H%cseo1+*P zidAQjW>mvjgEgxVIx*hyb5s#9o( zjvK=|vIS~8wB|8z9HIyi_;Gdth%#s zW363@qk^;8a+1Q90}@*r32dotv1N0EEo*BmSA#Pw`0C)5>H^jeF_fnWhljzwT}u$c zz`?5c2sg+cvh*SjVpVJs%S_G9ltoudm)vra_e8_W8=+d+ER5P#U$uxVqhXF#gSFep z8wf!xdTR{&e2Gcy1UE7!!f}XV(%TJyxPaQw>nYh~CN-?PGJ;m|z0kZ8!R4Hr5Vk8! z5^UUL2Up=}Rn+BmHT&2`i*i4cF}TC%IECR7f<@ZJOlbjI!7Prh!jUtE4L+M8QEgmr zT`m|^H;~3+wV^txSuUF#AI2z(klSNOip&NxTWj1DrdOdr5wd6{a%4qVGeE=>lR%VJ zXM=aTAXg%s%%X&2U2GcQxDLV9BVW=fZ!uHf;HEmi8ppJbYrNs4ZCW&!b5wi9>_NY! zJFbE-Ai>JqDkrQ8cx6r@9FOA#QmnyiWy~BVaI>|9bq{f4ryocc*DK|qrcqbn5C&py zb%TB9D1>|u%VHyxEtA>D!q9Cdu=O;Fo2E-Rf=Db1HnA`WVzGkpMlA3`h8hV_Q09-H z&ipYi^S}FI=KqcJ-=Tcw)kp+s5-?k)w+qlYw!)K=TgS3<4dp@4j?_gvuAjwFBFtUu zbp|(wTfj=WLt%&Naz5%50zoKHZO~s=VL&3Tbd-;;!f^e}lyc?}!!C=Pi{vo|nw7|_ zFkB~SY=`+4jto8qt$Z5{DG|otn#|$mnmVi!*vpiZtX3H zE&6blrNB|8+=O*jj>jj2<2GJ+)K4=@oyMixVc4Xb{akL6JI=>wJh+GhVIWJlYl&>d zWCH|9(8zbbl|@mCdJF2aD0iSt=;!0(aRJWZdQ%1ONdn&8u|9$_oY5B*P+~!sgV*fW zV^}WohZv3oqFAR80)%ZyK!M|uzJfR$+?3#KK^Q|B<#IzYrx!LkZ9dPHFe_&d+62GM z75kjP%2xgu!NqKutE^99K>c-(1C0j=g$Yr#Q0D(JnD9S+*O%kWfA?ke`%&h9@KYBv z|L4SDHS*Ozh(w?*s%Hxv@o;uRWolBUlq;q>B1Q6}Bte0M-D-4-G+$v{s{pL)eVJQk z_`r?}ZF#L%A6eu36kD^?w4R3J>(aut?gpEK!IHG$=pt;n4(AeO+O2ayzCNa~D$Ad! 
z`2w~py}E)JX6bHof_JwpE>!AkYS|ELyq=dSfsxz!V-H*&`LLBxz6rxo`=UrEA(8~b zHr?S;agolZmvA0iU-Nd~uRjax@1j^@Zn~j@S6lMlQrI3S(|EGp3;YI?cAn($buPDF zK$&K9rkTn~EqIZm5?KRZW<+e|mdkW?U>SuzUxnAmC<1O#zlWhxhF2nR?5{M5T&}jw zRmz*JgSnY(a+T@M;k8RTJ6WV1W1h;^W+|~Sr54zj($ga{vmKDaq@UCcYr*%{oJ^E& zdG~35=WAQ9`zt1rcVpwxiizEoFRYkcd6y48XXg495%1pKs#{1+gPS?D+6|t~Q{1nR zcz1Y$XClR-l|jnYCtXyXP}w;Coqt+BUjf1P>lZR$Gp0)eQmeEST@>MV_HY}xENoMM zg#-vdNE{&lHS>w z|D?-jPp@!(!dv02UtZz-the&|^o5nz55o5k?d8%_Gtbn&h%#T~7cXYMFZ@=J`FhL5idA72?hzA}7#W%&5YH_ziM zL&|$dc@HV?A>}=!yuW!U?;%+|B&&yH^^mL{lGWclWc83{9@5N1nt4bw4{7Fa9-4Vb z5Dy9BAwm34haeu(oZ7!XZgGBniKHNWvk#H>CH5^xlx(`~QO8`)5NQZOEeyd9)#q zHssNUJlc>)8}evF9&N~@4SBR7k2d7dhCJGkM;r2JLmq9&qYZhqA&)lX(S|(QkVhNx zXhR-t$fFH;v>}f+)8}evF9&N~@4SBR7 zk2d7dhCJGkM;r2JLmq9&qYZhqA&)lX(S|(QkVhNxXhR-t$fN!LkVpIHPXC+SpZESv zZu#=R$^D#&{!Q-PR}cS9?w>!c>u-3v_{+M!@H^7e4Usw1;vET>7WJ&(&M#pZY%h z*wH`r{T*1#mmu0Z4_@+d{)GdZFKM~=kuM=F-@1FHmS-N`Q9luh$aP-z5n(40edOPG zy54rA>lIJeJ0YT+kLU$>a$_%-JXefByRvWj)sGx`?n_7$@*MdOpy!f_xHDPW1d+Js zu{RMBI-o;Oe5_}uvHm{7`hUK8g!Ny*n!YZ*CldMgGd|XPCnF}(_OO2J2|!Xy&;zd=mVlK=n! literal 0 Hc-jL100001 diff --git a/tests/smtp-long-DATA-line/suricata.yaml b/tests/smtp-long-DATA-line/suricata.yaml new file mode 100644 index 000000000..30418c57b --- /dev/null +++ b/tests/smtp-long-DATA-line/suricata.yaml @@ -0,0 +1,23 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + types: + - files + - smtp + - anomaly + - file-store: + version: 2 + enabled: yes + force-filestore: yes +app-layer: + protocols: + smtp: + enabled: yes + raw-extraction: no + mime: + decode-mime: yes + decode-base64: yes + decode-quoted-printable: yes diff --git a/tests/smtp-long-DATA-line/test.yaml b/tests/smtp-long-DATA-line/test.yaml new file mode 100644 index 000000000..ca9581499 --- /dev/null +++ b/tests/smtp-long-DATA-line/test.yaml 
@@ -0,0 +1,102 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 192.168.1.4
+ dest_port: 3326
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 217.12.11.66
+ src_port: 587
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: MIME_LONG_LINE
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 192.168.1.4
+ dest_port: 3326
+ event_type: anomaly
+ pcap_cnt: 40
+ proto: TCP
+ src_ip: 217.12.11.66
+ src_port: 587
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: MIME_LONG_ENC_LINE
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 192.168.1.4
+ dest_port: 3326
+ event_type: anomaly
+ pcap_cnt: 40
+ proto: TCP
+ src_ip: 217.12.11.66
+ src_port: 587
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ email.attachment[0]: winmail.dat
+ email.from: '"Xxxxxx xxxx" '
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: smtp
+ pcap_cnt: 40
+ proto: TCP
+ smtp.helo: Percival
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 192.168.1.4
+ src_port: 3326
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ email.attachment[0]: winmail.dat
+ email.from: '"Xxxxxx xxxx" '
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: fileinfo
+ fileinfo.filename: winmail.dat
+ fileinfo.gaps: false
+ fileinfo.size: 10383
+ fileinfo.state: CLOSED
+ fileinfo.stored: true
+ fileinfo.sha256: "81d7ff46d57b5e79df686a72c160225d644e43c47c219f6bbdc5a6699df702d5"
+ fileinfo.tx_id: 0
+ pcap_cnt: 42
+ proto: TCP
+ smtp.helo: Percival
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 192.168.1.4
+ src_port: 3326
+- filter:
+ count: 1
+ match:
+ dest_ip: 217.12.11.66
+ dest_port: 587
+ event_type: smtp
+ proto: TCP
+ smtp.helo: Percival
+ src_ip: 192.168.1.4
+ src_port: 3326
+ tx_id: 1
--
2.47.2
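Review bot: The three anomaly filters each pin `count: 1` for one `anomaly.event`, but no filter bounds the total number of anomaly records, so a regression in which the 6512-byte DATA line makes the parser raise an additional event (or the same event again on another transaction) would still pass as long as the named events fire once each. A closing filter such as `- filter: count: 3 match: event_type: anomaly` would make the expected set exact; the `fileinfo.sha256`, `fileinfo.size` and `fileinfo.gaps: false` checks already pin that the attachment survives the over-long line intact, which is the outcome that matters for detection. The `email.to[0]:`, `smtp.mail_from:` and `smtp.rcpt_to[0]:` keys appear with empty values as rendered here; if that is the committed text rather than an artefact of address stripping in this view, those matches compare against null and should carry the expected addresses.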