From ed41074cbb810883d11ee60fb45403dbcba07f7a Mon Sep 17 00:00:00 2001 
From: Philippe Antoine Date: Thu, 31 Aug 2023 11:52:15 +0200 Subject: [PATCH] mime: add previous suricata unit tests mime: fix tests for bug-6207 Fix manually crafted pcaps to have valid MIME headers folding beginning with space And removing the test for BODY_BOUND which is becoming obsolete --- .../mime-dec-parse-full-msg-test01/README.md | 11 +++ .../mime-dec-parse-full-msg-test01/input.pcap | Bin 0 -> 1685 bytes .../mime-dec-parse-full-msg-test01/test.yaml | 46 ++++++++++ .../mime-dec-parse-full-msg-test02/README.md | 11 +++ .../mime-dec-parse-full-msg-test02/input.pcap | Bin 0 -> 1704 bytes .../mime-dec-parse-full-msg-test02/test.yaml | 46 ++++++++++ .../mime/mime-dec-parse-line-test01/README.md | 11 +++ .../mime-dec-parse-line-test01/input.pcap | Bin 0 -> 1736 bytes .../mime/mime-dec-parse-line-test01/test.yaml | 46 ++++++++++ .../mime/mime-dec-parse-line-test02/README.md | 11 +++ .../mime-dec-parse-line-test02/input.pcap | Bin 0 -> 1788 bytes .../mime/mime-dec-parse-line-test02/test.yaml | 47 ++++++++++ .../mime-dec-parse-long-filename01/README.md | 11 +++ .../mime-dec-parse-long-filename01/input.pcap | Bin 0 -> 2012 bytes .../mime-dec-parse-long-filename01/test.yaml | 86 ++++++++++++++++++ .../mime-dec-parse-long-filename02/README.md | 11 +++ .../mime-dec-parse-long-filename02/input.pcap | Bin 0 -> 2268 bytes .../mime-dec-parse-long-filename02/test.yaml | 71 +++++++++++++++ tests/mime/mime-dec-parse-odd-len/README.md | 11 +++ tests/mime/mime-dec-parse-odd-len/input.pcap | Bin 0 -> 1751 bytes tests/mime/mime-dec-parse-odd-len/test.yaml | 46 ++++++++++ tests/mime/mime-dec-parse-rem-sp/README.md | 11 +++ tests/mime/mime-dec-parse-rem-sp/input.pcap | Bin 0 -> 1750 bytes tests/mime/mime-dec-parse-rem-sp/test.yaml | 46 ++++++++++ .../mime-dec-parse-small-rem-inp/README.md | 11 +++ .../mime-dec-parse-small-rem-inp/input.pcap | Bin 0 -> 1757 bytes .../mime-dec-parse-small-rem-inp/test.yaml | 46 ++++++++++ tests/mime/mime-dec-very-small-inp/README.md | 11 +++ 
tests/mime/mime-dec-very-small-inp/input.pcap | Bin 0 -> 1754 bytes tests/mime/mime-dec-very-small-inp/test.yaml | 46 ++++++++++ 30 files changed, 636 insertions(+) create mode 100644 tests/mime/mime-dec-parse-full-msg-test01/README.md create mode 100644 tests/mime/mime-dec-parse-full-msg-test01/input.pcap create mode 100644 tests/mime/mime-dec-parse-full-msg-test01/test.yaml create mode 100644 tests/mime/mime-dec-parse-full-msg-test02/README.md create mode 100644 tests/mime/mime-dec-parse-full-msg-test02/input.pcap create mode 100644 tests/mime/mime-dec-parse-full-msg-test02/test.yaml create mode 100644 tests/mime/mime-dec-parse-line-test01/README.md create mode 100644 tests/mime/mime-dec-parse-line-test01/input.pcap create mode 100644 tests/mime/mime-dec-parse-line-test01/test.yaml create mode 100644 tests/mime/mime-dec-parse-line-test02/README.md create mode 100644 tests/mime/mime-dec-parse-line-test02/input.pcap create mode 100644 tests/mime/mime-dec-parse-line-test02/test.yaml create mode 100644 tests/mime/mime-dec-parse-long-filename01/README.md create mode 100644 tests/mime/mime-dec-parse-long-filename01/input.pcap create mode 100644 tests/mime/mime-dec-parse-long-filename01/test.yaml create mode 100644 tests/mime/mime-dec-parse-long-filename02/README.md create mode 100644 tests/mime/mime-dec-parse-long-filename02/input.pcap create mode 100644 tests/mime/mime-dec-parse-long-filename02/test.yaml create mode 100644 tests/mime/mime-dec-parse-odd-len/README.md create mode 100644 tests/mime/mime-dec-parse-odd-len/input.pcap create mode 100644 tests/mime/mime-dec-parse-odd-len/test.yaml create mode 100644 tests/mime/mime-dec-parse-rem-sp/README.md create mode 100644 tests/mime/mime-dec-parse-rem-sp/input.pcap create mode 100644 tests/mime/mime-dec-parse-rem-sp/test.yaml create mode 100644 tests/mime/mime-dec-parse-small-rem-inp/README.md create mode 100644 tests/mime/mime-dec-parse-small-rem-inp/input.pcap create mode 100644 
tests/mime/mime-dec-parse-small-rem-inp/test.yaml create mode 100644 tests/mime/mime-dec-very-small-inp/README.md create mode 100644 tests/mime/mime-dec-very-small-inp/input.pcap create mode 100644 tests/mime/mime-dec-very-small-inp/test.yaml diff --git a/tests/mime/mime-dec-parse-full-msg-test01/README.md b/tests/mime/mime-dec-parse-full-msg-test01/README.md new file mode 100644 index 000000000..4f2d42d1a --- /dev/null +++ b/tests/mime/mime-dec-parse-full-msg-test01/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test some mime processing + +## PCAP + +Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseFullMsgTest01. + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 diff --git a/tests/mime/mime-dec-parse-full-msg-test01/input.pcap b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5e9e92d8011f20e74c7d75a795cebd6f52f43073 GIT binary patch literal 1685 zc-oDW-%`^+6vmT)pw(#g4#tZ!y>g%lNeWcMpJ|7-1DZ~ujSk~@VcM>;*e01|GnOl# zgG*n*SMU{l6|d_qy8#ChP1QE3=)6rMHhRO_19leGC3V|$L}|T zcI%{a<89$M3}Q^KsMx1*kXm9dO}p*7-H@Oe*$5{d_IF@(=0!0gdkOiZz5Fjd`xj>S zUhqeP#R7=!ab|Xz=pX+>ssKt-Ouq-L{tRwNb@R3mJ blyjakPTn55obaT0igQZYyZO^KuTuO0>NQTe literal 0 Hc-jL100001 diff --git a/tests/mime/mime-dec-parse-full-msg-test01/test.yaml b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml new file mode 100644 index 000000000..f9049447d --- /dev/null +++ b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml 
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/README.md b/tests/mime/mime-dec-parse-full-msg-test02/README.md
new file mode 100644
index 000000000..b1f1cc9fc
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseFullMsgTest02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
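Review bot: The checks pin the protocol-detect anomaly and the `PARSE_DONE` transaction, but nothing asserts that the MIME decoder raised no anomaly of its own, which is the property the commit message says it restores by fixing the header folding in the crafted pcaps. A `count: 0` filter on `event_type: anomaly` with `anomaly.layer: proto_parser` (the layer the decoder's own events use elsewhere in this patch) would catch a regression where a folded header is treated as malformed while the transaction still reaches `PARSE_DONE`. As rendered here `smtp.mail_from:` carries no value; if that is not an artefact of this page, the match should pin the envelope sender the same way `smtp.rcpt_to[0]` does. The file headers show this expectation blob (f9049447d) is reused verbatim by test02, odd-len and rem-sp, so the extra filter belongs in each copy.
```yaml
- filter:
    count: 0
    match:
      event_type: anomaly
      anomaly.layer: proto_parser
```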
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/input.pcap b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..fa58468f2674df0fed24199fd818db6198b3806d GIT binary patch literal 1704 zc-oDW-*VDG6vjhZTSZaEyLP-d!+7DeBn=B~HT^R%1*WZGpb(vo z&(TX?!B_AVd=;;8x4UUOZK4T$vuu*@cRo&b^ZVD&AF8sb#K(Lt#??PBKJl?8r82b? z#ZZ*GQeRS(?~0P+x-2OxMd|fb;Z_&t^W4J1GH2v6FqDwKFAbl(cb5=To(Ml&T&k#R~fqtiIDpxy6w%w6hHul{A~ zkcmF>ru%}soIP8KvCB!>9Jsa$7fj6Hwr72jcn> z1x*9&j^P`jXRv$Fx7z!<7(}fn%=c0i617xFN!w=^hSzBwicM$-qztG64L<;6peh)f zX2me8Td;1hqmXY0-qZxX7U2Ghussu!9!4QQh=%8QL`|^INC@of0L38%%-w~2=cv=t z-s2!7p34wAD|Fzw6uVTjFMO738citiStmB8WQNB(F!UmK>;xBkrS;>lIGUUeI^z#D zuhl#$-FTZM^u3VKD=KkW99+orkEY#q-7QG*jBfZ7hqya1I&*>$)4hm()?WXYp8OA! zYl?0T*z?2z68-Dr5%CG*qg!1I#SfI8l2@=;0;tFl$+4PTThsV?U96cx_FXb8D(Z34 iE_s@Hm#D{#a~?BJ-W}P3@GN_Zb4KaiyoW1SDgFW?$yJa5 literal 0 Hc-jL100001 diff --git a/tests/mime/mime-dec-parse-full-msg-test02/test.yaml b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml new file mode 100644 index 000000000..f9049447d --- /dev/null +++ b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml @@ -0,0 +1,46 @@ +args: +- -k none + +checks: +- filter: + count: 1 + match: + anomaly.app_proto: smtp + anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION + anomaly.layer: proto_detect + anomaly.type: applayer + dest_ip: 127.0.0.1 + dest_port: 39202 + event_type: anomaly + pcap_cnt: 6 + proto: TCP + src_ip: 127.0.0.1 + src_port: 25 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + email.from: toto + email.status: PARSE_DONE + email.to[0]: 172.16.92.2@linuxbox + event_type: smtp + pcap_cnt: 14 + proto: TCP + smtp.helo: linuxbox + smtp.mail_from: + smtp.rcpt_to[0]: <172.16.92.2@linuxbox> + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 0 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + event_type: smtp + proto: TCP + smtp.helo: linuxbox + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 1 
diff --git a/tests/mime/mime-dec-parse-line-test01/README.md b/tests/mime/mime-dec-parse-line-test01/README.md new file mode 100644 index 000000000..1d926984e --- /dev/null +++ b/tests/mime/mime-dec-parse-line-test01/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test some mime processing + +## PCAP + +Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLineTest01. + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 diff --git a/tests/mime/mime-dec-parse-line-test01/input.pcap b/tests/mime/mime-dec-parse-line-test01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3e8bb266b25a6103b0245e291f4e17daf003aae0 GIT binary patch literal 1736 zc-oDW%Wl&^6ozfLv=9hH>{_un$_llyYdgJwdr_h$Q45LECI(fA1x_-w6XJ{Pu}D`u zN0+<;ufQwtDy+jyW}Kqd20QsRnvDPN{5hWSub)4@E7G!*T(cP;*MGnG#KvtQg{mn@ zx+K-4+KME7lO&nxrYxUBHT0r81nyL25q z(T2Wz#JQ{avy~~kl9ufuowtPq<0Kp6$M(_B{2D@t=7<;B>>}sz~&8#J@6ZszH z&$mJO?X-LaHWv~MEhAr>a?FI$sM~c;cuZ#>g#_UuBZWyRy@XKR*@lQXApzEQz+Mm& zP*p(Q2)<%+1qa8ycI!yv1F!XjRaUroEv1%`wnys?7HJ)VENF$e0;U1=AOur4tDx^# zhHh1NVN<79vCs;A*8;W|;Qo%VeGAeaMzPS32V*oO7T8xf0{V4;pojos?qZ>H+G(oq zQ5a$0qX>-_I`%z+Jfhmy0nO#c6M_TUi7gjT(P$qAe(a5$@cOX4`Q{6XCl~$B=)<<( zY@C;Gy$u`%euT-Kiai_`k(hX}jD1c8g9$hk!9rGdc6S}?N~s_EHOmHn>qJypzq niUuV~8K<41r@2p&GNzmb + email.status: PARSE_DONE + email.to[0]: 172.16.92.2@linuxbox + event_type: smtp + pcap_cnt: 14 + proto: TCP + smtp.helo: linuxbox + smtp.mail_from: + smtp.rcpt_to[0]: <172.16.92.2@linuxbox> + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 0 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + event_type: smtp + proto: TCP + smtp.helo: linuxbox + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 1 diff --git a/tests/mime/mime-dec-parse-line-test02/README.md b/tests/mime/mime-dec-parse-line-test02/README.md new file mode 100644 index 000000000..07ee83aa3 --- /dev/null +++ b/tests/mime/mime-dec-parse-line-test02/README.md 
@@ -0,0 +1,11 @@ +# Test Description + +Test some mime processing + +## PCAP + +Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLineTest02. + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 diff --git a/tests/mime/mime-dec-parse-line-test02/input.pcap b/tests/mime/mime-dec-parse-line-test02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..56fc12bf4602ee652a3743bdebee8d2e4a219f9d GIT binary patch literal 1788 zc-oDW%Wl&^6ozfLv=9hH>{_un$_lly6T3HXFC=ObwU8)n;-U(%z)7afw7$t6E6IxI z=%x}9Prxhi3cL#IFw+^gsEr|ZevKyf|DE4w#{Tv5$2Ucqmy%;L;p6h}S6|q;E~HS^ zB&j4xWvRR%Nna&NX1dBtOF7{U6z*2$Clh&YZjmwM85q*iRUYUy%8`SY4;jo?5E6{n zDLG`yk&kkm!Mt<){u>EzC8fTc`^#$>C2+78kGlQ{I!)^cLS*;H*$jiSc5Mp@=+-|1 zEho@}TBCJK<)}xq_h*^na<}<5O3?bi84C<8BpB6{I62D6CyZw0umSaUt7+~KpZMi- z*T#<4^W8npU7S5zp0W$mvOT8rhLB(!q+}~l&Pu{)?;lxUwaguT%h2>q?X961<)n2Y z-;>$%tx$erTD}aM3kimnlCMEIM#898tO_SQrL)gMf^eFW!l0CPLRi~ahltoA0oHcF zUJw&dRX|=JhL{XsXTRO3?`eGCwVqMmNa5nO6q1s*P3v`U)7k`?P!Dkd3>_*#2u8_R zgVKhnm&~XopBcBlK=y(-Q`MfX-sa8N=9*g_*ENqqxiI&!ejBe~s_M?Cft| oHzz6A)84%2GrxJtHRW6+jN_9-ixXbVp5lU1zTbV@^_vub098GA?f?J) literal 0 Hc-jL100001 diff --git a/tests/mime/mime-dec-parse-line-test02/test.yaml b/tests/mime/mime-dec-parse-line-test02/test.yaml new file mode 100644 index 000000000..3b802ce14 --- /dev/null +++ b/tests/mime/mime-dec-parse-line-test02/test.yaml 
@@ -0,0 +1,47 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ email.url[0]: www.test.com/malware.exe?hahah
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-long-filename01/README.md b/tests/mime/mime-dec-parse-long-filename01/README.md
new file mode 100644
index 000000000..158ae9697
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLongFilename01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
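Review bot: `email.url[0]: www.test.com/malware.exe?hahah` pins only the first extracted URL, so a regression that logs the same URL twice or appends a spurious entry still passes this test. If the harness supports `not-has-key`, a sibling filter on the same transaction with `not-has-key:` listing `email.url[1]` would fix the extracted-URL count at one. The value is logged without a scheme, presumably because the decoder strips it; a one-line comment above the match, `# URL logged scheme-less as extracted from the message body`, would spare the next reader a trip into the pcap to see why the literal has no `http://`.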
diff --git a/tests/mime/mime-dec-parse-long-filename01/input.pcap b/tests/mime/mime-dec-parse-long-filename01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7707191091cb169f9583e27af35f20135e95abb6 GIT binary patch literal 2012 zc-rli-Ez`E7={;8TSZaEvvxfACPz+7Qj-2@Xge?krd1ePNS%)3fdRH~ufo{t_gb+J}i+qkldArI|61w%5 zKua-nzus)$PzCD2?EP6{xWY}ojS{rq3dTG~OG!p8B~F2H)R@t#9yFoRX}7Fx>QldR z<~n4g_kDL)a2ICJrZRRhDceIfZ%RqVeoD3?<1ELF&fcL7cH7!EwoKjF)L)yrS&3UG z^F5k9-!kJjlk(;GTuL(ZlzdIbF=IxpYF7o}F`Ipml7y3#6ego|V#3Lw!`Z6ZqhmwThIte5ljQBK?r8a zT!YevWt6P7O;{!4NF-r+DJzQ+(cE41f(6nj*&F9Md!9gippSSMCpGQoo~^!%|maKeinb>+<`JRY5N zTZ8xOe!X_2-g;{!3jB!BYbx^UypQ4N#lclwmI_y4&# z*YO0ad{L?p5jPlNaB&nlXP9rj7>wlg(lmZu7tdLK_MN3yK+0v(&hm8Tokh81ob#A* WbbMe7!n4^^oHNST+y5@(I>m1dV$44P literal 0 Hc-jL100001 diff --git a/tests/mime/mime-dec-parse-long-filename01/test.yaml b/tests/mime/mime-dec-parse-long-filename01/test.yaml new file mode 100644 index 000000000..701e46805 --- /dev/null +++ b/tests/mime/mime-dec-parse-long-filename01/test.yaml 
@@ -0,0 +1,86 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: MIME_LONG_FILENAME
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ fileinfo.gaps:
false + fileinfo.size: 25 + fileinfo.state: CLOSED + fileinfo.stored: false + fileinfo.tx_id: 0 + pcap_cnt: 15 + proto: TCP + smtp.helo: linuxbox + smtp.mail_from: + smtp.rcpt_to[0]: <172.16.92.2@linuxbox> + src_ip: 127.0.0.1 + src_port: 39202 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + event_type: smtp + proto: TCP + smtp.helo: linuxbox + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 1 diff --git a/tests/mime/mime-dec-parse-long-filename02/README.md b/tests/mime/mime-dec-parse-long-filename02/README.md new file mode 100644 index 000000000..4821e2937 --- /dev/null +++ b/tests/mime/mime-dec-parse-long-filename02/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test some mime processing + +## PCAP + +Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLongFilename02. + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 diff --git a/tests/mime/mime-dec-parse-long-filename02/input.pcap b/tests/mime/mime-dec-parse-long-filename02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..91cd1f346af97c66bdfaf741531d8176ae6789e5 GIT binary patch literal 2268 zc-rliPjk{h7{&udt0>BNYsbSoIXNv!N%~Ji+kq)Ct-{bkbUKa)7qXP4{w#A`{yN`g5n68~a|0+t zAp_BNAYKqL&@{lF1D^;Rz|MZVQQy<$AZtD5zLSiUtd+47(zbcM?sZzkum$yy6u>l~ z5`tW=wov1s+J!XMDAQbqCfMLo2 z3wJKtJZ#pqcQ~ZP_c%i5h4y`qVUKC{dBAhI(TI_NcVf*YW9*cm>qnl0!t-5q_4OH! zMkk%7^M1pxRgcvhZv)XS5>Vg8!^k^BwC`|H)JI$nMU+nwrH(kA|9AZxcZo$=0ZQCpgu%s>qEjqhJs6DH z>s8albzSZ=x%qe2ZeGb;%-UI>%)PT_E;wg6WgNdfv?bx`{3(W<^5y2;ZCs`J1>v7R An*aa+ literal 0 Hc-jL100001 diff --git a/tests/mime/mime-dec-parse-long-filename02/test.yaml b/tests/mime/mime-dec-parse-long-filename02/test.yaml new file mode 100644 index 000000000..aa1581fe8 --- /dev/null +++ b/tests/mime/mime-dec-parse-long-filename02/test.yaml 
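Review bot: The truncated attachment name is a 255-byte literal repeated three times (`email.attachment[0]` twice and `fileinfo.filename` once) with nothing saying where the cut-off comes from, so a reader cannot tell whether a one-byte drift in a future run is a real regression. A comment above the first occurrence, `# name truncated at the decoder's filename cap (appears to be 255 bytes: 21 x "12characters" + "12c") — the MIME_LONG_FILENAME anomaly above is the expected companion`, would make the expectation auditable; confirm the cap against the decoder before stating it as fact. If the harness loads this file with a standard YAML parser, a `&longname` anchor on the first literal and `*longname` on the other two would keep the three copies from diverging. This hunk starts on the previous physical line of the patch.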
@@ -0,0 +1,71 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 12characters12characters12characters.exe
+ fileinfo.gaps: false
+ fileinfo.size: 25
+ fileinfo.state: CLOSED
+ fileinfo.stored: false
+ fileinfo.tx_id: 0
+ pcap_cnt: 15
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-odd-len/README.md b/tests/mime/mime-dec-parse-odd-len/README.md
new file mode 100644
index 000000000..b5f1032a6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-odd-len/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseOddLen.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
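Review bot: This is the short-filename counterpart of long-filename01, yet it only asserts the positive side (attachment `12characters12characters12characters.exe` logged in full); nothing states that `MIME_LONG_FILENAME` must not fire here, so an off-by-one in the truncation threshold that starts flagging short names would go unnoticed. A `count: 0` filter on that anomaly event makes the negative case explicit and gives the pair of tests a real boundary. The `fileinfo.stored: false` and `fileinfo.size: 25` expectations are fine as written, though a one-line comment noting that the `.exe` body is intentionally tiny (25 bytes) would stop a reader from suspecting a truncated payload.
```yaml
- filter:
    count: 0
    match:
      event_type: anomaly
      anomaly.event: MIME_LONG_FILENAME
```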
diff --git a/tests/mime/mime-dec-parse-odd-len/input.pcap b/tests/mime/mime-dec-parse-odd-len/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e1b7326cb0f8f63723be8852209b08ceff86c8e1 GIT binary patch literal 1751 zc-oDW-%{E@6o*5!+S1Z8z0>K%8Lm1?B8i}F{4;=nVnGyAb(mf>fmK!^$s`*Kz41A` z>?`yY`U-uOUek@cQAbHj;5R!gZkfez^=ZJ~75zfac+hQiM*Da#A6qUZ~cf(rnbVO=1%}e?Bm9 zU+&n0ZN{CS-YrGh=}B(S>AuFp8G8|KY06m&8O@zT9rT8_sjREAvL=62Wi=m;j{Cis z-fxNWYm@xq!JdaR7rtTAgUy|0t+Fk%h4p$x>slfU>m@cKY@4*7d1q@7q(Q~SX;2j?I4-Cebrmu> zP047hYp|T5Mz6BFG|=K60qn!0!|6&`GQe@DO!3z_fjBE2NlYiml zo@|;edOeY=u=zDn2RoSZm1w00XI#Vb&X6mWt&ZKr*0~0z;i0wct;tEBv|Gi?_Q}Cj zd$;emM@4WtqvCgSRBV8*9G$nVWALl3;(m4apl1$pSKY#7RY?jym)R|rnEs(MlY%&! j^iaK?`k@j>lyea>jy_j)MtC#5#Ra8Y-~VkZw-$c^>hx&B literal 0 Hc-jL100001 diff --git a/tests/mime/mime-dec-parse-odd-len/test.yaml b/tests/mime/mime-dec-parse-odd-len/test.yaml new file mode 100644 index 000000000..f9049447d --- /dev/null +++ b/tests/mime/mime-dec-parse-odd-len/test.yaml @@ -0,0 +1,46 @@ +args: +- -k none + +checks: +- filter: + count: 1 + match: + anomaly.app_proto: smtp + anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION + anomaly.layer: proto_detect + anomaly.type: applayer + dest_ip: 127.0.0.1 + dest_port: 39202 + event_type: anomaly + pcap_cnt: 6 + proto: TCP + src_ip: 127.0.0.1 + src_port: 25 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + email.from: toto + email.status: PARSE_DONE + email.to[0]: 172.16.92.2@linuxbox + event_type: smtp + pcap_cnt: 14 + proto: TCP + smtp.helo: linuxbox + smtp.mail_from: + smtp.rcpt_to[0]: <172.16.92.2@linuxbox> + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 0 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + event_type: smtp + proto: TCP + smtp.helo: linuxbox + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 1 diff --git a/tests/mime/mime-dec-parse-rem-sp/README.md b/tests/mime/mime-dec-parse-rem-sp/README.md new file mode 100644 index 000000000..e70e497d4 
--- /dev/null +++ b/tests/mime/mime-dec-parse-rem-sp/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test some mime processing + +## PCAP + +Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseRemSp. + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 diff --git a/tests/mime/mime-dec-parse-rem-sp/input.pcap b/tests/mime/mime-dec-parse-rem-sp/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a4c57311343264bfd716c2e7eebc0e2534a5569e GIT binary patch literal 1750 zc-oDW-%{E@6o*5!+S1Z8z0>K%8Lm1?B8i}F{4;=nVnGyAb(mf>fmK!^$s`*Ky=b4q z%f3Qip|8+a={4QB8+DYl1b(x#g!7$`lZ4;De*O@JSs^^eW412-dGk3~vpgbASr9UU zkQefEg794sVnMD`!a|bQIwGqUXUF5%%*=eih)ux|7Oqo3&rwdydHt9X)TMbi<86dT zjB;X!NyZ3jXV~{|!fOi={bR{{wW^wdKDPX!X%C@Q*AKx(Mt78m2hd<#8$2Ak{tuzW z5V}{cHEyX4^Qcfyl)C<)bRGN*twn=Pa=g$WQ z?#mr}u+6yh)4Qc8J3YzmDc#q2IAbruEloK~A)~o-sDs|nHkEZ%R@UVAs;uV2(Q&_L z)B7z^er=LpJlOMah8*EnqZ~D4lnQ!*5uVfCCmv2Xjj&KDr5O@db6N0+;SvbO4%l*h z0+IyC>cSUHda$|EtW~yUwy<6=g2{+1te1EYVcVqr%v)Q7APp)mPJ^mI!Er&&sH>34 zX-Y<0U4!KeJrePXYY#LC?ge;!N9eW&lP*Rg-tx^0)FB$^J?sH}8$ggp00q^Fc)eOL zOUKCdux(L5XU)w}Ji zT`nD^?rKZeb8HWj8!EP_4obv>mn1!`df1SlAz5+y2DUb!(=%KTku9H`N$>tkpZp6a z_hi#-(d&s^h0U*tI@rOKuS6@|JL4LbcZOW4Y<27|w$3#$4G*nlZ%j`5q}?iBwoeYO z+Pi(fJt{gK7!|*oqhdo>j?UZGv0rT!_p7@HJ#&z|>Ox_%sU!uT%j^zIO#e)oNkJS= jdZu1Z{Y;5N%DD&`M<1&?BfOg4;(}7X-TiATHx_>ZhKOjK literal 0 Hc-jL100001 diff --git a/tests/mime/mime-dec-parse-rem-sp/test.yaml b/tests/mime/mime-dec-parse-rem-sp/test.yaml new file mode 100644 index 000000000..f9049447d --- /dev/null +++ b/tests/mime/mime-dec-parse-rem-sp/test.yaml 
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/README.md b/tests/mime/mime-dec-parse-small-rem-inp/README.md
new file mode 100644
index 000000000..ca2e72536
--- /dev/null
+++ b/tests/mime/mime-dec-parse-small-rem-inp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseSmallRemInp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
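Review bot: This rem-sp expectation file is byte-identical to the one added for full-msg-test01 (both headers carry blob `f9049447d`), so the only thing that distinguishes the test is its pcap, and nothing in test.yaml tells a reviewer what edge of the decoder that pcap exercises or why the shared expectations are the right oracle for it. A header comment at the top of the file, `# Expectations shared with mime-dec-parse-full-msg-test01; only input.pcap differs — see README for the MimeDecParseRemSp origin and the header-folding fix in this commit.`, keeps the dependency visible when someone later edits one copy and not the others. If the original unit test checked a specific decoded value for this input, pinning that value here would make the test more than a duplicate of the baseline.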
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/input.pcap b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1b4b1bed3397c0d4c2dd551baa6863692460fa8d GIT binary patch literal 1757 zc-oDW-BQ{>7=}Z%wWXzHdZyEZZ#e2Gi6nxy@n--5#eyirpE5mY0;{Y-l1Vledg4(p z!o%J|Z=tu)Tj?>~up4z0S~k41vxN8g-hA2R_phHnL}6A4$8gBzg+Fh<1aq28q$&zR zN)WO__NgFT3qmB&O+uKDbFU*Zw>Uc-MrLN_0!CyChA@AV0D6ydBF>w~jKG)V;*56_ zazrR6au8>Xz&pc!KN9!mCe)9_?|D@<1zl|UebeqkqpBZ(i;VUl77d_5yVkilbnPF3 z7DDK5u~NIGGSrjl`?ElC@!Ncv6x2R4#?t`J#TkVOapIJd2pQE}xdNqnt*UJho7ma& zo`Jh^%kFJ4?%ed*5|o`Bm+cu{SGYK1cS5!#K(pl|QJmnhjgW z^F5zF-y-E##^s9!Yc9@^C*-S8jv6uwIX%Y+FX-ws7bl!fNTE_nJtVAT(%=!pB@nb7 zu;us!Bngn!hOd}(U}L*pDQ(GYVzpjU-zSlY)e?^;q^;9>=51PoAPq_`PJ*gH&T&Ca zsVk7mXi7?3S%sw(9kFQ1wR;)_djTHr2;J6T+{=hX8@_pgT0{fAgFT=h0|@d6puioA zR?F3*bc|dN+ZIL0w9vL~5o8fbA2>8u&+iiK&`vD(a38hT!L)s=ZMcKY#M0g+^1G*v zYP*@Xi-p6)owtBJ$M!H8QL#nipjb4xBt7wUu!AXInH=ff9oMkDGvrD|t7W&bb*_PFcxW{}N^;UA%|`yR zd9r`i-0AwwK^~meApgxA + email.status: PARSE_DONE + email.to[0]: 172.16.92.2@linuxbox + event_type: smtp + pcap_cnt: 14 + proto: TCP + smtp.helo: linuxbox + smtp.mail_from: + smtp.rcpt_to[0]: <172.16.92.2@linuxbox> + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 0 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + event_type: smtp + proto: TCP + smtp.helo: linuxbox + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 1 diff --git a/tests/mime/mime-dec-very-small-inp/README.md b/tests/mime/mime-dec-very-small-inp/README.md new file mode 100644 index 000000000..2a5c41e3e --- /dev/null +++ b/tests/mime/mime-dec-very-small-inp/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test some mime processing + +## PCAP + +Adapted using data from a previous specific unit test for MIME in Suricata MimeDecVerySmallInp. + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 
diff --git a/tests/mime/mime-dec-very-small-inp/input.pcap b/tests/mime/mime-dec-very-small-inp/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d217b5124e8f1db3ac72d40fa6ea82b09b4ff014 GIT binary patch literal 1754 zc-oDW-%{E@6o*5!+S1Z8z0>K%8Lm1?B8i}F{4;=nVnGyAb(mf>fmK!^$s`*K9cMbz zxA3yB&{yay^i_IIH|(O0l9s@4G9jGre4Om^``6DOqA)9rkKvG=7yrEZ9GufUB27^c zQi6~bvU7s)O%NhMZW6*moYy)cs}^U6!^q6ce87lI!4MX15REAlY-g@#+VDxJe*Mo(TP(|V$7)K$`vTpYgKKN*u>7B z_YB;XTXt`oap$LZOHg)llG{^yUE$%3y%4t~Wc29#~Ex_Xyq1zfvdKj^2!#6Kbi)f&Cum|*Q06`uB6jaBe z)pE5c9V6GnwnY&#ZM0)s1X)DV2M+b>`CWn?I*FAY?xXewn6_`V4R^4WSl+)xe)qId zZ8y_)v2c{Qt1V#9u{}&iRBTZl6pIEgNqSiIupvQxvf^|NY;8cRW4In7TRu6H-u;(8 z`4>*^$)?$$&l9-{n_nHZu!AXI30Jyz$2BbP47pO#YT0dUooiqk9$HI}OisF_*~niu zPY$k{yIsFI$b-`w + email.status: PARSE_DONE + email.to[0]: 172.16.92.2@linuxbox + event_type: smtp + pcap_cnt: 14 + proto: TCP + smtp.helo: linuxbox + smtp.mail_from: + smtp.rcpt_to[0]: <172.16.92.2@linuxbox> + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 0 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + event_type: smtp + proto: TCP + smtp.helo: linuxbox + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 1 -- 2.47.2