From 1a6a4581257fec3b59bf187a55570b798ca446f3 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 4 Jun 2024 14:41:58 +0200
Subject: [PATCH] smtp/mime: adds test for url extraction in base64 message

Ticket: 5185
---
 tests/smtp-url-base64/README.md | 12 ++++
 tests/smtp-url-base64/smtp-url-b64.pcap | Bin 0 -> 4904 bytes
 tests/smtp-url-base64/smtptxtpcap.py | 77 ++++++++++++++++++++++++
 tests/smtp-url-base64/suricata.yaml | 20 ++++++
 tests/smtp-url-base64/test.yaml | 12 ++++
 5 files changed, 121 insertions(+)
 create mode 100644 tests/smtp-url-base64/README.md
 create mode 100644 tests/smtp-url-base64/smtp-url-b64.pcap
 create mode 100644 tests/smtp-url-base64/smtptxtpcap.py
 create mode 100644 tests/smtp-url-base64/suricata.yaml
 create mode 100644 tests/smtp-url-base64/test.yaml

diff --git a/tests/smtp-url-base64/README.md b/tests/smtp-url-base64/README.md
new file mode 100644
index 000000000..b24b59b04
--- /dev/null
+++ b/tests/smtp-url-base64/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test finds URLs in SMTP base64 message body
+
+## PCAP
+
+PCAP comes from https://redmine.openinfosecfoundation.org/issues/5185
+With the script `smtptxtpcap.py` to put the stream into a pcap (adding some dummy beginning and end of communication)
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5185
diff --git a/tests/smtp-url-base64/smtp-url-b64.pcap b/tests/smtp-url-base64/smtp-url-b64.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4ce6b3862e5fa413d8425a7eab690c21332c798f GIT binary patch literal 4904 zc-obgO-v(Y7{`b1X5*4r7cOvd^M-g(zAXKslrB`tdsD74dVJB3!` z2M6|p1P^-9bv?KTy|4$Oa@i%(jb2F9gYlpTF2-*UW;NOD3QK+7w;$7i&Nx$e)28tL zp5Oo9ndyA@#mBdF)JaNwlwOY(=VC2?>8T-jjh7CVo1zBs@8BtldYz&g@Vd8jdhgNd zoiljPmabSlG{gU%eBt|s6DLkJG(6GR^XaOGP<16HtAcrY@7~gu_37)tZQ5!+&U~>Y z_zvb)m}y|zfMpYzW*N^W;I6-MruEOmXW`AVALe1sD=Ii;w{^^_gG=LY6j3m%@hI5FV+B-5yqL4OucxM9|CGp?RODdMkt*js z%rROFXp~DNQk}B8pYN;g)diytK==2WUVV5J=6rpi#|HpeWzMuBrxiFpDTj7?d}ui6 zr|ph>K0jDTd4M?Y9jLDO0OrjfsTfz|!<_ZUdfX{lWsYBwgDZAPIk;lt4R%R}k0OR; zxwODVONZ@^$Exd{-?E-vUyS{OWbaVvG3 zIaJ&2*%laftyZ|U+g;$miA7eK<5A>b;d95k?eKe1kYnR%d@LZpmq`9_sJhi_FrZVe z)go|UCRt@ppCSiKc1bxy&XBWoWi6_1t`mS8a?P~^CkgwLA}6lM!BVqQj>%$1lLC_w z5PZ4`6z9`9p%Za%c#_L%o5K|xaQKD?x+^c*5F#P0Mb*u2fB*v_eyi8)Gt^W6d-alV zT7ffC<|Yf*ugb{oR%I_sWoa&(W#+jq&yXEC ztfrXJYPB+q&1N;5xL&5mYGHdBi=o$SG;%hxB*|nhvdFQ59r5@j%5rTn#oM4dzPm0$eG&LWMMkKaafd{DP27^f$5#4BS`<=h|{YtjpF$ z#II`;@0SyQ6F4)le@5h7kP+{%ijT>NXBa*k<1$@to=rvL{Jb4S;10=ZCdO}TGoA(G zU+NjZ3mmxAkyYkcWQ=F4#?MKOiO~Dngy!UgZUJWv_OFSYRT-hVs!&cUmzrdR4 zK2OphkZ@bt!aam=Kh+Djtv=jCxp3jB@x_SgLN4m^bc~12_Z(dTS6?Ztif0n;j;3%s zZV2~dy>OoaN8KI5j=LJJOBxP~5veb=NsY-#?W#U`cg7S?-fy%CdF6z@1&$r|+eMC5 zM#x(gYL^O??w9EXO-8hw(M90EcL!NzPFRuC3LIL>soZ`hOW&2~a*oS!Q4~vMP?Sr= z;qJLml1{3SF2|=~;Fa31kxG2b$*T{4g-AEm55K0(=c=5~TRM%Lruv)@b*gh+1=e`I G5A{C}4Dbj5 literal 0 Hc-jL100001 diff --git a/tests/smtp-url-base64/smtptxtpcap.py b/tests/smtp-url-base64/smtptxtpcap.py new file mode 100644 index 000000000..4c8f0bcad --- /dev/null +++ b/tests/smtp-url-base64/smtptxtpcap.py 
@@ -0,0 +1,77 @@
+import sys
+import binascii
+from threading import Thread
+import time
+import socket
+
+# Create a pcap from a htp test file
+# Launches a server on port 8001
+# Launches a client in another thread that connects to it
+# Both client and server read the htp test file
+# And they send and receive data as described (without analysing it)
+# So, you need to capture traffic on port 8001 while running the script
+
+class ServerThread(Thread):
+
+    def __init__(self, filename):
+        Thread.__init__(self)
+        self.filename = filename
+
+    def run(self):
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.bind(("127.0.0.1", 2525))
+        s.listen(1)
+        conn, addr = s.accept()
+        f = open(self.filename)
+        state = 0
+        sending = ""
+        receiving = ""
+
+        for l in f.readlines():
+            if len(l) > 4 and l[3] == ' ' and l[:3].isdigit():
+                conn.send(bytes(l, "ascii"))
+                print("server sent", len(l))
+            else:
+                data = conn.recv(len(l))
+                print("server recvd", len(data))
+
+        conn.close()
+        s.close()
+        f.close()
+
+
+class ClientThread(Thread):
+
+    def __init__(self, filename):
+        Thread.__init__(self)
+        self.filename = filename
+
+    def run(self):
+        time.sleep(1)
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect(("127.0.0.1", 2525))
+        f = open(self.filename)
+        state = 0
+        sending = ""
+        receiving = ""
+
+        for l in f.readlines():
+            if len(l) > 4 and l[3] == ' ' and l[:3].isdigit():
+                data = s.recv(len(l))
+                print("client recvd", len(data))
+            else:
+                s.send(bytes(l, "ascii"))
+                print("client sent", len(l))
+        s.close()
+        f.close()
+
+t1 = ServerThread(sys.argv[1])
+t2 = ClientThread(sys.argv[1])
+
+# Launch threads
+t1.start()
+t2.start()
+
+# Wait for threads to finish
+t1.join()
+t2.join()
diff --git a/tests/smtp-url-base64/suricata.yaml b/tests/smtp-url-base64/suricata.yaml
new file mode 100644
index 000000000..19e25ecc9
--- /dev/null
+++ b/tests/smtp-url-base64/suricata.yaml
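Review bot: The lock-step exchange in both `run` methods assumes that every `recv(len(l))` returns the whole line and every `send` writes all of it, but a TCP socket may return a short read or accept a partial write, after which the two threads stay out of step for the rest of the file and the resulting pcap no longer matches the transcript; use `data = conn.recv(len(l), socket.MSG_WAITALL)` (and `s.recv(len(l), socket.MSG_WAITALL)` in the client) together with `sendall(...)` in place of `send(...)`. The header comment says the server listens on port 8001 and that traffic should be captured there, while both `bind` and `connect` use 2525; the comment should read `# Launches a server on port 2525` and the capture hint should name the same port, and "htp test file" should describe the SMTP transcript this test actually feeds it. `binascii` is imported but never used, and `state`, `sending` and `receiving` are assigned in both threads but never read. The transcript files would also be safer opened as `with open(self.filename) as f:`, so they close even when a socket call raises.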
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - smtp
+
+app-layer:
+  protocols:
+    smtp:
+      enabled: yes
+      mime:
+        decode-mime: yes
+        decode-base64: yes
+        extract-urls: yes
+        extract-urls-schemes: [http, https, ftp, mailto]
+      log-url-scheme: yes
diff --git a/tests/smtp-url-base64/test.yaml b/tests/smtp-url-base64/test.yaml
new file mode 100644
index 000000000..f2134c12f
--- /dev/null
+++ b/tests/smtp-url-base64/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: smtp
+        email.url[0]: "http://codashop-free01.duckdns.org/"
-- 
2.47.2