From 2a2713e45ced5d06bdb96f03e827b55b7a3a9b1f Mon Sep 17 00:00:00 2001
From: Alice Akaki
Date: Wed, 9 Apr 2025 17:47:21 -0400
Subject: [PATCH] detect: add test for email.received keyword

Ticket: #7599
---
 tests/detect-email-received/Makefile | 3 ++
 tests/detect-email-received/README.md | 8 +++++
 tests/detect-email-received/input.pcap | Bin 0 -> 5653 bytes
 tests/detect-email-received/smtp.syn | 32 +++++++++++++++++++
 tests/detect-email-received/suricata.yaml | 29 +++++++++++++++++
 tests/detect-email-received/test.rules | 3 ++
 tests/detect-email-received/test.yaml | 37 ++++++++++++++++++++++
 7 files changed, 112 insertions(+)
 create mode 100644 tests/detect-email-received/Makefile
 create mode 100644 tests/detect-email-received/README.md
 create mode 100644 tests/detect-email-received/input.pcap
 create mode 100644 tests/detect-email-received/smtp.syn
 create mode 100644 tests/detect-email-received/suricata.yaml
 create mode 100644 tests/detect-email-received/test.rules
 create mode 100644 tests/detect-email-received/test.yaml

diff --git a/tests/detect-email-received/Makefile b/tests/detect-email-received/Makefile
new file mode 100644
index 000000000..56a83ff51
--- /dev/null
+++ b/tests/detect-email-received/Makefile
@@ -0,0 +1,3 @@
+input.pcap: smtp.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/detect-email-received/README.md b/tests/detect-email-received/README.md
new file mode 100644
index 000000000..1a35343fc
--- /dev/null
+++ b/tests/detect-email-received/README.md
@@ -0,0 +1,8 @@
+# Test Description
+Test mime email.received keyword
+
+## PCAP
+From created with Flowsynth
+
+## Redmine Ticket
+https://redmine.openinfosecfoundation.org/issues/7599
diff --git a/tests/detect-email-received/input.pcap b/tests/detect-email-received/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e911564e86b70ea57a9696962d8e47ed56b93001 GIT binary patch literal 5653 zc-n=S2~-nz9)Jfz)qtWMNmT+B^U@K0TV&-qTY&t zg;qtNt`~=(s9Z%s6ct&evevHF)p}45o=4rav?}{QCOam^N#ysyf%oyv7n1oU-Di%L zS`t=-{?^}55EkHbwaf2I+VZ%>MDR77-STVKZQ@?KJij_hH;9-<5H9e?{0C?*T7a7+ zxD7u>IDsFuh7_?SNoWRQifsWyx%7wY$imqC={>oPKNwOV0g?zOz#)hPFg9X)l2GSi zisMd(a+c%%@?lR?|LSVqCRP_4FqC*0pyXr9&ab%y1rLI8wf5V7&f&(AlV#WN8Aa2S zT}Cbxav4Dq0uDh4g?v(-tVxYmNE3O&S{-+8;XY9+pBLTJiilN2D9y$v)K@!erlK3{;6qL^AOofNy;?qXa=*NkvlxXY6B zW>r=*Ys3*?YLTlKcKs)yM8kk!k}faa;a4qxHgjMUri9XzLnbM}bwCk8%nAq%BZDKt zXL*ypNKxyrH|3=-oq}bXb~Cas>OAC5R=Rl&8wSi}4OU)M)09?|6d+sRgTj)^rPwL0m~k34v1-xI0p1eblvP7n15O6hgq&=# zlh0l*A%+idFzXg@w)2ZWa?NR)>x?K#!KP7OqZKc z!dS+LG8fHWKIY-Sb2~#=%Qb)R?vcPFrx!xUJ~$*^2+ zDdQ9{yyMiXf=}vJKMX#?S}qby8*+MrolcZ-2?;m|=gMQ-NzPk1mf6cLbs$PGO{p+R z0Zy@hykCyeN|RF+)I0UQ{*E!d-L|N2TWgH#-CL`&SnIWcNkgXpz@~HeG4-y#)!F@0 zICzPplImxzhbh1`|2M;W6aUUQeR?eEq%u$R>yv`o%dGX%;I#rdox@IjfD!=?!trfh zGf;eeuWiZRalMEVL{q9vQh<{%;oW*N8Q(;^`}-NsjC%jIlV1Mk(`7C`&aCY&f!T^Y z4`a{62bgyEot`*s&-F~cW$PWm+744-yUT{{HXdZ0#{QY*8tzu!v}11cLDqI#!E__1 zGVBy~h-r7@mzCPvdEGz8xaG#Nw!;*7(epQKCos{@=P=_beDu@Q9~anW+&%JLFKfGQ zFo%%mSJ=~{oN0GUY^B~7+aBROW{@LmJ4}J?$_?AyD`%XBmJ4gsTGp0{V_Lgd+Z_UP z6FIHKP6sQPcK1HB(s;(rd6w0x?qF?)DZq*EY}ig{qFr6(JAZc_GkCiezjb)?dDh=p z+uej)5b})2p6jZZcI{m~zsDBXgh?~1e`0NiDX`so!*=mU7^gK6bDhE-ciPU`TrXv9 zcNQi>PBGYNY&Dngg^yP-`8nFZO4CmJ_Bg8Wnek{!n@I|Ax^xNz4v++3BTfxtB(hA` z=-hYYHgGE)SS#HF(}9d6*r*dw66o!+VdkvA*mW%Jyz`jPLzF0*vfCsD7zNKD2oI4b z8L5$~G$dS9NO?+Xy2gj3QWD5za!n%X8yFE5JcWlpVe_h^jQRD+3kH4p`oC^htTO6Z zTXujY+#Z>a!{(}ETw*5p2AmPTz@kx|S<4sB^ zwT7Gq^|4@dEh89tF1j&bOLj}E%N-xKv=;X83WEggu;A$9T%sNvgyU<|*r$6S+3$D$ zXegqT)0F8(g17a8Ay2^rg_2S73@X8!T&x0%v`itVQZzh;QYKZ9E(ZUbFW~dwKSA8* zWV{Zo<2)6mkm>|z1xNP;-oxbyB>sjpUgkqe64TvC0iO&=RgprzP(%uZ-h4jzAl>=k zhI2TaU~+u4qPu8oaY{wc_`+m!IV@x_N7^==;|8Fd1_U_yef=?G%bb2LE$dx}C`W0E 
zzhMpwnLdZJ`+GTzPtwKs!2hH0jjIShR7I%OE&o6jfl-zElS~y=g?wa)R9jc;xzWpP zm0ncE3RlUlM%NbGn8Fo_crQLdQ+$o8^y;e&QL_AF zfigm)GO~K6Op=GxhMfA~>8!3j3FgXJX2LS58Mus~fw|7S zZTERpwrIzTCb!brY}XmfOnsRpv0#M+J=k88*f%nsA6x917xentqukc!Yi2zQkth9} zKDdcXECK{Ln@`I363dg`4D8G7LzD=bQexy;sP`0H1pBY@z183C!yD~`CdQgPpuO7? z>gs%8o|m;*>lS3q$JUkKbBSy~fYaC-pEG>I5LtNv=P9D3(UjFj)-8JLE^ze-lzEe2 zZ+w4wbOVP4@9#zMu<%2d{0+^_Njbz%nA&+I@TA@4L!RbNien8=O4)-?D(DoKSO^Gk zbT2A60m1bzIyO1(K$O`urPT1GIM(`;a(@m^N|~Yo&#LYcT`J{GYACH{LaIV4Pw^pT ziBgrC(tI&T66`(+OMiBnkzO&>@A8qIn)_4SgKn9X_CV6jSo$uYOacTrp=piko_oVp zMf=M3B8n?bId3HGp_h&aTQ;`2(8Aapf5rc}CTetulUV!2tc?iSG+~?Vt;}n(KR5Jl zt{L@uzIx&LVz$?09Fg8;a}_~^Pzr_8jnpK{)g<_kf{NhkN}+c#uxZK}#?)>w@Ajzp z&CB|0er+*pieAwwi?Qj1HZFP@4d<({u^HiR`;(LMU;hhH#?zE`BhyH|sTbI=X&w8s zjE+m^y)R$b@+W&;{2|?}P88DFg>`NMN;n|EIa(pojuoq|d-#Qe5hZ}8)R?3Ioo5pL zy6H`(rBmrt0x4C4Csz+o5teK|$4KTzsY;R_R*v@yIi_ISnK)74SByuJYp~>+c4q&y z%bS07`GoLKo({JNVB0@w3Xp6Em+skfLM7N}$@zEQ#1!y@7W`a1dA&nUE^D^&fESC5 zvapfp0`pc`XLQ4coTVFw&Ey1Uvb|MCQ-IO(Gw|(40cq~7ve1i+tHtAzkbSSlRL&Rs QJ!h>4t{@gOkt_J>e 2.2.2.2:25 (tcp.initialize; mss:9000;); +default < (content:"220 smtpblah.mailserver.xxx.com ESMTP AAAAAAAAA";); +default > (content:"EHLO Simone\x0d\x0a";); +default < (content:"250-smtp001.mail.xxx.xxxxx.com\x0d\x0a";); +default > (content:"MAIL FROM: \x0d\x0a";); +default < (content:"250 ok\x0d\x0a";); +default > (content:"RCPT TO: \x0d\x0a";); +default < (content:"250 ok\x0d\x0a";); +default > (content:"RCPT TO: \x0d\x0a";); +default < (content:"250 ok\x0d\x0a";); +default > (content:"RCPT TO: \x0d\x0a";); +default < (content:"250 ok\x0d\x0a";); +default > (content:"RCPT TO: \x0d\x0a";); +default < (content:"250 ok\x0d\x0a";); +default > (content:"RCPT TO: \x0d\x0a";); +default < (content:"250 ok\x0d\x0a";); +default > (content:"DATA\x0d\x0a";); +default < (content:"354 Start mail input; end with .\x0d\x0a";); +default > (content:"Subject: Test Email\x0d\x0a";); +default > (content:"Received: from client.local (client.local [10.0.0.1]) 
by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000\x0d\x0a";);
+default > (content:"Received: from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000\x0d\x0a";);
+default > (content:"Received: from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123; Thu, 10 Apr 2025 12:02:00 -0000\x0d\x0a";);
+default > (content:"From: \x0d\x0a";);
+default > (content:"To: , \x0d\x0a";);
+default > (content:"Cc: cc0 , cc1 , cc2 \x0d\x0a";);
+default > (content:"Content-Type: text/plain; charset=UTF-8\x0d\x0a";);
+default > (content:"\x0d\x0a";);
+default > (content:"Hello, this is a test email.\x0d\x0a";);
+default > (content:".\x0d\x0a";);
+default < (content:"250 ok: queued as 12345\x0d\x0a";);
+default > (content:"QUIT\x0d\x0a";);
+default < (content:"221 smtp001.mail.xxx.xxxxx.com\x0d\x0a";);
\ No newline at end of file
diff --git a/tests/detect-email-received/suricata.yaml b/tests/detect-email-received/suricata.yaml
new file mode 100644
index 000000000..ae9468a98
--- /dev/null
+++ b/tests/detect-email-received/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: yes
+ - smtp:
+ custom: [received] # for 'received' logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ - stats
+ - flow
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+exception-policy: ignore
diff --git a/tests/detect-email-received/test.rules b/tests/detect-email-received/test.rules
new file mode 100644
index 000000000..2e78973da
--- /dev/null
+++ b/tests/detect-email-received/test.rules
@@ -0,0 +1,3 @@
+alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc\; Thu, 10 Apr 2025 12:00:00 -0000"; startswith; endswith; bsize:119; sid:1;)
+alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz\; Thu, 10 Apr 2025 12:01:00 -0000"; startswith; endswith; bsize:126; sid:2;)
+alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123\; Thu, 10 Apr 2025 12:02:00 -0000"; startswith; endswith; bsize:130; sid:3;)
diff --git a/tests/detect-email-received/test.yaml b/tests/detect-email-received/test.yaml
new file mode 100644
index 000000000..334e13c60
--- /dev/null
+++ b/tests/detect-email-received/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.received[0]: "from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.received[1]: "from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: smtp
+ email.received[2]: "from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123; Thu, 10 Apr 2025 12:02:00 -0000"

-- 
2.47.2
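Review bot: All three signatures in test.rules carry the identical `msg:"Test mime email received"`, so the alerts in eve.json can only be told apart by `alert.signature_id`; name the hop each one covers, e.g. `msg:"Test mime email received - hop 1 client.local to smtp.relay1.com";` for sid 1 and likewise for sids 2 and 3. `bsize:119` / `bsize:126` / `bsize:130` add nothing once `startswith; endswith;` both hold on a content of exactly that length (I counted the three values and they do match), because the pair already pins the buffer to the full value; keep them only if exercising `bsize` on the new buffer is part of the intent, and then say so in README.md. Since every rule is an exact whole-value match, the test never shows the ordinary defensive use of the keyword, a substring hit in any hop such as `content:"[10.0.0.10]";`, which would be worth a fourth sid with its own count check.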
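Review bot: The three `event_type: smtp` filters in test.yaml each assert a single `email.received[n]` key with `count: 1`, so they would also pass if the three values were logged on three different smtp events or in a different order relative to each other; since the point of the test is that one message yields the three hops in header order, place `email.received[0]`, `email.received[1]` and `email.received[2]` together under one `match:` of a single `count: 1` filter, which pins both co-occurrence and ordering. A complementary filter with `count: 3` and `match: event_type: alert` would additionally catch a signature matching more than one hop, which the per-sid `count: 1` checks cannot rule out for a future change that logs extra alerts. The suricata.yaml in this patch enables `custom: [received]` under the smtp logger, which these checks depend on; a one-line comment in test.yaml saying so would save the next reader the cross-reference.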