From ec560e045d3aa5bf749fb0dc12b1ff75e71b914b Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 7 May 2025 11:13:34 -0600
Subject: [PATCH] tests: lua smtplib rule test
---
tests/lua/lua-smtplib/suricata.yaml | 19 +++++++++++++++++++
tests/lua/lua-smtplib/test.lua | 21 +++++++++++++++++++++
tests/lua/lua-smtplib/test.rules | 1 +
tests/lua/lua-smtplib/test.yaml | 14 ++++++++++++++
4 files changed, 55 insertions(+)
create mode 100644 tests/lua/lua-smtplib/suricata.yaml
create mode 100644 tests/lua/lua-smtplib/test.lua
create mode 100644 tests/lua/lua-smtplib/test.rules
create mode 100644 tests/lua/lua-smtplib/test.yaml
diff --git a/tests/lua/lua-smtplib/suricata.yaml b/tests/lua/lua-smtplib/suricata.yaml
new file mode 100644
index 000000000..7062f81bf
--- /dev/null
+++ b/tests/lua/lua-smtplib/suricata.yaml
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+ - smtp
+
+app-layer:
+ protocols:
+ smtp:
+ enabled: true
+ mime:
+ decode-mime: yes
diff --git a/tests/lua/lua-smtplib/test.lua b/tests/lua/lua-smtplib/test.lua
new file mode 100644
index 000000000..9dc0c07c8
--- /dev/null
+++ b/tests/lua/lua-smtplib/test.lua
@@ -0,0 +1,21 @@
+local smtplib = require("suricata.smtp")
+
+function init ()
+ return {}
+end
+
+function match ()
+ local tx = assert(smtplib.get_tx())
+ assert(tx:get_mail_from() == "int@smtp.lab.com")
+ local rcpts = tx:get_rcpt_list()
+ assert(rcpts[1] == "test@gw.com")
+
+ local fields = tx:get_mime_list()
+ assert(#fields == 2)
+ assert(fields[1] == "Content-Transfer-Encoding")
+ assert(fields[2] == "Content-Disposition")
+ assert(tx:get_mime_field(fields[1]) == "base64")
+ assert(tx:get_mime_field(fields[2]) == "attachment;filename*0=smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13;filename*1=ddf80e995fd98ae442f3be499ea928c67f..zip")
+
+ return 1
+end
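Review bot: The expected Content-Disposition value in match() keeps the RFC 2231 `filename*0`/`filename*1` parts separate, while test.rules matches the joined name through `file.name`, and nothing in the script says the difference is intended. Judging by the expected string, `get_mime_field` hands back the header value as sent, so a comment above that assert such as `-- raw header value: the filename*0/*1 continuation is not joined here, unlike file.name in test.rules` would keep a later reader from "correcting" one of the two strings. The recipient list is also checked only at index 1; `assert(#rcpts == 1)` would pin its length the way `#fields == 2` does for the MIME list, assuming the pcap carries a single recipient.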
diff --git a/tests/lua/lua-smtplib/test.rules b/tests/lua/lua-smtplib/test.rules
new file mode 100644
index 000000000..800444428
--- /dev/null
+++ b/tests/lua/lua-smtplib/test.rules
@@ -0,0 +1 @@
+alert smtp any any -> any any (file.name; content: "smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip"; lua: test.lua; sid: 1;)
diff --git a/tests/lua/lua-smtplib/test.yaml b/tests/lua/lua-smtplib/test.yaml
new file mode 100644
index 000000000..9ea5b0f1e
--- /dev/null
+++ b/tests/lua/lua-smtplib/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+pcap: ../../smtp-rfc2231/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
-- 2.47.2
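Review bot: The `content` match on `file.name` is a substring match, so the rule would still fire if the extracted name carried extra bytes before or after the expected string, and the test would not notice that kind of regression in RFC 2231 filename joining. Adding `startswith; endswith;` after the content pins the exact name. The rule also has no `msg`, which presumably leaves the alert's signature text empty in eve.json; `msg:"lua smtplib test";` would make a failing run easier to read.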
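Review bot: The `--set security.lua.allow-rules=true` argument switches on a security setting with no comment saying why the test needs it. Going by the option name, Lua rule scripts are refused unless this is set, so a line above it such as `# Lua rule scripts must be explicitly allowed; enabled for this test run only` would make clear it is not a setting to copy into a production config. The check filter matches on `alert.signature_id` alone; adding `event_type: alert` to the `match` block would state which record type is being counted.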