From 5d7fae856e472ac1017896b9776d2a6d628133a4 Mon Sep 17 00:00:00 2001
From: Modupe Falodun
Date: Wed, 2 Feb 2022 16:02:11 +0100
Subject: [PATCH] detect-file-data: add tests for SMTP file data

Task: 4938
---
 tests/smtp-file-data-01/README.md | 7 +++
 tests/smtp-file-data-01/input.pcap | Bin 0 -> 26387 bytes
 tests/smtp-file-data-01/test.rules | 1 +
 tests/smtp-file-data-01/test.yaml | 74 +++++++++++++++++++++++++++++
 tests/smtp-file-data-02/README.md | 7 +++
 tests/smtp-file-data-02/input.pcap | Bin 0 -> 27850 bytes
 tests/smtp-file-data-02/test.rules | 1 +
 tests/smtp-file-data-02/test.yaml | 74 +++++++++++++++++++++++++++++
 8 files changed, 164 insertions(+)
 create mode 100644 tests/smtp-file-data-01/README.md
 create mode 100644 tests/smtp-file-data-01/input.pcap
 create mode 100644 tests/smtp-file-data-01/test.rules
 create mode 100644 tests/smtp-file-data-01/test.yaml
 create mode 100644 tests/smtp-file-data-02/README.md
 create mode 100644 tests/smtp-file-data-02/input.pcap
 create mode 100644 tests/smtp-file-data-02/test.rules
 create mode 100644 tests/smtp-file-data-02/test.yaml

diff --git a/tests/smtp-file-data-01/README.md b/tests/smtp-file-data-01/README.md
new file mode 100644
index 000000000..b6b28001e
--- /dev/null
+++ b/tests/smtp-file-data-01/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test file_data keyword against smtp
+
+# PCAP
+
+The pcap comes from https://github.com/cisco-system-traffic-generator/trex-profiles/blob/master/Mellanox/Traffic_Mix_v1/pcaps_for_application_mix_v1/SMTP_IXIA_98P_253B.pcap
diff --git a/tests/smtp-file-data-01/input.pcap b/tests/smtp-file-data-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b3c8f537200390c2504a8d6473d9f77b9cb0ea41 GIT binary patch literal 26387 zc-p0X378yJx%MOwz#)mFC|8vdNovcpYATEx~i?J zPNxB35OG5=C>P`cihu$l5JcG(B(eyyJRr*B#v(2ky`ulU0>Tyl_x;W}olG+Jf1l@P z%Sg$* zz1sTP+E&c_^6_oX9^aljW5#3q&Y1bVH{SkC+x}N&z1T5%tiZOPRV;cIz{pfD_=`a9Y@Jm29!$aZTr9dnKSmdV-BQ0v*n%pUg;mR zqvYq0rS$zDx#Jj0eh(z~Lu&tYYhF6Qu5@yeXpGJhL(E$;qIA~ym;|KCsxrW6)jk_ zaIsohT$xsz-AdJ0X)j2eAuk_=aac^8zR{tv5of47JLrt!^Il%1oRd@(dttE3IXb;C zy=3{yh3Q2rmMompe*33i`x%$IV)NWq8!%fo;F@VRAV1kL?|nbM$1e5n+qm2dRjGb6 zq|Ux(ueK5-mZp=s{=jo6^_JPwN}V_FeFwd0q}GBQrS=UB4m)|@Q$d0qSakG~qnGTs z19RH1zVHW^@v`^cyw{F5Gj-pW9<`E}y`sL;zUOi2S9vq9|A)QoqkrS2zxRok=Thp{ z>g+ZJS!%|vQfG{&Z=}@AUz%1bZssqpk^04_&!N=C%N8zh29)oI&YX7sGPZu*TK&^# z_Je);r@k@!+DLY!Z!o(yyLOHKef6k$qi^j%_uAgR)uUtGW9vtIhgbKF>Nk3_YrEHN z7|ISAS-k`6*Pht?{z>clH<;@VnlC`Yy0PYOCokwbd1TaCGdkKml6BUO4GuYj!)vl@ zcYOEQ9bV~PKQ{2sKF#-zo$_tm%884)WV5)F`%dm1Shi4pafVNv)4n-<=r_3O-`w2F zFb{l;o4)neJ896XXY6t3$0s}Xzb-pzHvOV~a@_b#`;5Qc0;zjvc5k7V2fQMBdF8ZH z=k0&p-Q!y7H~LTANU36J{p*H@RyoJSDk!Mvc&nEAuyWj-_BZBTel{=r^a;DS(96Sj z<7KbDajFL0`SCMmeRe9C%=Co3A zGrxJoNImy$S5hhgSe#yzUO4T&r196NyeuenUU=GRT*7Yqv_k2Cy}5*MeQoM~es(`B z8ujJj_HEOPV z=Sz3;+5;Q6{pD6jJ>&Yl+dN40rjt5;XKzkozcXN5~t#N zzT*YeTGHjfG@QDZl$~RG*A4a`m)3vGX@BCi!jW9VPj-KMD=e1Ft~GYrwagiN+|@SO zanRB~zT2+hp4+*Ovp#*-wcmkM=gGFVM`q}Mca}Qi4z-z5)wlnd)Q|m4Oa10PU3*e0 zL&kz8Uw|i=)7~2f38U^qaDbUC@O78Km5aqJ-*NAU8-WlNTA zT(W%m(#4AwAH8zr#zjjOEm^r_<)W2~4w=(FTFafP^2sV^tgIq6KX$@EImIw?l$$R* z6m*1FmQ(4hO_8sXW`0K%T}xc13Gdc{&E&0{Lg70QgQ5-)Pn44SamHw z7RJNL$^GL;FI4qhypuKbM`7ik`RB2)g;!Xo^2*z!3agxt3et-fFFo4HHJqAPa273J zx~R(;tpy-jRcG;XXW@!f3m2_gxN`e4m(6KEdBG6AsG?OnaJ1oC;)mgc)3>=A;Vwwa z7N!@kz<(AkTDD@&Wm^|)BeJjjv?a2_Ak{5Xkv(slAUp4%r7t~ck!^g8$hObH-wPJ} zKS0_U?nG@)j;i{u7wqs(`$BiA2A5l(D`C(8}1t$p|7vB#OZ$a$V2sK3IJ(V;Z zD2(g)$}QEj_9VP&tty)dz2((ZsT8OGzwWoo3EYZ0_K*|O$>!vc|Ha+g53Kg$Y8ZQo 
zSdg0}Q0)p{?{bRXr|$j2aw7Ze&)Zu0xKqR%jZF1MceR}{>-;s79S7g>_92Vxm%dAM z{XaAwxD8T&|LV*Z`cn9{`1L-)vVz`tSX&M{>E@G;0n!>24maf%R1Acj9z}&73%QJ}xj>{!ZiIy~G{7V}odT^uuG$}LtU5@MzKp_GJARNq3oPsJvN;#2BdzW1W zoQ}fYXgiOcdRX(tmUG;kw4(}Q7<^@uTPvtdp6@I97Nj=fvRCCMP&W1ve%OuS0g(A> z7m_G<0_7JeM_f;2uiA50Pq1Zpvg45ZE-P6wb*)~c&`P|)G>B}EPU%IF2%a&p52{z9$Qor%)gOm&f;Er-1X;)BuA{c~; zM*|~vqR!k>n6Zzr4&y1rPC;}88`15IV$Vs9D5FwCtdF>ZWl{i$j6LE~ilF)1bw=U_ zzU0Ab7|id&9B}k%fmOo5_-oIjezDEzZEN`+gPvR8~cg zgk7foe-uiLrBp#;sw(mjhbszp*+cWHlKUD%fLr9wXPco};eK)ox1W$gxi!YZ5f}a* zE;g^hDr*1WxKRZz*ozE-$cKIimghSqTGm+D1(uM8^|(-if`?#V1ytamFjeei2xJ*( za7j>sghV0e6b>mNDhF2#t`<7O@FchdVWBY=!qc#}iWdMl5RobfDqgDx848nd1{kQx z1K2FwY*FY3;#Y4NO*H1yb5o>hz>(L>9^F|+^aNf73*)un5#b)gNaEiPO45zJIP0z1 z|3hR~p5LlIaKv|n6TG>rC-~y{WXJm-zJ6g7*@ubl*k|8G5K z;<)t$YcDiXA9~;cN`}%RTzA3sg<^hX#=DJekFh?QRyQ?=OXG@dV5jT2;1s1Y;Qlfpzl?_DLP=g(f6SsEP~&dWwCJEOE$-Yc%;d zk!zE@(roy?>>1vV9atLf8-L=0xDz;}B?p|8C9)fPS|a<9AgiV#d(qFWC+ObSAp7vI z-XgMqGImCM5N(ff3VNI`cWFGt<+^ldhB@_wVVuZM+!3z?q!B(-AUFX~fm4TJMeLv6^Q5Zr!;24WV zxP+=v10A6ms<3B4&=4h(kX_R>5Amuj6eJF}NA?~sKS2b5YX%IlX_y{EPX^{5gI5BE ztmx1<7)Q!EwT2r)Tv5C|LntKxs;0xht)*ZBaZMHvtV=3^#zC`6@L{4W^}rbq5g){- zWRT4Sg#%ys&L@fNL{F;<_7QiBC;02Gp5Wq*lO2aWIee)__PO;$_wkusH&E))b#_9g629bY{+5kjWq$oClDkND7k;gd1IQ&IQ2bC{{SZ(GLF*&bUA|_9cdWQ zmqf@91sQB5Q%JhV3aPT}R2QfQ^M0s932uYDx~kb642W42vb8)mPbh-P76u^2%_lTC z7JIO(#&yq+({urKWML`2@v<&q7|8KmF=~bYz~B}^{4%o5o;Zz$Q*`6J2fZWkc`k+s zRG=jd*$lEwAp}^N2!{X{jXEwrl^?CJ?FElqYD`RuB9TVyw#Ms&a5`}WV>4ylv-@7YRU-X(R& zc~kY}(vtNAe^{=i-njA`vnW}KGl%LH!nD0XF=HmN=G9@N+zdB3w5ocUJm8ztXXgk z66nOGLl4tB!;?%B@`j6@V!Mo!T{emABu}Zx*Gf#KaTg5jJ-8}A)mv67YKRg_l=QtS zk|eh(`6Gok6DH_re<+E{LGAU6h-~S-Es@<%kbU=5WdHpS))V}y-6H$Lg zVu;|(<U%6u{-m%2M^)!Vsbm|WThb--Sq)uEJ}`VfhMHI`Xjek z^qFOwWP?5(%Hv7>hv4_ZeCqVVG$WcAtc?br6WTwf$SAm!iUeVy-XsTl-$mSjOK$@L z-ay0&U~^;`32h%Ar~u}&W|gtww8A)ymn(UZE-65o6i!qiO3j;;OeBf0Hby92Qi@oW z1k(?wNPWZ^lz0=JO|Q!ZKsU;yAin5u*~88bGk2tl>#|BNLi$ygV!}Sx?sg@S{TPsK z;RzlTPVn-sp5XFuvLpR`<-sPhza_fw{m{s4O5LloW#l+O^yQsX_2u%=dV<+^8>!jf 
z_EWM%HEt*&%2?LMUO_`wk9ddTW5o$8ld&KIz0`3ZqUnXq7J$S z3rEz5rTo`v$e#;k2|yHFXPqnLgbb3k4KUcDhUCr)emyM0>4)0*ksee-EX5E|swTY; zD-&gv*7hR-oo~vE(i$0KJRtR!AHZ**QZY3Y+^K-obytvtFwHVyrT&%9=kJ>h-#6WJIl&L~B<4)q;U+taf$v-Db3hhy$>N;3dg zmrQgCCSmPEN_N=uwSb4!lZc*|g@#zr9Fm}#(;1><^x$z`PEmVGVMZ6^%0QehMHhwW z4s3C!8#+lGkm`xxwTz0sCkLQK2>HLZX8mC*b zH&+@KEVIY-6Nv4euJiRZlvI0s1yzk=rxY<`A$OBzfEZ>ViN26`{F*P-q?OMyhh;h6od(B~$) zl6aLix^c8JQpQsXZrUyjf?}=B!ZTOP=8Z0@N~M{BaFDE) zO@X`;HL441k$eHKdb)(ff1wxYrk^_@B<0MzI;!;4V)E+${_Wg5iR_{a_HN|~o)%B= z%UwOeRcB3hEdBHPe>9Q(1kwF^uP>fp-i>ow>5Fuoi#v6luR6!ZOk(55Qv6+~r^cL9&_+oMdN?C8t_p#Q3vNSGU*5W;u2y^G1yDiHbHO$S zL92ChP)g*uaG1}#tU^fGl@dL4v>{zmxSq1EW4c@f*lVQwCVM~o)OU#NlXtX4_B28E zTT_v}W;g2z`aWopz2;mZ%cat3g6U{SEBQ)_q@1O*0x1uEHY9+%N5eMlIBXx;bSTWA zn;2m?grP;Mf_UM=@G`bd17@bPABxw#e$UkOV0ly{q2gjb(3frw0w7rv?+KsXDazvd z1h__mSw_@Iq^^?pYq^w7X2{b#>Fh}pu_%#2^pSm)I-wyj7=+~Q^BT|ElQh^M?z}TX!$x58<@vwtV9ZnLe!!!?T(!@-+M%f z$UX;TTX+JQ$GYkhyLy7JeQL5}`Rms_(M0xti0;$(UUStQklHw@Wv}U9MPHtrsxM#r zl=TGfJl;sX;_62!xgae-Z0rakY}q;j3%l*c$HDeA_s7Sh_iSPz-!*{H>B}ZfjKGG7|je_iB zQ<1%PZ|eyze49n~#nnW%n|U2KAQyVRro*0|X-G8XicKjLcZ>whlNv@vx@95BkOToy zb>n}fv8HFl99myLQltvYrE66^C3W94oT@F+3jHBhj$E=I_IvCILTrXjq}7lpY_%kM zww%CdBGp3)5HW0Dk0Owg__az^(>sAHhC6D0uQ?WwonPrRTI(|H)H+tt_w7mSK&~f_ zs8{Zo^%_(5XKjL{t=S(W#X%|q4gEEho={_F1 z?$ehO*^@rfvWqxJJi*nwdV=ddKiSdMcF13v$lgeFOWm)YLaE39sa3D3bOWX4&z`C; z*L~i4f|virNWDL|J0&aak=MsE<;6Uke3Ds~&VD)2WBe!p^dbb)n3Ympe`CFQ2aBDr zt!aR8M6B}kgpjQxaLg^-0hmC_ON;|FLQPEIvcpYMlMSm?M9f;?CFJ13SL&=N2)x-$ zv&=(A&!7}SK{)W0awb$YF=GNy>6AbvX?@YHNPV)|5_Hzf!rVA^Yd(F?T72A1>)C^- zmgh@Fa8NyWq=|jmD<*b)hIIu~@h&OQ3Ek(;NNR$`PBiTyu7(r3U2R(7urndLt_)T5 z9qn0cH*cH1%c5m}kEaieOSX-2fsP$FcrnG-iE zRn7^3?-Ml7*6D3ML%K#x5C^0#0z_gNR|@DjO7x+zii)^lmW;{%@XtCKvPx4}%&9N_ zg#5j#f>?Ni)M&c|fBIM1X-*KCrYa4u7E4RnrW`^GB}=S3F1uT4iRiABKVaZ>TmUWu z@dpGXV1a2Zlnfybca9x~0xMPkHHm3BLuQ6W!W+G~=$>b%)oeG(_?05ZD)PE{&N=}! 
z9Iup3Io52K+MF)>^p@Nm>^xDr3+E%VKx!hqN4B#QVx8a0YTc4GQYqUIm;fkKp2khJ>-yCZk$pL z)bW#7=w`KxO=u3zNei33ds1drAfVi_dV1FUXNc^<`?W;&RzY^B>GT^9w4UJEn=G=| z{e#H*1rRJTQenTG+mPWL@&TwR3vgmg8R-SGs*y-gu!DA4`T?n>>5QQ}5|Sf$(2P=c z*Whr&Dj+YKD!W#wSmuc9mTOA^4?)JQ8@tMKkW(u99L8q22pNL&)U-wR;gv-9+ShJ6mQo+QWOgfkxl8mVnyN21eZ_i$U!H5E zK6le%O2!_r(bj1*Al6^JJYr;nTgNG1;b_^!O#i?Z;P_XE#4|`(zzH=6=*Hi8Cl?~q z*L1jtqZ*@0Bwm$01{qJ->|{Gd+lmtOg|_utS!G2R?-$~UszzFy1T(J@^97*mhEjdXxrG4~W4cMkQTlw;{9U>a;l`qD%o!$_e8L+>X~KE?c87{I()iYtkGTGQ1AE?VrA?`IA0?-leh2l)m-gLZd1gWCI)IBABULKoqTgkhxf;hgl-6I0EQ{3q50 z433@Tg!8gbBqMQMy1$urvTMHo_!1)9b#tq;RYw%W6AbR^32wP|vSanUHAQnt7~zLAl16H5J3*=z3$P^)ph9 z(8J0?L8TtdGXZM*SW4C&a!Ep&!h|K=+$xhB1;kDQlBiTO#J!M$v(t{{Pr>fvMJvU-$$vX`sSp1w!-UuUN z)yvLlY6`(xlqq{~;$NM;_W>6W+21X1iLA_@JiQu z1l+XwYy(e!{2ffO^r^kS?5<-XH@b5enlq1bg3K$*6cW$2u}NhmLz3; zvwAjLrvPlyB((}IC|n|^`^~YaSdN`SP0M^v1xXD7cJGrM!dtm|yih{IfEoWl_(C?0 zw1TJZyM1fMPV6gHg_4*KFr9lojM%5rQ`Is!Ll2QO$p(+P7`%q1*wp2$6|BfqnDlqD zzEi4+CV0xQ%+BU?i0D||jhl&=ju!q8yCm;>b$QE*p(~zXcvnyG?VBe%);QI}n#gV? zx*vIYuT$@Y)QB_Qn+^$6kHLbZ@1$kvRzM^*Q+%*Fi^;Ffb($J>C}- zkp)VTqa;N|sMQe1mzYCrGA%@@4cUZI>dDf3>=BdUJYA7l;gB1YdGst`-YP+{)84^o z-i^3w9cE=dLJF1)vySp(r32fjE=}z@bL5vq_W3WgMD}?>c5o`Pw=J=rVAh!y*-K{- z*~ILV>+qCS*;ym~R(4~(z{X3?XU9U5bt^tk%N1_h6X_m#0M;e$l_UP9h_8polp)}H z8k_BYlUm1|GH3gjvBJ>3W~ir~HH*^{1+ZTk*v}@*v&E=(7!wvp1i#5M2(?&yWY9{_ zj)ldnHgPbvS%BW5vhR%PgA!Do(OR|2Dy>and);aR&(1VK2xVD1qm<>iX5y72^lA#!8{XI$&6)uD4CHp;nLd@j2+P~1yLSN}t z1Cnw{f*f6Vrc%gQgJ^!yWn;pV49T9B)CU@XysXElGF+MPM0<`WC24Vqr7HHfMTx}c z=n`Ca2~N}1uVjN$YXvVa^FGwRD6Ggqq)(oB=UgIt%G#F5{!x%Uek!tec3Drb)`#ibrr(ovDZpnqEuBHe#{s1(S-UIl!<Wf@uWd0^I_)52>`Id^zP=3kB}j*w2nto zq2ORoh7_MpTj1;7VYXE)uqb~>E~y(Ga&8cJ*;`g0ttl3Dbk@(L5Z7_mHQQ0(^-1Wm%#s#;J^f+{izn*ZWk<|a!5qutL_V9K*p1hhKXDn6J?f-AT6uyq#S<*v z)f3!x?_|f&!b|_lB719t=E zaY|7-uJ*(kD+pcCeO8|IA!+!An%JKvL_?C6q{R#vq0KHTJ%2z~z`^A`KC$I~A{+j( zC9-lBF~8GU#Cv+JCwR1MkyU3A*|MqWoDi0SfE^ea;^AaiMY@WsdA7qdEX%Mu8OL?? 
z7{wSZeEal(9KufPXdxc5tY<-Tn$>0Ot=SAv*9k^Lrr2_6Au{e}Pmi^^^d}JyI){mVdWIbjY}SG#7#YeU zqfo5+*$=5o)ejr&gzz9^*|lTxI*5n}GNxL@bY@*BXJ-OX6g|XHvZuJh<}`*SAB}M0 ziX+7njQ_diw6RQzTy^xWp5VI=O?Hf|cxtvq_7is!-B%tw{5(p1z0k6*Bxe!xJDo-R z?nBlSyl|0`dh+4hD7iL&lhQ?Zli(n_ciRGyQQBBP0nIjb85*RpDz^M;(QQC(7`x8B&r##x*L8N}M;zDc@6iQyDA}GB%ls1<^>?tC%RD znF`&q4EB?rNgaYbP?tBg148g&Wp}mCD79-6cfykkF35aA9*$s+Bv7NdKEF#~?dI_s z9?MT+d$>|J{v^lA=tJoZ*0rD%o268qWi3n(R7bk{*<~Ff8zyD1%HmQD5hv2UQGIv; zVREm*L$4;X&y`yuD`ye&JDo+m_rzxJ;B<@Zz~70iXDS?0?#S~vgsyOa8H5$F?X0B8 zJxb|5ikT+wXU-%y6U+3LY=?DyULr+OSDz%&uApIO&G^Z6s#Nln8D7v_xl?-!=_hJ# zm?*=Ngu{hm%luK({R*2k+B^kwF|O@L$@q8#M&B;&jOsGqOC3{wRrg9t%619$;IFS| z&J1J3y3EmoxL%X_5E&`UI(;R$rJ)UaAX3g1vD!pL^JR9*gIJ%9G4odAGM>L$rWQeV ziKv)MEN5W!K;={4o%>!Q`;gzVVt9ghg5s{8;Jzm&J4TP+{dS9Nc_q<3?D@Yfq11)f zx2!8YEc#NIsxS9FVLd^g%_egveu|QPUDAR7C6(ti2?tB{Ggm}?z+a;dIBeh z*f&fOMU5WbWC01BO*hUx$*&=K4J6Hvh2Ev~BM0C|ZH;M6rWs`z$Q=H(D995%j60I2 ziI{U^Sq8On$ri>*@IQBZxmrgFqm%cfz%1&LGTAo|yx{|2> z*LMoryQd|xj|#HxRAlcTwVq(h$rjn)eV@om`s2nD;e>sZ^?@Kc1jqxvB{`5NCMjt* zQ+tWS-8LugW~nH}dF@J7>UXp;J-94%gT)`ob95M&BaKp}m${md@j^}m0@<`P!7`rp z>_{@%%1g^Lit_qV1SD2^`j5bG;tW=XO$K_3vOE|7`eF{kcFULmk9)H45h)IOgS)4i zEJf)90-Bka>eU9t_N~m)=|U0@n(FRDQiBGF@(rlwRN@9%h9wZ>J$052Vl#t=y{X~d zT2&_rd9UPhTtxJ_BC|;DN#ieHL1Z7er)9-(L_EPMyLy6cKb`D2Y2dk^TV#KKB+>0S zf5T;WL+YQ;ncGTVJ}UZh_f&n^_EYN#)~(l4Z~k!Kxs(j`?2hg5UEO47T@rF-?5-Y~ zo{XF`4;ykmhfjq-IyTghSMiU`v+2)eZ6yaUkI_T(^a*{U+um6DQNCpTR;1mtoB z1(+&gdy?20YaTG?+aY&UA66*X9(6wCFuDuwD}Azvi<6*SmHLLB;(=w$IWd7brWEz>f=csx~ib-+@%|jQAeVtND^5i)KSbegoo>bskl2PGOW44)8?s=8?NX&hsfT0UQ1-Fg6ut0k$vDp))QQQt3~#le-PQ6 zGO2wQd>@upiwxgNZ*RkpwsClB#|oWWVWoH|(sg!uq?dkThh)YhZ2QPr{KRO642BeS z(9g*!Bi8mx4AWwa@^BH3HgnWlAB^TnSKY~u$95gMR7g^NzaH1 zg1F&tas$tGJ|H*VE!Lm1&t(YASewZ)*6Df)b!0#~qf#SaalN6R*?<6qtoVidZX>eS zeSU5WPq6G&B75;&yLy5LpPTI1Ffw_zMfU0*qWfxf?Yq7Usn2w^iX6owFPq@|9mTs^YfFwakvv0#}ZhrVQ_X%N}=o<7=2jaKmVev#9Q`p5&<70JEn z^OtfaJ-g$>X$wGVC{Vb6^dAKFA z%ZO~@wW-KHoVT9fBj;OWf3S_n>L*SFh|0i9mr8lmK33aD>aoGSn)vDjQL4lh{k)$} 
zWLm1OJt8*DXQQ-`(+{yCXNnuxVKc!y5`{%RcP7%Br1vzV&xOfzrC?CqTn5Jvc!URA z1{?J~afHU@>*K5>DuSavq8@0KX`XSRWq0b#LK-|$pD_~>2{W~N>==F^_>JjTDJ}7gQ~;?2*fcVH{<*QsLO0?i0wv8`p%*r#Q)B zdl|L!k|Qp9@iijbH`6W#mIzW+zxqttn= zo_1H3VJMGEId<_OwtAo-o(dJa9*6%|S8F zrh(fA`gq}H{q!+ggBjD^CVf0Xl25*{#*2I@2ypbMc}(ABi^y|>cq6kHDSEC)S1W*be5Rr(QCRP-&lp2 z$A>d#FGHEhX*P;#jDpTd>}JlF!+m%`_vEChDrF0Es8XwJryal0n+i^$PGc6}a%#&2 z89rJN0_jS=yyo=p6WP}fZHa7~Ae)+s?4uLb6Fk{wkv;uBA{*0*hvqz9CDdh>uqyn^ z#KzTf7?h{OV%GjQN#l_5UY;4_^I2}X#LwnTj!cT9CQ_x>4+}Ke4o%dr#bp`KcJ*{d z66pt<$wLOl4691ZY^j77G317R)C-)WvvswoS$%Wd=gC`Z0W))qLal^kEU5 zshXnJK*$re2?)@tzn@KB8YRvQY#LAF_kD?7D-Gojcia%1iMUd#}&k z&HLT<_1WW;8eF+Yi|1Z1eN&`GX|7(;y^V8e@52dc|Z@Jb@ves48to4-1cXS?em$FhXm`};;{_&w_DRo`z ewLUIueQ~F?o&w3ABfOi3no=*M any any (msg:"file_data smtp test"; file_data; content:"if was"; sid:1;) diff --git a/tests/smtp-file-data-01/test.yaml b/tests/smtp-file-data-01/test.yaml new file mode 100644 index 000000000..041de7dbb --- /dev/null +++ b/tests/smtp-file-data-01/test.yaml 
@@ -0,0 +1,74 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 1.2.190.250
+ dest_port: 25
+ email.attachment[0]: J.txt
+ email.from:
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: smtp
+ pcap_cnt: 89
+ proto: TCP
+ smtp.helo: client-1016363.example.int
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 1.1.205.22
+ src_port: 4053
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 3
+ alert.signature: file_data smtp test
+ alert.signature_id: 1
+ app_proto: smtp
+ app_proto_tc: failed
+ dest_ip: 1.2.190.250
+ dest_port: 25
+ email.attachment[0]: J.txt
+ email.from:
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: alert
+ files[0].filename: J.txt
+ files[0].gaps: false
+ files[0].size: 16386
+ files[0].state: CLOSED
+ files[0].stored: false
+ files[0].tx_id: 0
+ flow.bytes_toclient: 2928
+ flow.bytes_toserver: 21322
+ flow.pkts_toclient: 34
+ flow.pkts_toserver: 57
+ pcap_cnt: 91
+ proto: TCP
+ smtp.helo: client-1016363.example.int
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 1.1.205.22
+ src_port: 4053
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 1.2.190.250
+ dest_port: 25
+ event_type: smtp
+ pcap_cnt: 98
+ proto: TCP
+ smtp.helo: client-1016363.example.int
+ src_ip: 1.1.205.22
+ src_port: 4053
+ tx_id: 1
diff --git a/tests/smtp-file-data-02/README.md b/tests/smtp-file-data-02/README.md
new file mode 100644
index 000000000..8eff2698a
--- /dev/null
+++ b/tests/smtp-file-data-02/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test file_data keyword against smtp for fragmented data
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/smtp.pcap
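Review bot: The alert check in test.yaml pins `app_proto_tc: failed` next to `app_proto: smtp`, so the test depends on to-client protocol detection failing on this capture rather than on the file_data match it is meant to cover; if that value is incidental to the pcap, drop it from the match so an improvement in server-side SMTP detection does not turn this test red. All three checks filter on narrow field sets with `count: 1`, but nothing asserts that the signature fires only once on the flow — a fourth check with just `event_type: alert` and `count: 1` would catch a regression where file_data also matches on tx 1. `-k none` is reasonable for a synthetic traffic-generator capture, but a one-line comment above `args:` such as `# generator pcap: checksums are not valid, skip verification` would tell a reader why it is there. The accompanying test.rules hunk is garbled in this rendering (the `alert tcp any any ->` prefix is missing), so I could not confirm the full signature.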
diff --git a/tests/smtp-file-data-02/input.pcap b/tests/smtp-file-data-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..931b43b3b878dc559b7423df26363bfe75c6a512 GIT binary patch literal 27850 zc-rlK32-CVd1lY0gEnoBYvUa|O6d_2GvtU30tCS!F^31lL2`x%h6HD%v8G0i?gyYn zpd0RP5X3l9Bv-2JsHAM|QM+r)j;$!M;#`(CNmb&+iL!B};?=q$C$$$$IbZ;>*Rbb4e!k{&#K{gHuzeFx!l-Nr{ z>DpV~`rPAJ+o}BnP@4uq)4g~b9XU+AJ>S9G(?Id5+|c#wFTP2Vo&zdxzH~r(1qi&- zi>LoJ{5<8)!ZPd2`5en^ z>s2-to}OiQMA@=wjI&6bt*Q>2j6`NxB$|lC6Y(h~N8*tP8yrA_7dg{RW|$6B>Q33T z^sAgXWzOn0XJ!#z>Nc~Rw!^E;F_~j2hFvo)ht&<+tmrDRp^XbtOfj?x(_)2sWs`9k zjU_xdfJ+}U4oL5SRllQ`0HY(flK`LX7GQzrj$A+c#lw=6Sy)x_ZPHyBESZ*n~xWblJ=NDJpf%)WGKEJe1S8O4(2P>KDCF!Y= zJ4w=i)FJ6lz>;3e9eMo^f2J%+G@m;YQhe#_gVF*JTj(XA#PEwGpbvEj=ry4F$0#5b zB3Udp#V*{vQcQv=LO{bOkD83 zF`vDv#hK>3()=!^7}~!#u$sUB=|8m99>l$-87h8S5?k6u8BF` zbl&9s@)8+TSsZS6d{u^4&FLbOX^1!F^Z^zXPK1Qy^R?i7)bC11Ax(tLa_u_kXWQO?u zPwjl?-wqUKfbYiV*Cc5zmCLjIDsXKn_g~StS%IiHsT*gSO4&5QUj^%bhWXBbj2oJ6 zlvqP|$}AKPF|ZwlRdj>1LX+u^%_~JQ`_2DhKzjL*M4z22IrP^ftGJSH{B6fd=7EC; zazn32zwjRLZ_BJESZLm}9<~lMmqR<-Q{LQ7ZR_>I{aket3=`qtKw5ElLZrYz28>1% zvFSwQIJ+wnk3qm)7HgLm(?C8FiNqpNRhf#!$+*&Z}hNf7}Qz02XPF-2y z+fELixB@fc=hT%*G?ko+&qczK+4%HqEE@?84%{s-Lk8s*tU^~U(>99^TP+rKm9y2l zQ!&j=7M;ZT^JR-Gn!IRed^-U~SId@ob#`v+{`)Uw(tIs?t~{gPRo-Y`Fe6EfG#Jy-Oxo!^*Y|E-8mleCrwOak^)e78M=gCtnnOvJ>$+WV-=4$#XOHIv3Svp#} z$g(SQQI^eZuCc6f*G0CFP372vanD(HcJ;W;&ef~a>|E2i$dp_b;# z$$2w*cVlidIlqxCH0JDNdNH}2Og8Yla(=F!%p{ZiJU&;#`&-G>RPrA8JKcwMoLD#Q zvJ$YQrd3s(Fg`BJH*8Hi+o)23 z5MV%}*y6ibY7}Y5ds^xa-0U=>lN$$yOw=lhZXgS4S+Q*HoC?)#S+P}J4+Wk_^jYMV zoH0}rgH?hZFX#@=Pe==2F#NK}Y=~y8&g`mFV>J~bOc8vE?qzkjg9uk~97Qcxfv`Vr zKDYk=XE|l3TKQ+J=3R9Y@`YTpbi+{!6^^W&L|SaSS~2Xz)~Q%JRJV+Tt(JLJvE`~4 z8f1W*iLGiS#LxukVYC0kCdCr>TVPmYhhZ4`C;LbK97X`gF>V5UaB3ntIbl|VD-MiqG#cSXENoh(iTv8cS|%l< z6sIDg(?X;WFyYn7k_B0DppB15)ly<#Fbny9S5u@44xRRIe3G(w4rECL?Iam-fKyLSPzYd zY;ZT(=9XRzA)iVDu+8Q;vtdOz^#Ul|!nbI4+muNK=!;MkJI%!GEIG7UF|9O)O?*CnwrSo$h7>S#x6>yeybnlT`ra0g=p#ys?gG zeiJUxeA$+JA?!P6USQLd 
zt???{V<~_$ghm68D|JYC5bjkbp2wR>O@ljjU;${OAsx$k%-$ik$(snR@ZpQRuu+3Z z!kJw*>lKX|W`kLrhU$jxD3yxn6TyU_ovO`>P@J=zqHcm{y=CD#>@u@ei*ti`1`{?_ zT@2L$;Ixb0rOd5fD(V#8@!pG?Po>yt77I_}?KDRMTM7Ug;1Y@?i@PhaQHomK!rp}e zR?0Mb)P~9lrXUe04uDCGUGPU^yBiV;WKs*FoWN%=(j&UbYeF$~lAOjGWmq+!KHb3r z&2Zak9@7SISQz;|7Y$Vp&UT@_#nSFeD~ zxvB%)WmRwtY{QJ|v6<;{rccq=IDSQ*rtw7$JAU=5|3a=-xBUxHivN1je--mzO^v&3 zGPVh{HmBuD`WnN?f3bh$U!%zXjrPdTRWI^?^| zN_w9C_Xq&q08@oi3c+0NPt06$zdO@!MD#ZPlDg@PHlkRLOn8jhGitiSl8^B7)2}*b| zYU!mi*my-(H$_jcf&S1MgkrRL1sx%@Ea(&M5UoBfNT&IgoVx2SmennYlzF`h;cC?= z>ZQ5>qfB7KaTLF0GgUFjlhm>aI1?EvaHoN>qfWvA0ih34CS(Q6Y``d?PmG`FOchRK zi(GN);N;;O2_#c}Whd;Q3DbZE)k+;E(scBH(`x!rl;+3!uEl~1?uRj*72vkTDIh40 zFOeci1j3!=)N5@)uyZX$s68e(^h$*Ug~n5djA1s6imBiVfPPNdw9(q!sqV#~Og4oI z_E;Y$xp~~Q0t^n+_?B9$h2hQcTrzcTBS*%kmrxcQ!y5~D16nGiTnF`6(QSvC!DYlt zm`LGj7t4*|{Z*qwFbZ?TJ+4+926TdTGh_zzW)g!mPSsps3t{;|+yN>_@wa zAi*}k4b-{~*&L?d3p%;V9@9gp0BRxq*}{O9yO$ZGPdMAz8)9f9|mXX=T4epB=jl&+I>wd7C7?V_!*r z=9k2YfddCW4JiN6=e#|D2X6Z2j(Y&Ne|>Kc;D>n+0IlmiU|r7xrg**=uK3)@I^l|M z?_@#ii9HM2+eO;jMcUg%+S^6?*RYF(5r6(eeeuNG2~Ui-@Wi1{`gkHocw)z$r7!&S z-pS=U`H>$-#c)^(n&Ysc<&^Xa|r^$&CR8m%kwcwg(fjjZcf z%ep>u*0-)TvaTIFWXE3H>yZ60cgX%6tm_-^-`DR%^DA_o?_(Y3`5u4_cr7;+y5$q! 
z!C{|yRlXf*z3~J4`qfo=s;jPbWYTM%HNNn=B=t`5dl_}_tj6A1jlHuPduKI%kj`pg z#Q*XB5r2as{pIZtlRYj__V~Mw>h+wLJsx^5RIfXn9@(pE z_s)Ino%`53_px{G;|J&52S)tqyZT1_i@kn+^ZxI85&!SMElInb9tojxt7xC}^P|3j zjnV3sOsL&J*}f*i-KrqGco9=MxgOG0PzmG0TU~bq8$q}Qg)o8(5R+q*S>Q9Ud{-Ax zhZlhjjX@z+gR;(dq3&r(FR3!rVeq&Ic#+pm%nsAc;4(Q$!G z*SKxgEfstZvq=y;A=VI>ohPPr!8v5ULPj_(rBAu$aSQ0x8D&@Qr`?#8KJI%?&Tjy&Q;ARTjQoOX4xrlpHu zJ?f6Z4qCw`hAjjqs5yHqXlo!D2W6dV%ZxQ$r7Xy(r(+WmpjG0mD77U#z<~e;yC=J> zIljyNsg}!;vHL#^-og}ivsy4KHl`lPIF6+-&F>o`6siI9uoz$ne^*GEfV1a02_~nn zTuEoOx zyGYCvpBUxUMnJXh55b6k@!`Jp!Z)a1c(S`*;OBBfGr#>`U&CQPcK6{gA}#)K-|TUB zub%;}Jwe&y$m>ygNRn8Htek^9u=*}2B(y9Zbbt(ai`M4W5lXb_G)e53?{{al5;+b7S#pEvcDSL%z$X2wK`P}J`ac`_lfrn=w9lTj`@qquEzPWpAT;~mrS zspC^qW8E_ZDhi)^+j~LEK3SNe2jvxxD_5W@*;oW?$HdSJU9{}o?OC~HFFoTmp91sAIwTO$Z1fOg2=l2@ouBQP2t2 zU9d6M2CBqF7}OoFpaV~|z(r9g;;tb)N_abQ73vVlL>3Z0#0E$?svcuT4Q!*LoW z1zt;@{KjXFs=Ay?Wtee<4X-{X#LZ2WCU= zjt+Cxgn|vRQ8!akXE;#JOr+p;hby`pHV6WQ7Y5Bb%oas2&}$bGg46V3ky~z|B;Yxe zNK|=(|M-rC7D7!0ALA8ZBEm(GYPmt$355j%p)r_?s#v%}dSy&L@Y)JwYDBQ93+o=_ z9>@Fa=uxPtHj%?dxha0@S{d>V*gFs_D>X3sa5&t`1K9KS@HFZ^U_ZeJI`1uF$&C)u z(F$!5D`H)P36`R?OACbn(QcOz9?aW4!?@>1E^HI(8V$OO1p#480i9gPtgSDut}L!( zS6$!njD?(qFd+)qa$S2YxKD6*j^)d+OuL;p_Uug~CB$yC>2L(>(9nyxpFnFs`^PS= zSeH$((x2Czw0%b5PN>aL#RPwLlPkPNYw(=V4lW+vP)csss|5>0-esfI^`YRY6vl#W z4#d=!VjBX70#jfbez7J-i@MXriSUgr=>-b{Td;xIBbV$LZ>B{_8nhXkD;A)3AmmrI zw%!=4uu|7dZ!Slg1Zmg4RC}@WSlfevIArpHb;Bhdq*G+75UT?6? zxMJ&2tB&$;Da=Z$Do=)I<0NUkh=nJENZO6!AZY6Bf(}u()ZC#6E0U92|5r`q19CDT z4cFo^Y~Yp^b1j#^oNEmV4TO8tdTAFb72?5Qm|j|9;NcbTH@1~cYQl{ReCnGBE7n<&jKlu$+E@r_rGZwT>~X2r&yT*_KiPZhHA!mQIy;(39CaB7DPxR5 zL?F)YPz=&U0UZ=?n;a-1D&Ligew9i>R4}-;+0kQ`t$IMgnz`L9aYLMGApwwTfopIGDmcgS)iRk* z*0%u>^8Fj$z9WRxtBR!sFcbPbc6eY>6V%+c9i>X;KL(PC9C7Jjr_Qtr~(;qodt^yVY{v;Bp8KQ zahid`iXFx+0E<#N)N5p0E{vhu7$e*|uGQUj$2Yu?Lk&-c?rT%W9XInJ*@p2a-c&B& zB6UD*zw4&B`=M3r(Ynp#QKjOP&3dVfu*N-NP~aphYH{Gs=QwL{ukBURx7>yqk`&t! 
zSh|SCqbc|c0tTo+$B2KWf5d+$Mf_LWBmP5AdJ*5)kR*$Tcat>2i?)C>=I*t0gdxNS zxVsd_C0yhcz}v8Ruz#C&ooIb#=cq6Qnwo19rWf^biwY0Hje9BIZR>%E0kK1kkJ$id zS4^YiZrtGJpj@wwQ_Xm!P&=K)8a0irV+W22QAB?aim=WeCD$R zQ74&O9LADIObhv@u|3h)?s^*c4T?ywu`NQCJd3Y(p{^I)S# zsiI>jio0OvCls)dcGN?#Q&csid?*6z*qs(Tx{8Pj1#^2`;60&hm=B9%+*rc$0rMh6 z#$s_y=nzpjpeKlrBpn4U-_lxTi^~f*Qliy1P`z%aZKCaIx@H_j<{iJDsatr&lUC0# ztqV0!$e^t&;b5LdgR4B+-t~3MOKcxsz#d8!E9s85jfNdfly0hGs+-K-qzz98IOSTX zRS`B63)8`HYcPe9b{RvkhqNjRChBgQRW6W_TfJ(gsFl$TX{3vC!rj4@64M6pzmgxv zpOB_g9n6^X^vI~sk7Am89n6m^+CGJg|stf&a2CrFk zFGgxC`tMybRfVk9zm*J3o`%WCx)%^@frZRA{_0I+SWslUIl0>R@QtTPB?W^wyE3#|yUY0?qN*yC* zO92c*kP($cr*1^I(%){@|LFx4R|1zcCsy{W_yLsmTtQ36_C8wRid3G zV8fujTJd|DabE>je4>YyMmvjd>cA0(&CnU}2`_GeA1&mUmqLEU6znhL^_thp)D)-= z#0ku>zwzN6k5E{k_lnZw+cl6K;z`ZKIB3_DhCvdigNT4M%8st4;@ z?`n)3JJs?(FlK6;az~s}Xy?6XwnWg0s6rXhOE8UzoPU@hBn&A;J*eROy&NV2QiU%C z{5hKVSb{jqZFsea`&&lDjv64A8p@l*oHx@ZquPbgI)pJliuv6Rf&p~`nWCLUX{c2p zdp3&PiaqnW*7p56o+Nh<-T1HxD9xwmgqq#`m_U2YYp1)%i0C|=?m9<-mlbfmy5$+X ztcvp=%s(=!vXg;K(@IR#L|<37Ty42L*-gVywp(XNSjjTQ8M0j9$N@f&n?N|W)#4(2 zh>dZ-L%qXMjCO5Jg`)v&!4>L@$~8r7tCUogVYf_VF%WN2Y&HgpPV`aX4HGr*L>hr8 zSiz{fJv!ELz{h82hx6m!vP=DL=ZxK9z+Zef_OV9AtjgH}tMr>aTFv*R~J6h_v2b>`Ut!(R#d_)_d1; zLqG8+lV8AL-+Ja18EKvTR9{-(CR!iqruE46+|c{j@SowZg_lYnMOt6`bYEJ3PqaSV zP3zIyh}Li6u)%--=+7ao&p&%WT7&DgUbND~-yvG>=}GIz``ANY^8Tg-)3sC4WvGNr z8Gm6*x+HHHg9A9j8(u!t?~nc5N5=Rc+l}$j+hCRt0Q~roUwJ~3z5rC7e)0|d{@4R2 zD(~w_<;d$lasce@{KjH_Z~$q2P4`*QSuiKE9lIC>T- zku@qf?AVznmA}Lvwf&g^=^9*Lqd((?AJYDJys8`~j$WMpN&ItNuWCT&-@xZ}>0$Wy z*%Lo{c>jZ6#`oarcO{8sRx)R^nbb-;oynx<)7f-3Gnbi5C(~y$@R3SNEW41&WmB1@ z%mRGPWwY62D)4V^MY_JeJU1fk{Bc;4hW(4bIpDn-mM%yK=nseOmnNlq@$b5 any any (msg:"file_data smtp test"; file_data; content:"Added"; sid:1;) diff --git a/tests/smtp-file-data-02/test.yaml b/tests/smtp-file-data-02/test.yaml new file mode 100644 index 000000000..b031709c0 --- /dev/null +++ b/tests/smtp-file-data-02/test.yaml 
@@ -0,0 +1,74 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 74.53.140.153
+ dest_port: 25
+ email.attachment[0]: NEWS.txt
+ email.from: '"Gurpartap Singh" '
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: smtp
+ pcap_cnt: 51
+ proto: TCP
+ smtp.helo: GP
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 10.10.1.4
+ src_port: 1470
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 3
+ alert.signature: file_data smtp test
+ alert.signature_id: 1
+ app_proto: smtp
+ app_proto_tc: failed
+ dest_ip: 74.53.140.153
+ dest_port: 25
+ email.attachment[0]: NEWS.txt
+ email.from: '"Gurpartap Singh" '
+ email.status: PARSE_DONE
+ email.to[0]:
+ event_type: alert
+ files[0].filename: NEWS.txt
+ files[0].gaps: false
+ files[0].size: 10735
+ files[0].state: CLOSED
+ files[0].stored: false
+ files[0].tx_id: 0
+ flow.bytes_toclient: 4118
+ flow.bytes_toserver: 21897
+ flow.pkts_toclient: 26
+ flow.pkts_toserver: 25
+ pcap_cnt: 53
+ proto: TCP
+ smtp.helo: GP
+ smtp.mail_from:
+ smtp.rcpt_to[0]:
+ src_ip: 10.10.1.4
+ src_port: 1470
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 74.53.140.153
+ dest_port: 25
+ event_type: smtp
+ pcap_cnt: 58
+ proto: TCP
+ smtp.helo: GP
+ src_ip: 10.10.1.4
+ src_port: 1470
+ tx_id: 1
-- 2.47.2
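Review bot: The README presents this case as the fragmented-data variant, but nothing in test.yaml asserts that property — `files[0].gaps: false` and a single alert at `pcap_cnt: 53` would hold equally for an unfragmented capture, so a regression in cross-segment file_data inspection would not necessarily fail here. A short comment above `checks:` naming which segments the `Added` content is expected to straddle (presumably a TCP segment boundary inside the NEWS.txt attachment, which I cannot verify from the yaml alone) would document why this test exists alongside 01, and an extra check with only `event_type: alert` and `count: 1` would catch the signature firing on tx 1 as well. As in the sibling test, `app_proto_tc: failed` in the alert match pins the to-client detection outcome, which is unrelated to file_data and may change with parser improvements; remove it unless it is deliberately under test.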