mime: add previous suricata unit tests

mime: fix tests for bug-6207

Fix manually crafted pcaps to have valid MIME headers folding
beginning with space

And removing the test for BODY_BOUND which is becoming obsolete

tests/bug-6207-1/test.yaml

@@ -9,7 +9,6 @@ checks:
     match:
       app_proto: smtp
       email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
-      email.status: BODY_END_BOUND
       event_type: fileinfo
       fileinfo.filename: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
       fileinfo.size: 286

tests/mime/mime-dec-parse-full-msg-test01/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487

tests/mime/mime-dec-parse-full-msg-test01/test.yaml

@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <[email protected]>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <[email protected]>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1

tests/mime/mime-dec-parse-full-msg-test02/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487

tests/mime/mime-dec-parse-full-msg-test02/test.yaml

@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <[email protected]>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <[email protected]>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1

tests/mime/mime-dec-parse-line-test01/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487

tests/mime/mime-dec-parse-line-test01/test.yaml

@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <[email protected]>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <[email protected]>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1

tests/mime/mime-dec-parse-line-test02/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487

tests/mime/mime-dec-parse-line-test02/test.yaml

@@ -0,0 +1,47 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.from: toto <[email protected]>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      email.url[0]: www.test.com/malware.exe?hahah
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <[email protected]>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1

tests/mime/mime-dec-parse-long-filename01/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487

tests/mime/mime-dec-parse-long-filename01/test.yaml

@@ -0,0 +1,86 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+      anomaly.layer: proto_detect
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+- filter:
+    count: 1
+    match:
+      anomaly.app_proto: smtp
+      anomaly.event: MIME_LONG_FILENAME
+      anomaly.layer: proto_parser
+      anomaly.type: applayer
+      dest_ip: 127.0.0.1
+      dest_port: 39202
+      event_type: anomaly
+      pcap_cnt: 14
+      proto: TCP
+      src_ip: 127.0.0.1
+      src_port: 25
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+      email.from: toto <[email protected]>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: smtp
+      pcap_cnt: 14
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <[email protected]>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      app_proto: smtp
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+      email.from: toto <[email protected]>
+      email.status: PARSE_DONE
+      email.to[0]: 172.16.92.2@linuxbox
+      event_type: fileinfo
+      fileinfo.filename: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+      fileinfo.gaps: false
+      fileinfo.size: 25
+      fileinfo.state: CLOSED
+      fileinfo.stored: false
+      fileinfo.tx_id: 0
+      pcap_cnt: 15
+      proto: TCP
+      smtp.helo: linuxbox
+      smtp.mail_from: <[email protected]>
+      smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+      src_ip: 127.0.0.1
+      src_port: 39202
+- filter:
+    count: 1
+    match:
+      dest_ip: 127.0.0.1
+      dest_port: 25
+      event_type: smtp
+      proto: TCP
+      smtp.helo: linuxbox
+      src_ip: 127.0.0.1
+      src_port: 39202
+      tx_id: 1

tests/mime/mime-dec-parse-long-filename02/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487