diff --git a/tests/bug-6207-1/input.pcap b/tests/bug-6207-1/input.pcap
index 26fafb50f..ebae12bf2 100644
Binary files a/tests/bug-6207-1/input.pcap and b/tests/bug-6207-1/input.pcap differ
diff --git a/tests/bug-6207-1/test.yaml b/tests/bug-6207-1/test.yaml
index c750cbc07..2f76b55d9 100644
--- a/tests/bug-6207-1/test.yaml
+++ b/tests/bug-6207-1/test.yaml
@@ -9,7 +9,6 @@ checks:
 match:
 app_proto: smtp
 email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
- email.status: BODY_END_BOUND
 event_type: fileinfo
 fileinfo.filename: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
 fileinfo.size: 286
diff --git a/tests/bug-6207-2/input.pcap b/tests/bug-6207-2/input.pcap
index 89ac39c67..36e376e5b 100644
Binary files a/tests/bug-6207-2/input.pcap and b/tests/bug-6207-2/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/README.md b/tests/mime/mime-dec-parse-full-msg-test01/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/input.pcap b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap
new file mode 100644
index 000000000..5e9e92d80
Binary files /dev/null and b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/test.yaml b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
new file mode 100644
index 000000000..15995e67c
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
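Review bot: Removing `email.status: BODY_END_BOUND` from the fileinfo check in the `@@ -9,7 +9,6 @@` hunk drops the only assertion on the MIME parser state at the moment the attachment is logged, without pinning whatever value the regenerated input.pcap now produces. If the expected state is now the terminal one, keep the coverage with `email.status: PARSE_DONE` (the value the new mime tests in this commit assert on both their smtp and fileinfo events) rather than leaving the field unchecked. The bug-6207-2 capture is also replaced here while its test.yaml is untouched; a sentence in each directory's README on why the captures were regenerated would help whoever next debugs a mismatch.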
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/README.md b/tests/mime/mime-dec-parse-full-msg-test02/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/input.pcap b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap
new file mode 100644
index 000000000..fa58468f2
Binary files /dev/null and b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/test.yaml b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
new file mode 100644
index 000000000..15995e67c
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
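Review bot: The test.yaml keeps the suricata-verify template line `# *** Add configuration here ***` and says nothing about what this case exercises, and the identical 48-line blob (index 15995e67c) is reused by full-msg-test02, odd-len, rem-sp, small-rem-inp and very-small-inp, so none of them asserts the specific edge its directory name promises. Replace the placeholder with a comment naming the parser path under test, and add a check that fails if MIME decoding silently gives up, e.g. a filter with `count: 1` and `match: {event_type: anomaly}` so that any additional MIME_* anomaly breaks the run. `smtp.mail_from:` is a YAML null here; confirm the runner compares that as an empty string rather than as "field absent", otherwise the line is either dead or wrong. The README committed next to this file spells MIME as `mimre`.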
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-line-test01/README.md b/tests/mime/mime-dec-parse-line-test01/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-line-test01/input.pcap b/tests/mime/mime-dec-parse-line-test01/input.pcap
new file mode 100644
index 000000000..3e8bb266b
Binary files /dev/null and b/tests/mime/mime-dec-parse-line-test01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-line-test01/test.yaml b/tests/mime/mime-dec-parse-line-test01/test.yaml
new file mode 100644
index 000000000..15995e67c
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test01/test.yaml
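Review bot: The first check pins `APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION` at `pcap_cnt: 6`, which is a property of the capture (the server side was not recognised as SMTP) rather than of the MIME decoding this test is named for; if the pcaps are ever regenerated with a proper server banner the test fails for a reason unrelated to MIME. Either drop that filter or explain on the `# *** Add configuration here ***` line why one-direction detection is expected. The expectations are byte-identical to full-msg-test01 (same blob 15995e67c), so the two tests differ only by input.pcap; one line stating what the second capture varies would make a future failure diagnosable.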
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-line-test02/README.md b/tests/mime/mime-dec-parse-line-test02/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-line-test02/input.pcap b/tests/mime/mime-dec-parse-line-test02/input.pcap
new file mode 100644
index 000000000..56fc12bf4
Binary files /dev/null and b/tests/mime/mime-dec-parse-line-test02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-line-test02/test.yaml b/tests/mime/mime-dec-parse-line-test02/test.yaml
new file mode 100644
index 000000000..dc9acbeed
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test02/test.yaml
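Review bot: For a test named after line parsing, no asserted field depends on how message lines were split: `email.from`, `email.to[0]`, `smtp.helo` and `smtp.rcpt_to[0]` all come from the envelope and headers, so a regression confined to body line handling still passes. If the capture carries a body, enabling the smtp `body-md5` option under the `# *** Add configuration here ***` placeholder and asserting `email.body_md5` would pin the decoded body (confirm that field is emitted by the Suricata version this suite targets). This blob is shared with four other directories, so a one-line comment on what line-test01 specifically feeds the decoder is the only thing that would tell them apart.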
@@ -0,0 +1,49 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ email.url[0]: www.test.com/malware.exe?hahah
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-long-filename01/README.md b/tests/mime/mime-dec-parse-long-filename01/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-long-filename01/input.pcap b/tests/mime/mime-dec-parse-long-filename01/input.pcap
new file mode 100644
index 000000000..770719109
Binary files /dev/null and b/tests/mime/mime-dec-parse-long-filename01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-long-filename01/test.yaml b/tests/mime/mime-dec-parse-long-filename01/test.yaml
new file mode 100644
index 000000000..e66357e2a
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename01/test.yaml
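Review bot: `email.url[0]: www.test.com/malware.exe?hahah` is the one case-specific assertion among the mime tests in this commit, but it relies on URL extraction being on by default; a test that exists to exercise URL extraction should set `extract-urls: yes` in the smtp mime section under the `# *** Add configuration here ***` placeholder so a default change elsewhere cannot turn it into a false failure. It also pins only index 0, so duplicate or extra URLs from the same body would go unnoticed; if the runner supports it, add `not-has-key: [email.url[1]]` to the same filter, otherwise note the expected URL count in a comment. Worth a comment too that the value is logged without the scheme, since detection rules written against this field need to know that.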
@@ -0,0 +1,88 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: MIME_LONG_FILENAME
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 
12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ fileinfo.gaps: false
+ fileinfo.size: 25
+ fileinfo.state: CLOSED
+ fileinfo.stored: false
+ fileinfo.tx_id: 0
+ pcap_cnt: 15
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-long-filename02/README.md b/tests/mime/mime-dec-parse-long-filename02/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-long-filename02/input.pcap b/tests/mime/mime-dec-parse-long-filename02/input.pcap
new file mode 100644
index 000000000..91cd1f346
Binary files /dev/null and b/tests/mime/mime-dec-parse-long-filename02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-long-filename02/test.yaml b/tests/mime/mime-dec-parse-long-filename02/test.yaml
new file mode 100644
index 000000000..a5aac8c30
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename02/test.yaml
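Review bot: The smtp and fileinfo checks assert the truncated `email.attachment[0]` / `fileinfo.filename` value and the `MIME_LONG_FILENAME` anomaly, but nothing states the rule being verified; a reader has to count the repeated `12characters` runs to discover the cut-off (255 characters if I counted correctly). Replace the `# *** Add configuration here ***` placeholder with something like `# attachment name longer than the limit is truncated and MIME_LONG_FILENAME is raised on tx 0`. Worth spelling out in the same comment that truncation is what `filename`/`fileext` rules will see, because the original extension is lost from the logged name. Also, `smtp.mail_from:` is asserted as a YAML null in both checks; confirm the runner treats that as an empty-string match and not as "key may be absent".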
@@ -0,0 +1,73 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 12characters12characters12characters.exe
+ fileinfo.gaps: false
+ fileinfo.size: 25
+ fileinfo.state: CLOSED
+ fileinfo.stored: false
+ fileinfo.tx_id: 0
+ pcap_cnt: 15
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-odd-len/README.md b/tests/mime/mime-dec-parse-odd-len/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-odd-len/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
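Review bot: As the negative counterpart of long-filename01, this test never asserts that `MIME_LONG_FILENAME` is not raised for the 40-character `12characters12characters12characters.exe`, so a regression that lowered the limit would pass here unnoticed. Add a filter with `count: 0` and `match: {event_type: anomaly, anomaly.event: MIME_LONG_FILENAME}` next to the existing checks. The fileinfo check asserts `fileinfo.stored: false` with no file-store configuration under the placeholder comment, so that line only documents the default; if the intent is to verify the name is preserved end to end, a comment saying so on the `# *** Add configuration here ***` line would stop someone "fixing" the test by enabling storage.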
diff --git a/tests/mime/mime-dec-parse-odd-len/input.pcap b/tests/mime/mime-dec-parse-odd-len/input.pcap
new file mode 100644
index 000000000..e1b7326cb
Binary files /dev/null and b/tests/mime/mime-dec-parse-odd-len/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-odd-len/test.yaml b/tests/mime/mime-dec-parse-odd-len/test.yaml
new file mode 100644
index 000000000..15995e67c
--- /dev/null
+++ b/tests/mime/mime-dec-parse-odd-len/test.yaml
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-rem-sp/README.md b/tests/mime/mime-dec-parse-rem-sp/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-rem-sp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-rem-sp/input.pcap b/tests/mime/mime-dec-parse-rem-sp/input.pcap
new file mode 100644
index 000000000..a4c573113
Binary files /dev/null and b/tests/mime/mime-dec-parse-rem-sp/input.pcap differ
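Review bot: Nothing in these checks depends on the odd-length input the directory name refers to; every asserted field is envelope or header data that the decoder would produce even if the oddly sized chunk (presumably a body or base64 fragment — the capture is not visible here) were dropped. The only thing that would catch such a regression is an assertion that no decode-error anomaly was emitted, so add a filter with `count: 1` and `match: {event_type: anomaly}` so an extra MIME_* event fails the run, and say on the `# *** Add configuration here ***` line what "odd len" means for this capture. Without that, this test is indistinguishable from full-msg-test01 except by its pcap.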
diff --git a/tests/mime/mime-dec-parse-rem-sp/test.yaml b/tests/mime/mime-dec-parse-rem-sp/test.yaml
new file mode 100644
index 000000000..15995e67c
--- /dev/null
+++ b/tests/mime/mime-dec-parse-rem-sp/test.yaml
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/README.md b/tests/mime/mime-dec-parse-small-rem-inp/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-small-rem-inp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/input.pcap b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap
new file mode 100644
index 000000000..1b4b1bed3
Binary files /dev/null and b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/test.yaml b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
new file mode 100644
index 000000000..15995e67c
--- /dev/null
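Review bot: If "rem-sp" stands for whitespace removal in header values, the one line that actually exercises it is `email.from: toto`, since an unstripped value would log as `toto ` — but that is invisible to a reader, and it only works if the runner compares strings exactly rather than after trimming. State the intent on the `# *** Add configuration here ***` line, e.g. `# header values with surrounding whitespace must be logged stripped (email.from)`, and if the capture also pads `smtp.mail_from`, pin it to the stripped value instead of leaving it as a YAML null. This file is the same blob (15995e67c) as four sibling tests, so without such a comment there is no way to tell which capture covers which path.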
+++ b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-very-small-inp/README.md b/tests/mime/mime-dec-very-small-inp/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-very-small-inp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-very-small-inp/input.pcap b/tests/mime/mime-dec-very-small-inp/input.pcap
new file mode 100644
index 000000000..d217b5124
Binary files /dev/null and b/tests/mime/mime-dec-very-small-inp/input.pcap differ
diff --git a/tests/mime/mime-dec-very-small-inp/test.yaml b/tests/mime/mime-dec-very-small-inp/test.yaml
new file mode 100644
index 000000000..15995e67c
--- /dev/null
+++ b/tests/mime/mime-dec-very-small-inp/test.yaml
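Review bot: A "small remaining input" case is about how the decoder behaves when a chunk boundary leaves a few bytes pending, which is entirely a property of how the capture is segmented, yet the test has no guard that the segmentation survives; `pcap_cnt: 14` on the smtp event is the only thing tying the result to packet layout, and a re-captured pcap would silently change that. Add a comment on the `# *** Add configuration here ***` line recording how many bytes the trailing segment carries and that the pcap must not be regenerated, and add a `count: 1` filter on `event_type: anomaly` so an extra MIME_* anomaly from a mis-handled remainder fails the test. `-k none` is reasonable for a synthetic capture but deserves a word too, since it also masks a corrupted pcap.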
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
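Review bot: The third check (`tx_id: 1`) asserts only `smtp.helo: linuxbox` plus addressing, which would match any second transaction on the connection; if it is meant to be the trailing QUIT (or an empty follow-up transaction) say so in a comment, or pin a field that identifies it, otherwise a parser that wrongly split the one message into two transactions would still satisfy both smtp checks. The first check on `APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION` documents a quirk of the capture rather than of MIME decoding and will break if the pcap is ever regenerated with a server banner. This file is byte-identical to full-msg-test01 (blob 15995e67c); for a "very small input" case the distinguishing fact — how little data the decoder receives per call — belongs on the `# *** Add configuration here ***` line.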