From f1529416096070ab99bab440bb1deadd09f32cba Mon Sep 17 00:00:00 2001 
From: Philippe Antoine Date: Thu, 31 Aug 2023 11:52:15 +0200 Subject: [PATCH 1/2] mime: add previous suricata unit tests --- .../mime-dec-parse-full-msg-test01/README.md | 11 +++ .../mime-dec-parse-full-msg-test01/input.pcap | Bin 0 -> 1685 bytes .../mime-dec-parse-full-msg-test01/test.yaml | 48 ++++++++++ .../mime-dec-parse-full-msg-test02/README.md | 11 +++ .../mime-dec-parse-full-msg-test02/input.pcap | Bin 0 -> 1704 bytes .../mime-dec-parse-full-msg-test02/test.yaml | 48 ++++++++++ .../mime/mime-dec-parse-line-test01/README.md | 11 +++ .../mime-dec-parse-line-test01/input.pcap | Bin 0 -> 1736 bytes .../mime/mime-dec-parse-line-test01/test.yaml | 48 ++++++++++ .../mime/mime-dec-parse-line-test02/README.md | 11 +++ .../mime-dec-parse-line-test02/input.pcap | Bin 0 -> 1788 bytes .../mime/mime-dec-parse-line-test02/test.yaml | 49 ++++++++++ .../mime-dec-parse-long-filename01/README.md | 11 +++ .../mime-dec-parse-long-filename01/input.pcap | Bin 0 -> 2012 bytes .../mime-dec-parse-long-filename01/test.yaml | 88 ++++++++++++++++++ .../mime-dec-parse-long-filename02/README.md | 11 +++ .../mime-dec-parse-long-filename02/input.pcap | Bin 0 -> 2268 bytes .../mime-dec-parse-long-filename02/test.yaml | 73 +++++++++++++++ tests/mime/mime-dec-parse-odd-len/README.md | 11 +++ tests/mime/mime-dec-parse-odd-len/input.pcap | Bin 0 -> 1751 bytes tests/mime/mime-dec-parse-odd-len/test.yaml | 48 ++++++++++ tests/mime/mime-dec-parse-rem-sp/README.md | 11 +++ tests/mime/mime-dec-parse-rem-sp/input.pcap | Bin 0 -> 1750 bytes tests/mime/mime-dec-parse-rem-sp/test.yaml | 48 ++++++++++ .../mime-dec-parse-small-rem-inp/README.md | 11 +++ .../mime-dec-parse-small-rem-inp/input.pcap | Bin 0 -> 1757 bytes .../mime-dec-parse-small-rem-inp/test.yaml | 48 ++++++++++ tests/mime/mime-dec-very-small-inp/README.md | 11 +++ tests/mime/mime-dec-very-small-inp/input.pcap | Bin 0 -> 1754 bytes tests/mime/mime-dec-very-small-inp/test.yaml | 48 ++++++++++ 30 files changed, 656 insertions(+) create mode 
100644 tests/mime/mime-dec-parse-full-msg-test01/README.md create mode 100644 tests/mime/mime-dec-parse-full-msg-test01/input.pcap create mode 100644 tests/mime/mime-dec-parse-full-msg-test01/test.yaml create mode 100644 tests/mime/mime-dec-parse-full-msg-test02/README.md create mode 100644 tests/mime/mime-dec-parse-full-msg-test02/input.pcap create mode 100644 tests/mime/mime-dec-parse-full-msg-test02/test.yaml create mode 100644 tests/mime/mime-dec-parse-line-test01/README.md create mode 100644 tests/mime/mime-dec-parse-line-test01/input.pcap create mode 100644 tests/mime/mime-dec-parse-line-test01/test.yaml create mode 100644 tests/mime/mime-dec-parse-line-test02/README.md create mode 100644 tests/mime/mime-dec-parse-line-test02/input.pcap create mode 100644 tests/mime/mime-dec-parse-line-test02/test.yaml create mode 100644 tests/mime/mime-dec-parse-long-filename01/README.md create mode 100644 tests/mime/mime-dec-parse-long-filename01/input.pcap create mode 100644 tests/mime/mime-dec-parse-long-filename01/test.yaml create mode 100644 tests/mime/mime-dec-parse-long-filename02/README.md create mode 100644 tests/mime/mime-dec-parse-long-filename02/input.pcap create mode 100644 tests/mime/mime-dec-parse-long-filename02/test.yaml create mode 100644 tests/mime/mime-dec-parse-odd-len/README.md create mode 100644 tests/mime/mime-dec-parse-odd-len/input.pcap create mode 100644 tests/mime/mime-dec-parse-odd-len/test.yaml create mode 100644 tests/mime/mime-dec-parse-rem-sp/README.md create mode 100644 tests/mime/mime-dec-parse-rem-sp/input.pcap create mode 100644 tests/mime/mime-dec-parse-rem-sp/test.yaml create mode 100644 tests/mime/mime-dec-parse-small-rem-inp/README.md create mode 100644 tests/mime/mime-dec-parse-small-rem-inp/input.pcap create mode 100644 tests/mime/mime-dec-parse-small-rem-inp/test.yaml create mode 100644 tests/mime/mime-dec-very-small-inp/README.md create mode 100644 tests/mime/mime-dec-very-small-inp/input.pcap create mode 100644 
tests/mime/mime-dec-very-small-inp/test.yaml diff --git a/tests/mime/mime-dec-parse-full-msg-test01/README.md b/tests/mime/mime-dec-parse-full-msg-test01/README.md new file mode 100644 index 000000000..b705bffc6 --- /dev/null +++ b/tests/mime/mime-dec-parse-full-msg-test01/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test some mimre processing + +## PCAP + +Previous unit test for MIME in Suricata + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 diff --git a/tests/mime/mime-dec-parse-full-msg-test01/input.pcap b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5e9e92d8011f20e74c7d75a795cebd6f52f43073 GIT binary patch literal 1685 zcma)+-*VDG6vj7cwThzXT{~W!;mT=A3ZX5U{u!78(`p!6NS%)3g#lK(6_QM{jP%Oq z=%ugVEBFe&ir09y*_BFRWW$*anLWSn+p{P6_4CJfoh%bI#^dB}?e~k1;%-ZZj&qHW zJRxOLzE8+ELNpQAS+bfD3vq;clC3X~$J)};iePB?{C^CxdYuJaha4?@ewQJ%b26ll zmvek*fQ*w&!VvmPn1{Y^LgrScbEUo}^i{59<)P2~;iwagpxtm!AfjIHDxDHgQLbGX z5?Y#u%ED+s$eMy4)tu&EYJ$3lm<8*zhW;`NWo_r7`8HwTagZY!(oS`boebK^Dn_Gn z>_ENMY}k7|;6eHGz+-*08w?H-?#klcvgj?RxVODMK!zhjdPA$_Sv{0PZ|jQDIy`Z~ zZQ6TfT=b%4JF{%}}l2qvtW`B?& z3Fp%U*;N?Lyuz?!ZPKM><=mbN*=S5fh*^M_}=&*m@ZuH)71-0sFc9L6VaTvsm-%y#4y+P9{aT&&R z)+8wrO%~3f&)(r|&7_)bJWm=G(kW5D7VWZ-;m+~@ zzcrXx5?gR^Gk|MuW=qb+*_$&A@!U)r1iN9;&q*gk^pa|j+pokEWGwbd=p}5jOT{=n WJ9ZNnPZxJ_i7xgP!NTSgAGJT~HBPwz literal 0 HcmV?d00001 diff --git a/tests/mime/mime-dec-parse-full-msg-test01/test.yaml b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml new file mode 100644 index 000000000..15995e67c --- /dev/null +++ b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml 
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/README.md b/tests/mime/mime-dec-parse-full-msg-test02/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
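Review bot: The first line of every new test.yaml in this series is the template placeholder `# *** Add configuration here ***`; replace it with a one-line description of what the pcap exercises, e.g. `# MIME decoder: full-message parsing (ported from a Suricata unit test)`, and give `- -k none` a comment saying why checksum validation is disabled (presumably the hand-crafted pcaps do not carry valid checksums). The same check set, down to the blob id 15995e67c, is reused by line-test01, odd-len, rem-sp, small-rem-inp and very-small-inp, so nothing in the checks pins the odd-length, trailing-space or short-remainder behaviour each test name promises; a regression there would only surface if it happened to alter one of these generic smtp fields. A negative check such as `- filter: {count: 0, match: {event_type: anomaly, anomaly.layer: proto_parser}}` would at least make any new parser-level MIME anomaly on these inputs fail the test. `smtp.mail_from:` also appears without a value in this rendering; if the expected value is genuinely empty, that field is not being asserted at all.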
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/input.pcap b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..fa58468f2674df0fed24199fd818db6198b3806d GIT binary patch literal 1704 zcma)+-Ez`E6o406t)eL7T{~W!VZ3l!5<}>ZrauEyVA=`;h3Iq~FAT8St&n7rWu#X= zM=yN^U%^-KRlLTt-Q7|tj0Dakgq-hudvcQBzkdEml4YW|@mLyVQOpWS7M+Bp@< zkVI#h0HI#<my{BWTy%CPdWhU8Yk4D%!QH zLP2+?p{g+nAY@HLk1Dms4OOD)b~bTX)u)r@-S zxCYf$qwehSfCt4d1CRC1ZZJ5I+?B=Mvgnr6+}myskWo{i+)%YRYld>@wyqhi!=?*v z!`aL4*k*p)d}Et-QQr{d_i%B)b@Z!g_HDluGHeyf&z$2|LqA(H$|biXyYvXNKdMlK zvuT2wFdHpeno!uVYYDvesj)^8$;AkhPL1 zRh-q$7XH!EwaOl+4pbwS13M3;Faq1M3t(+IdCMtm!-j=hI#rE=fdgU|;O<1YfdjK{ zMmp6Vb}nd_JK&zP81U->r!faA7M4!ckLwlVJ&j@(_=qsE&|%T|=r4AE;a>~j`k zCteNMi1v1&6Ab;H7hUdWH%`9NVgIaM?|s+|D&^DcB)81sFo+qyrZOLAgQipBV;Iv} zlO$P?(-D6a_C4nBLigN@V#@c2{Il_Ta^W2M>=n+gDZAOm`$;1^of7?P(Jl)at{i{g zbS;+c!&CpZWnw8-Rm1f`UhVPP>)(ah>op8<-jp+w#+h004b#bx + email.status: PARSE_DONE + email.to[0]: 172.16.92.2@linuxbox + event_type: smtp + pcap_cnt: 14 + proto: TCP + smtp.helo: linuxbox + smtp.mail_from: + smtp.rcpt_to[0]: <172.16.92.2@linuxbox> + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 0 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + event_type: smtp + proto: TCP + smtp.helo: linuxbox + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 1 diff --git a/tests/mime/mime-dec-parse-line-test01/README.md b/tests/mime/mime-dec-parse-line-test01/README.md new file mode 100644 index 000000000..b705bffc6 --- /dev/null +++ b/tests/mime/mime-dec-parse-line-test01/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test some mimre processing + +## PCAP + +Previous unit test for MIME in Suricata + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 
diff --git a/tests/mime/mime-dec-parse-line-test01/input.pcap b/tests/mime/mime-dec-parse-line-test01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3e8bb266b25a6103b0245e291f4e17daf003aae0 GIT binary patch literal 1736 zcma)+-Ez`E6o5BrwThyQckOs_hAXEfX$bw%^k-lSOsg=o5S@*o)ZER%E_kCR_(e_nnTzqVwkxUUgn z5K<=PhlG45L=kbFC#yMeA#Q=1WUI^Lv9h$ZA{YuD{~v>_UgrU?Lyi)>xX%!^3o@j~ zt2rJDAmcQbFhu<&%tP;+khzuVTv=Zc_0wF_G+@ZQc+~Yr&}rJI5K^aqmCXpKXxE+$ z3EiEB%El-_$XW_Lt~FY>)CBbaF$?x*4gGQ{%G@@f^)6xHa*$&gQl~mcCx<%ul+mo5 zG@#yYHLZQ_bH9AyI&7%-eD^Tnt}O1BN4G-Cz3cV}84VfI4OPptW~hK}>nWpsbZUd$ zvi6I+re569-tOG8Kw;Br_b?gpr4sCsujDEbm<9Zf07{y z=hFl^VJ2F%Q$lHb3nK1>97NlJc|puU(|~$?_{R7p>>sro^+P?`CAFSnohlX)kWi$2AcP$XJ0QV=t_AQvT z7}-oG?ha^=TVP+Z2=MCwrx6D#ZY-N=o-}LP2O37q_Yk3Dp(Eep)Z?0c6`+?J4>=34 z6Pqp@(f%HE{n+a};nhKYLr9Rz1s4a;q!~{D|=zD)VqQXf`80nl_y^ zNlFTGI^vtb&|%&l^e&w+qWmD{U$obg3+K>h-{I_&eGGcoG literal 0 HcmV?d00001 diff --git a/tests/mime/mime-dec-parse-line-test01/test.yaml b/tests/mime/mime-dec-parse-line-test01/test.yaml new file mode 100644 index 000000000..15995e67c --- /dev/null +++ b/tests/mime/mime-dec-parse-line-test01/test.yaml 
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-line-test02/README.md b/tests/mime/mime-dec-parse-line-test02/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-line-test02/input.pcap b/tests/mime/mime-dec-parse-line-test02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..56fc12bf4602ee652a3743bdebee8d2e4a219f9d GIT binary patch literal 1788 zcma)+-Ez`E6vr1@t)eL7T{~W!;mT=Afb>h#4`B*St1z@QIvvLg18mE-`I=-iz?IL@ zo6b1n6Zi_gg0JE=o^3W#DU2kXNl5nm{{KCDHot!U_?9G#BtAx?=x*ir%P- zRYD4clt}3zAzukeh`7#@<%}4JhnI}9lZ&HKVqsxPFcSFue+;sGodq0+oP_t{K0|2d zWJn*cX81?|GLAD5L+CGH9{RownOmOBmHG*xALnXX0W9W(gSI<>(}r;jJ~g|;bV@)) zxprho==LO37A66Nti;g6YQ6cF8lfH_X3qMopubFv(l!gwd>=7zImn?5X{R#7P6q8{ zV@9KVREJut+0b{n%iYq2Z8A&kxb}X;U7Fup7QN+S?p<$>kWrT*y`k08v>wW#x7C=@ zIyg4KXzIJgZA~q1sc$q@E5!>U{XL%F-zxg6$LzcQQpnI`NPp@Ke|7Yy#f(bXC`VO# zg4v&CNW$49L3WsiE?O~ReRBf>Zu%TV*?~D;$U#wnI$h{9-hszo^z$2Zi`L3;l=mogn z5r(V7w8coLPQ&&k?Qk889t!|}CU6>XpkiX_RO6^oRX$QbV6KA*6@?C5hf{|u#?V7w zc4%?tVI}f58_@0!wB69@n*MMvyY}vihSu3>qx)&YtyWI51$C&z0BXfivjSXEelDvug@b1og khK%`kUh)Qe`7&mld^j>97tiN+afvRz#{>=cfcSR)0aZPB?f?J) literal 0 HcmV?d00001 diff --git a/tests/mime/mime-dec-parse-line-test02/test.yaml b/tests/mime/mime-dec-parse-line-test02/test.yaml new file mode 100644 index 000000000..dc9acbeed --- /dev/null +++ b/tests/mime/mime-dec-parse-line-test02/test.yaml 
@@ -0,0 +1,49 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ email.url[0]: www.test.com/malware.exe?hahah
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-long-filename01/README.md b/tests/mime/mime-dec-parse-long-filename01/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-long-filename01/input.pcap b/tests/mime/mime-dec-parse-long-filename01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7707191091cb169f9583e27af35f20135e95abb6 GIT binary patch literal 2012 zcmeH|&2rLE6o4;Ktwy7ayLMchVdbU10z2DmM^lAlQ~Bi+=E zFVUs1;4AnFzKUx+x4Ds)!pH*{I70|I-}!Rx55Io?_?{#SBtAx?=xq7-%TMBLLq-xm zD}>|-DU#wtLcS7`5OJL$OKEW<9)2>)PA-f_iBxJ)FcNtEUktKzodLWLISK#8eTJx= zl_5P|&G1M7GLF&_L)1@U9(vz|%q>mk%K8aWKh8Cb9Q2tx7`DA3wCdIo1k~&@CHtZ@WE0MoorvL)GH6Ig~}Wm6*}o zKeE7Tm^=AxL(gyNZw%ci#seb#9?$Q$f_}A_ecMk#h9N`x=`;Ll=x4-?a>*)1U3!Aq zA7x0w=_EnUFas@`F=2gk143>G97NlJx&DBIrU7-k@P+Xn?Cdvd)jd7>h-y8>I;S|L zMMSky)?_U?@tSDcj%$@|PEDu=EDJ^+N`3%F&RB=srkT%~>szpz!$Vc7f#;YY<^tTG z5te7dw82o7)}VbsJKO}T$3noj4V;D?sCY0{sUOxW+It#=%ySW;W1)S|<<#Yxb?Kv* zGw5^XV<*-eHl*DGw7r4bwS&vu%<9|EbkIL-)w>@yyh`~vGtMou(Dy>dZ>Y@0xj|J$ zyfkexYn&7n88YVESyETHRxe`4@yVeT USv;TL;sPzc#RLP_xcG1Q0}W!#KL7v# literal 0 HcmV?d00001 diff --git a/tests/mime/mime-dec-parse-long-filename01/test.yaml b/tests/mime/mime-dec-parse-long-filename01/test.yaml new file mode 100644 index 000000000..e66357e2a --- /dev/null +++ b/tests/mime/mime-dec-parse-long-filename01/test.yaml 
@@ -0,0 +1,88 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: MIME_LONG_FILENAME
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 
12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ fileinfo.gaps: false
+ fileinfo.size: 25
+ fileinfo.state: CLOSED
+ fileinfo.stored: false
+ fileinfo.tx_id: 0
+ pcap_cnt: 15
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-long-filename02/README.md b/tests/mime/mime-dec-parse-long-filename02/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
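Review bot: The long `12characters…12c` string expected in `email.attachment[0]` and `fileinfo.filename` (it appears to be exactly 255 bytes: 21 repetitions plus `12c`) is a magic value with nothing explaining it; a comment above the third filter such as `# attachment name exceeds the parser's limit: it is kept truncated to 255 bytes and MIME_LONG_FILENAME is raised` would tie this exact length to the `MIME_LONG_FILENAME` anomaly check that precedes it. The truncation is inferred from that anomaly check rather than visible in the hunk, so confirm the limit against the MIME parser before committing the wording. Note also that `fileinfo.filename:` appears to break across two lines in this rendering of the patch; a reader should not mistake it for an empty expected value.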
diff --git a/tests/mime/mime-dec-parse-long-filename02/input.pcap b/tests/mime/mime-dec-parse-long-filename02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..91cd1f346af97c66bdfaf741531d8176ae6789e5 GIT binary patch literal 2268 zcmeH|&2kb!5P*jSjiM;!Eh!IOoUDZ1z~)aONkIiti9!*{YNad>4(yOj!v56GP?Af$ z_!2q#3ciA`;H!9!J=s}F2$Y;H7rI!M?XSP>ZDxP|`2KB%BuTtoT}68fzn*_md#gHT z@Uuopo{%yr-zVe?Aqf?iSu&qdC*l^&MAtWd1S>cph>R!Lz#z zRXe9cd%T$7kpN^IWFm&DKZ|+jeH}WtGMcOFCsh47*Rt}^<6eKz_6Km-un!<))HzS5 z6jZgVq(ehDMxnYf2_R%4hVIqs%|Fx#bq_I9_Gbb8GBL_p%R}=`#K7A@_H<~S>I9t( z>SSX^qq1Lz-Bz(FkfS{^q;Idof$ z8LgcI8|-Frv#?>Ag?00lWm@IRSXo;IA!#T$@^d%SuFwcR{T%N$@POHAVZAKqat;bmB z2&Yd)R4ZwZ*3yI5Lfdv+t4bv+!fwcOU=^Segka^Z709m@3;E*8IxOXJOQ&{2-z|cg z1-LsAwqJyCHzS=o?6*%@M;5_8;R5hYK{6qMsS8V|8vBi!@t%c(`yL`pEVSc$l6lgw z&ja*w`#s46?8LIm2h1r!+wXf04bQi-ORvvZzjt)la6YX1wd&jKFt^G@;0rFVsocZa zVCj^48OCVVFexf1*+4D_J<7cjbWUg}nB3~iuJLks;spBmD;!@l>gFNdPZk!^Db>Fg z>+pc%mE-r@Js2ttf4SvArKFt`7jsL{e=`k;h#U7 literal 0 HcmV?d00001 diff --git a/tests/mime/mime-dec-parse-long-filename02/test.yaml b/tests/mime/mime-dec-parse-long-filename02/test.yaml new file mode 100644 index 000000000..a5aac8c30 --- /dev/null +++ b/tests/mime/mime-dec-parse-long-filename02/test.yaml 
@@ -0,0 +1,73 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 12characters12characters12characters.exe
+ fileinfo.gaps: false
+ fileinfo.size: 25
+ fileinfo.state: CLOSED
+ fileinfo.stored: false
+ fileinfo.tx_id: 0
+ pcap_cnt: 15
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-odd-len/README.md b/tests/mime/mime-dec-parse-odd-len/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-odd-len/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
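Review bot: long-filename02 is the counterpart of long-filename01 with a short attachment name (`12characters12characters12characters.exe`), but its checks only assert the positive smtp and fileinfo records; the property the test name implies — that no `MIME_LONG_FILENAME` anomaly is raised for a name under the limit — is never checked. Adding `- filter: {count: 0, match: {event_type: anomaly, anomaly.event: MIME_LONG_FILENAME}}` pins that behaviour, so a future change that flags short names would fail here instead of passing silently. The `fileinfo.size: 25` and `pcap_cnt: 15` values are equal to those in long-filename01, which is consistent with the two pcaps differing only in the attachment name, but that is inferred rather than visible in this hunk.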
diff --git a/tests/mime/mime-dec-parse-odd-len/input.pcap b/tests/mime/mime-dec-parse-odd-len/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e1b7326cb0f8f63723be8852209b08ceff86c8e1 GIT binary patch literal 1751 zcma)+%~IM>6o4;iYfDSZbf?qB8CD%72obc6KLZFT7DORchv}jLt`dbLliXP7#^-R^ zSLiGB75XY&({s&Dp$Jm~XA(lrcfOo^l3zc6d=HXE;%~#DceL{R?H7KO5)s6Gfsh0t z8IpNQ$Q>a89`{kQ9N`z@W(B?M;Nox?SXfx%i~yehAA>C4M**)xPQZHen89nuLJ{|_Y^t>f;Sh)Nc5RCg z(5*?RXiNYIS@EHVg>v;T)k8f&%$)sMLBEKPlG6#Oe)Jf)9OO`h(8GK zG8Ajoin7B@W@fH>n%<4K%-){IU7Fu5if%EVJMQ)j8D$Z|4OKJKW+;Ykt3IQ)f1-j~ zRd$kFay+>i{~*WZjK3hl@A>?GtLRtu+2ej8WXK|fUwnpN8U19RkomcB6)~RC=9$u|r zb+VQiyc*gz{aSgAQ3Z;&9s@ZES<41FA#Xq;tt1o5#wM&Ka0`cuw%JpF&jLK22-Q?z z+G2!5b+>shx&B literal 0 HcmV?d00001 diff --git a/tests/mime/mime-dec-parse-odd-len/test.yaml b/tests/mime/mime-dec-parse-odd-len/test.yaml new file mode 100644 index 000000000..15995e67c --- /dev/null +++ b/tests/mime/mime-dec-parse-odd-len/test.yaml @@ -0,0 +1,48 @@ +# *** Add configuration here *** + +args: +- -k none + +checks: +- filter: + count: 1 + match: + anomaly.app_proto: smtp + anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION + anomaly.layer: proto_detect + anomaly.type: applayer + dest_ip: 127.0.0.1 + dest_port: 39202 + event_type: anomaly + pcap_cnt: 6 + proto: TCP + src_ip: 127.0.0.1 + src_port: 25 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + email.from: toto + email.status: PARSE_DONE + email.to[0]: 172.16.92.2@linuxbox + event_type: smtp + pcap_cnt: 14 + proto: TCP + smtp.helo: linuxbox + smtp.mail_from: + smtp.rcpt_to[0]: <172.16.92.2@linuxbox> + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 0 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + event_type: smtp + proto: TCP + smtp.helo: linuxbox + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 1 diff --git a/tests/mime/mime-dec-parse-rem-sp/README.md b/tests/mime/mime-dec-parse-rem-sp/README.md new file mode 100644 index 000000000..b705bffc6 
--- /dev/null +++ b/tests/mime/mime-dec-parse-rem-sp/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test some mimre processing + +## PCAP + +Previous unit test for MIME in Suricata + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 diff --git a/tests/mime/mime-dec-parse-rem-sp/input.pcap b/tests/mime/mime-dec-parse-rem-sp/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a4c57311343264bfd716c2e7eebc0e2534a5569e GIT binary patch literal 1750 zcma)+&2rLE6o4tjNhZ0e;6k6H zOJBiP@D+R&*LZGoBS>K+a3&$-eCNx#C;9dB$M+yvB>pxWdPgh2Uw`69DG@>37YIoZ zk|CMLgnT0;z~e4TmLvQ^+^nFN9b6m^0}BgFoDsnD|6`ElyC~pw$O%}l9x{0CmT+vicFW`7hR z2p5wCF<~-V)O^B5It32XYzDmTpc|IUK$3tOZTPIS4(#mL%Ei67xAST}$2v7E!o#Z- zJf5s22Cs&;O}|!NV^o2nt;ax4Le{cDPRJXONGr*Nvatzk3EaY=qHXpR;IjY^Cqgw9 zn6?<$slOPKHCge>K|DEgkP1 zfB)Nqkdwq`h&)RqcH%WUh$l>$x8p_?gwm+Ek~>d>=IMFPmpoC`CIW1hKOjK literal 0 HcmV?d00001 diff --git a/tests/mime/mime-dec-parse-rem-sp/test.yaml b/tests/mime/mime-dec-parse-rem-sp/test.yaml new file mode 100644 index 000000000..15995e67c --- /dev/null +++ b/tests/mime/mime-dec-parse-rem-sp/test.yaml 
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/README.md b/tests/mime/mime-dec-parse-small-rem-inp/README.md
new file mode 100644
index 000000000..b705bffc6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-small-rem-inp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mimre processing
+
+## PCAP
+
+Previous unit test for MIME in Suricata
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/input.pcap b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1b4b1bed3397c0d4c2dd551baa6863692460fa8d GIT binary patch literal 1757 zcma)+&2rLE6o42?kGi`=q=(g-LYCDH2 zs8wY%xh}_(Yw`DTT+a9lBK)4t?zfD7WuHCn7ea@)INHS2Zh8D@VH zAqZ!a1TkSUTGV{PYB~iD(`*L3?VuZ$%RrKV8g2NZvkq+T)XK%}xVQ6aJ;yp9u?P>Z zR`7VTmKeMm+BW@Kd5uv8inbmDISE5 zRAAa-ghO?=c}ZJL0kxw$fL{$5br?{7W8qMxR4GU&)OK{!Ktvo1?U)9m29wl*gt-F-liJB}i1)8XTe_v= zo#XF+doWTO`^VM{=bYM7!DyLn-MCPosX25l#qUx*?XpHachxvOxNhur-NqmXR%?*^ z+8pGnpeBzl8pa8@rFw3^w0qEL_R`mFoY*XG)0-qo{CwOSv@j0ZjIX6;gamK=K^uRx kULa$(M=N-P!+Pm6j*d&JXYq1&i%Ycl<`ZNba{hAs1I;RG0RR91 literal 0 HcmV?d00001 diff --git a/tests/mime/mime-dec-parse-small-rem-inp/test.yaml b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml new file mode 100644 index 000000000..15995e67c --- /dev/null +++ b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml @@ -0,0 +1,48 @@ +# *** Add configuration here *** + +args: +- -k none + +checks: +- filter: + count: 1 + match: + anomaly.app_proto: smtp + anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION + anomaly.layer: proto_detect + anomaly.type: applayer + dest_ip: 127.0.0.1 + dest_port: 39202 + event_type: anomaly + pcap_cnt: 6 + proto: TCP + src_ip: 127.0.0.1 + src_port: 25 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + email.from: toto + email.status: PARSE_DONE + email.to[0]: 172.16.92.2@linuxbox + event_type: smtp + pcap_cnt: 14 + proto: TCP + smtp.helo: linuxbox + smtp.mail_from: + smtp.rcpt_to[0]: <172.16.92.2@linuxbox> + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 0 +- filter: + count: 1 + match: + dest_ip: 127.0.0.1 + dest_port: 25 + event_type: smtp + proto: TCP + smtp.helo: linuxbox + src_ip: 127.0.0.1 + src_port: 39202 + tx_id: 1 diff --git a/tests/mime/mime-dec-very-small-inp/README.md b/tests/mime/mime-dec-very-small-inp/README.md new file mode 100644 index 000000000..b705bffc6 
--- /dev/null +++ b/tests/mime/mime-dec-very-small-inp/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test some mimre processing + +## PCAP + +Previous unit test for MIME in Suricata + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/3487 diff --git a/tests/mime/mime-dec-very-small-inp/input.pcap b/tests/mime/mime-dec-very-small-inp/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d217b5124e8f1db3ac72d40fa6ea82b09b4ff014 GIT binary patch literal 1754 zcma)+-BQ|65P%P8YfDSZ^iHQ2J6v^?AVknM{tO_XSP+F&9i|rzaFi${ndHPm$C=Lb zExhb2^cDIFeU)C*J?5lP#3_NDgpmFA%brbs{rvGgNal&Z4Ts**((l)w_)$tk5cdT_ z5`<((<}o2(2?_AHjgrL(zYsSo=w%1zhr__!+yZ9=@cjQ6Wbrl%cpY*A)~ovrUOOg2 zc)WSQBLK)aig*lOe-87|`z}Oob~0Dg5Agbat}G{@s~c{=Y4)LBQIEi;T6+))QS3x zO14ynVy#+HwwTGx%tcSryYZIU+wr&yv%5vnE#`B_-JT$$EJC=UYG&FD#n5fpXVi9& zR8XtRR&qm*C)eZe?y!!0q#$P zYAP^oF~Xs`+q|SLrhwYf9l);!j5-V`zp-$rQmPcB6KXrUX&@qwg?3GYQG-e9z(TK{ z+hw|iomlPZecIlHrs*1O%^qw=R}QYI+dZpS+KrT1$R9^Xxq02OOh;#TRNcVYpy3ez zNYZ51D9J0xXrHZGT}?MOq1DlBhq7&#ol9>=7d}9reuvX*dflw!dQv+X4)OlgXiK+r zymS2hZx2RFWB=Hi;ha-jDi|%Zts55#G&P5=r}$l}r(M>l=dK#3hu4k0uG<*oz-kS0 zUz&ql71ZSMMZ-7&w^Yv^l=cog&0hK%2Uf$FW-CejeB7I|FizQw@1$mg1aJH)8-K1| jAY-=YDtLpFdg(KcKa^C@;^piXmuT_LC&)PA{LT0WCah^G literal 0 HcmV?d00001 diff --git a/tests/mime/mime-dec-very-small-inp/test.yaml b/tests/mime/mime-dec-very-small-inp/test.yaml new file mode 100644 index 000000000..15995e67c --- /dev/null +++ b/tests/mime/mime-dec-very-small-inp/test.yaml 
@@ -0,0 +1,48 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
From a89bec8a47728ee1471d5925f77c3e85d1c84a39 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Wed, 6 Sep 2023 17:21:31 +0200 Subject: [PATCH 2/2] mime: fix tests for bug-6207 Fix manually crafted pcaps to have valid MIME headers folding beginning with space And removing the test for BODY_BOUND which is becoming obsolete
--- tests/bug-6207-1/input.pcap | Bin 7567 -> 7567 bytes tests/bug-6207-1/test.yaml | 1 - tests/bug-6207-2/input.pcap | Bin 6750 -> 6750 bytes 3 files changed, 1 deletion(-)
diff --git a/tests/bug-6207-1/input.pcap b/tests/bug-6207-1/input.pcap
index 26fafb50f2bc24dd6a02b601f661842c00bc0c73..ebae12bf223e99525604903ddca7c130287d1c86 100644 GIT binary patch delta 22 ccmeCT?zi4BL5PVwD0AHvFcmMzZ delta 22 ccmca-a?fPL1R*9~uE~>xJb={ZJ3>wD0A580QUCw|