diff --git a/tests/ftp-epsv/test.yaml b/tests/ftp-epsv/test.yaml
index 69848da45..75fadc34d 100644
--- a/tests/ftp-epsv/test.yaml
+++ b/tests/ftp-epsv/test.yaml
@@ -11,3 +11,9 @@ checks:
 event_type: ftp
 ftp.command: "EPSV"
 ftp.dynamic_port: 58612
+ - filter:
+ min-version: 8
+ count: 0
+ match:
+ event_type: anomaly
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/test.yaml b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
index f9049447d..ea552ac94 100644
--- a/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
+++ b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/test.yaml b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
index f9049447d..ea552ac94 100644
--- a/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
+++ b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/mime/mime-dec-parse-line-test01/test.yaml b/tests/mime/mime-dec-parse-line-test01/test.yaml
index f9049447d..ea552ac94 100644
--- a/tests/mime/mime-dec-parse-line-test01/test.yaml
+++ b/tests/mime/mime-dec-parse-line-test01/test.yaml
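Review bot: The new `count: 0` filter in tests/ftp-epsv/test.yaml (and the identical one added to tests/smtp-eve/test.yaml) pins the absence of APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION from version 8 on but says nothing about why, so a later reader cannot tell a deliberate regression guard from a stale expectation that was never cleaned up. A one-line comment above each filter would carry that, e.g. `# 8+: this anomaly is no longer expected on this pcap; count 0 guards against it coming back`. Note also that `min-version: 8` sits inside the individual filter here, while the new tests/smtp-errors/test.yaml gates the whole test with a top-level `requires:` block; if these two tests are meant to keep running on older versions the per-filter key is the right choice, otherwise the top-level form is the simpler one to maintain.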
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/mime/mime-dec-parse-line-test02/test.yaml b/tests/mime/mime-dec-parse-line-test02/test.yaml
index 3b802ce14..b4c562d52 100644
--- a/tests/mime/mime-dec-parse-line-test02/test.yaml
+++ b/tests/mime/mime-dec-parse-line-test02/test.yaml
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/mime/mime-dec-parse-long-filename01/test.yaml b/tests/mime/mime-dec-parse-long-filename01/test.yaml
index 701e46805..16168ae19 100644
--- a/tests/mime/mime-dec-parse-long-filename01/test.yaml
+++ b/tests/mime/mime-dec-parse-long-filename01/test.yaml
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/mime/mime-dec-parse-long-filename02/test.yaml b/tests/mime/mime-dec-parse-long-filename02/test.yaml
index aa1581fe8..36ef88541 100644
--- a/tests/mime/mime-dec-parse-long-filename02/test.yaml
+++ b/tests/mime/mime-dec-parse-long-filename02/test.yaml
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/mime/mime-dec-parse-odd-len/test.yaml b/tests/mime/mime-dec-parse-odd-len/test.yaml
index f9049447d..ea552ac94 100644
--- a/tests/mime/mime-dec-parse-odd-len/test.yaml
+++ b/tests/mime/mime-dec-parse-odd-len/test.yaml
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/mime/mime-dec-parse-rem-sp/test.yaml b/tests/mime/mime-dec-parse-rem-sp/test.yaml
index f9049447d..ea552ac94 100644
--- a/tests/mime/mime-dec-parse-rem-sp/test.yaml
+++ b/tests/mime/mime-dec-parse-rem-sp/test.yaml
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/test.yaml b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
index f9049447d..ea552ac94 100644
--- a/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
+++ b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/mime/mime-dec-very-small-inp/test.yaml b/tests/mime/mime-dec-very-small-inp/test.yaml
index f9049447d..ea552ac94 100644
--- a/tests/mime/mime-dec-very-small-inp/test.yaml
+++ b/tests/mime/mime-dec-very-small-inp/test.yaml
@@ -2,20 +2,6 @@ args:
 - -k none
 checks:
-- filter:
- count: 1
- match:
- anomaly.app_proto: smtp
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- anomaly.layer: proto_detect
- anomaly.type: applayer
- dest_ip: 127.0.0.1
- dest_port: 39202
- event_type: anomaly
- pcap_cnt: 6
- proto: TCP
- src_ip: 127.0.0.1
- src_port: 25
 - filter:
 count: 1
 match:
diff --git a/tests/smtp-errors/README.md b/tests/smtp-errors/README.md
new file mode 100644
index 000000000..ba710d16e
--- /dev/null
+++ b/tests/smtp-errors/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Test some SMTP parser errors on unknown reply codes
+
+## PCAP
+
+extract from QA TLPW1
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/1125
+https://redmine.openinfosecfoundation.org/issues/5491
+https://redmine.openinfosecfoundation.org/issues/6821
diff --git a/tests/smtp-errors/smtperr.pcap b/tests/smtp-errors/smtperr.pcap
new file mode 100644
index 000000000..b8c3422cd
Binary files /dev/null and b/tests/smtp-errors/smtperr.pcap differ
diff --git a/tests/smtp-errors/test.yaml b/tests/smtp-errors/test.yaml
new file mode 100644
index 000000000..e03549ccb
--- /dev/null
+++ b/tests/smtp-errors/test.yaml
@@ -0,0 +1,43 @@
+requires:
+ min-version: 8
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: INVALID_REPLY
+ # 472 unusualz@prg-dc.dhl.com DNS A-record is empty
+ src_port: 49740
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: INVALID_REPLY
+ # 500 5.5.1 Command unrecognized: + junk on new line
+ src_port: 49274
+ - filter:
+ count: 3
+ match:
+ event_type: anomaly
+ anomaly.event: INVALID_REPLY
+ #no anomaly for 4.7.0 [IPTS04] Messages from 173.166.146.112 temporarily deferred due to user complaints because tx got closed before
+ #src_port: 49448
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: INVALID_REPLY
+ # client does tls hello, smtp server replies with
+ #400 4.5.2 Error: bad syntax
+ src_port: 50649
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ # no anomaly but error for 4.7.0
+ stats.app_layer.error.smtp.parser: 4
diff --git a/tests/smtp-eve/test.yaml b/tests/smtp-eve/test.yaml
index 03876091b..bf95e177a 100644
--- a/tests/smtp-eve/test.yaml
+++ b/tests/smtp-eve/test.yaml
@@ -136,6 +136,12 @@ checks:
 tcp.tcp_flags: 1b
 tcp.tcp_flags_tc: 1b
 tcp.tcp_flags_ts: 1b
+- filter:
+ min-version: 8
+ count: 0
+ match:
+ event_type: anomaly
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
 # Check the stats. A stats check is a specialization of a filter
 # that only checks the last stats entry.
diff --git a/tests/smtp-long-DATA-line/test.yaml b/tests/smtp-long-DATA-line/test.yaml
index 483b8c0de..91c799247 100644
--- a/tests/smtp-long-DATA-line/test.yaml
+++ b/tests/smtp-long-DATA-line/test.yaml
@@ -7,11 +7,6 @@ args:
 - --simulate-ips
 checks:
-- filter:
- count: 1
- match:
- anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
- event_type: anomaly
 - filter:
 count: 1
 match:
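Review bot: The third filter in tests/smtp-errors/test.yaml (`count: 3`) carries no `src_port`, so it counts every INVALID_REPLY anomaly in the run, which is consistent with the sum of the three per-port checks (49740, 49274, 50649); the commented-out `#src_port: 49448` directly under it makes it read as a fourth per-stream check instead. I would state the intent in the comment, e.g. `# total INVALID_REPLY anomalies across the pcap; the 4.7.0 deferral (src_port 49448) raises none because its tx was already closed`, and fold the dead `#src_port: 49448` line into it. The last check matches `event_type: stats` with `count: 1`, which only holds while the run writes a single stats record carrying `stats.app_layer.error.smtp.parser: 4`; the comment in tests/smtp-eve/test.yaml mentions a dedicated stats check that looks only at the last stats entry, which would make this assertion independent of how many stats records are emitted, if that check form is available here. The comments `#no anomaly`, `#src_port` and `#400` also lack the space after `#` that the other comments in this file use.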