6 changes: 6 additions & 0 deletions tests/ftp-epsv/test.yaml
Expand Up @@ -11,3 +11,9 @@ checks:
event_type: ftp
ftp.command: "EPSV"
ftp.dynamic_port: 58612
- filter:
min-version: 8
count: 0
match:
event_type: anomaly
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
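Review bot: The new negative check (`count: 0` on `anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION`, gated by `min-version: 8`) carries no note on why this anomaly stops being expected from version 8 on, and the identical unexplained filter is added in tests/smtp-eve/test.yaml. A count-0 filter passes whenever nothing matches, including when the event or field name is later renamed, so the reason belongs next to it; I would add above the `- filter:` line a comment such as `# from 8 on this pcap must not raise the one-direction detection anomaly (reason: <fill in the behaviour change>)`, filled in with the actual change that the accompanying mime-test deletions seem to rely on. The checks list continues outside the hunk.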
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-parse-full-msg-test01/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-parse-full-msg-test02/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-parse-line-test01/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-parse-line-test02/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-parse-long-filename01/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-parse-long-filename02/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-parse-odd-len/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-parse-rem-sp/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-parse-small-rem-inp/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
14 changes: 0 additions & 14 deletions tests/mime/mime-dec-very-small-inp/test.yaml
Expand Up @@ -2,20 +2,6 @@ args:
- -k none

checks:
- filter:
count: 1
match:
anomaly.app_proto: smtp
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
anomaly.layer: proto_detect
anomaly.type: applayer
dest_ip: 127.0.0.1
dest_port: 39202
event_type: anomaly
pcap_cnt: 6
proto: TCP
src_ip: 127.0.0.1
src_port: 25
- filter:
count: 1
match:
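--- a/tests/smtp-errors/README.md
+++ b/tests/smtp-errors/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Test some SMTP parser errors on unknown reply codes
+
+## PCAP
+
+extract from QA TLPW1
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/1125
+https://redmine.openinfosecfoundation.org/issues/5491
+https://redmine.openinfosecfoundation.org/issues/6821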
Binary file added tests/smtp-errors/smtperr.pcap
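--- a/tests/smtp-errors/test.yaml
+++ b/tests/smtp-errors/test.yaml
@@ -0,0 +1,43 @@
+requires:
+min-version: 8
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+- filter:
+count: 1
+match:
+event_type: anomaly
+anomaly.event: INVALID_REPLY
+# 472 unusualz@prg-dc.dhl.com DNS A-record is empty
+src_port: 49740
+- filter:
+count: 1
+match:
+event_type: anomaly
+anomaly.event: INVALID_REPLY
+# 500 5.5.1 Command unrecognized: + junk on new line
+src_port: 49274
+- filter:
+count: 3
+match:
+event_type: anomaly
+anomaly.event: INVALID_REPLY
+#no anomaly for 4.7.0 [IPTS04] Messages from 173.166.146.112 temporarily deferred due to user complaints because tx got closed before
+#src_port: 49448
+- filter:
+count: 1
+match:
+event_type: anomaly
+anomaly.event: INVALID_REPLY
+# client does tls hello, smtp server replies with
+#400 4.5.2 Error: bad syntax
+src_port: 50649
+- filter:
+count: 1
+match:
+event_type: stats
+# no anomaly but error for 4.7.0
+stats.app_layer.error.smtp.parser: 4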
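Review bot: The third filter (`count: 3` on `anomaly.event: INVALID_REPLY` with no `src_port`) is a total over the whole pcap rather than a per-connection check like its neighbours, and the commented-out `#src_port: 49448` under it reads as a leftover rather than as the explanation. As written the check does establish that the 4.7.0 reply raises no anomaly (the three port-specific filters account for all three hits), but only a reader who adds up the other filters can see that, so I would replace the two comment lines with `# total across the pcap: the three replies checked individually above and below, and none for the` / `# 4.7.0 "temporarily deferred" reply (src_port 49448) because its transaction was already closed`. The comments in this file also mix `# text` and `#text`; `#no anomaly`, `#src_port` and `#400 4.5.2` should take a space after the hash like the rest of the file. If the 4.7.0 case is meant to stay individually verified, a `count: 0` filter keyed on `src_port: 49448` would make that explicit instead of relying on the total.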
6 changes: 6 additions & 0 deletions tests/smtp-eve/test.yaml
Expand Up @@ -136,6 +136,12 @@ checks:
tcp.tcp_flags: 1b
tcp.tcp_flags_tc: 1b
tcp.tcp_flags_ts: 1b
- filter:
min-version: 8
count: 0
match:
event_type: anomaly
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION

# Check the stats. A stats check is a specialization of a filter
# that only checks the last stats entry.
5 changes: 0 additions & 5 deletions tests/smtp-long-DATA-line/test.yaml
Expand Up @@ -7,11 +7,6 @@ args:
- --simulate-ips

checks:
- filter:
count: 1
match:
anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
event_type: anomaly
- filter:
count: 1
match: