From ce69fa785f20bb1fdd4cd6d3cf40c78c4670aace Mon Sep 17 00:00:00 2001
From: Mahmoud Maatuq
Date: Thu, 13 Jun 2024 22:37:09 +0400
Subject: [PATCH] imap: add test for protocol detection ticket #2886
Signed-off-by: mmmaatuq
---
 tests/imap-detection/README.md | 10 ++++++++++
 tests/imap-detection/input.pcap | Bin 0 -> 29003 bytes
 tests/imap-detection/test.yaml | 25 +++++++++++++++++++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 tests/imap-detection/README.md
 create mode 100644 tests/imap-detection/input.pcap
 create mode 100644 tests/imap-detection/test.yaml

diff --git a/tests/imap-detection/README.md b/tests/imap-detection/README.md
new file mode 100644
index 000000000..294fe6089
--- /dev/null
+++ b/tests/imap-detection/README.md
@@ -0,0 +1,10 @@
+# Simple test for imap protocol detection.
+
+## PCAP
+
+URL: "Pcap imap.cap provided with redmine issue https://redmine.openinfosecfoundation.org/issues/2886"
+
+## Related issues
+
+Ticket #2886
+
diff --git a/tests/imap-detection/input.pcap b/tests/imap-detection/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..517936db75a11c72120d26685fb9b70df7a1bc85 GIT binary patch literal 29003 zcmeHQ50qPFm46*tm`)w6yW$oR{5mR~j*~R+<TFRT`&E$2G zyz#x4nWk9&D6C=^>dFEOEC#_UpY~hx3=HvIj=eT8fF?!DX{o{kJ z+z_7Ai~GT^zp;knE@{2}-v4Rkq8!&d7w+TwPCn@?AHIp4_Tih}w|Dhs?!YVOcMJ5x zceL!=^V)unYgxYH{^c#LZOad(*3tKuopchT{Nzw8*NfNmGH4p~8Rc&BFMZtQCtoL0 zs+2l+VD;v%!&*0}yD#~R4*!lv4ax?WtIliXd>})wIxaisB8&(8_%T1n5=AQE4sX=-RhiIC4;q5^FmApZpNVb&=8Y$cUU)6-}AYNpw#-D;6dt z5*rC6JgPLq6HQWQB$eROWTim7POnq&d0kGyO*)Ht)sYwFoJ&|wR7uQ~+S{lIt^`{) z;GzuNlMTRKM!~K5g#oU2TPrsRT=c4&qTt*Bqw-)wDr@%bdG3KqGO@q z_mkn#&9S&+EIJS!!|Nm&3B`u{N4HhI6Az6gL8mA$qmY zK{~dvM~5*`>9v*I`51#rSB%m=x{U)P_a0)rVQ)!t*f{*VD9K;g|)1`lfki zU<^xbr#VknF+?s|#eEC2M6WtAJU%zX#L#6C!^gW07rj&rFN_;v@Q{IMDm+N|Af~O; zz!!^Sg~vm~kx(j1#s_EIOQ(iD5}@_y^{Y4m`zpPxs4Ll z&o-pBX6?rRTgz0dJX__7GBs&TN=pT-pPGs5;CV+}nQ`!eK!CXXLANjH^$>^4=W=z_ z%&Oq>2H4d8!Dp3R>UO#JwYNn?T?&#^w%AR0o`6ZxfXVi@0aeKdNyipRSEY1T?V);--P_CUH^6HciIp7zJv$s|Fa6G!0*aIt58@AQJLN1W$i}_x4A4 zp7#fM-i6r>c)YwX8X9m3K0e@ah3WUpJ2`j^D+L|nI#Q)+Oo1-#(Kk%zM7eNId)rF* z2dXCN8#`o8arph-fP;rwYHwq9KsW}`dxW6CHxj*@_ws)%qNhx{3?~0XL?1a$qIW~| z)Pj8Nrd8Y=d?b2VEy#-h{5NJn=00C*K}tNcMzA2uq8vvp?UCD#K#=bVy1k7Qi1&E> zCrp7ncDAF2$zxQYS&3*_rI^c*;`F2{W+b93WLz#}h~FtVg=x3b=_F;-5z6UVNzO>! 
zWK54jd8@4%UDvNlg@Rb!!%7O|1I`@OFIsArKvCY5a@mK>emM#iM+T*<+9 zyTu_b?>pY3-gg2)uP+EcyOGPm2YODNPVkG;39l!JK#DP2F(0X-T9DLkG9>4r4mx{f zim}?^V9EeLM#|+7uE1?bGk0TJRmS0dXhhG-8p$ha0m^cuIzcV}*J1hhws7pSTK<;Y z!-nrjYAyd|KQ=A@$_F^Ev5VsN1;SCc>$qvw0`pZ?Dc{km6z>Yck#+eSsuaAf6Qxof zcc7wDb>@XK*%K53B%DOhSN36t#PkP>Qm#}WgT;alUCQEz-?Ka0msNC{=5Zpts@AB1 z*-VfODN~Y0f5V=U5&AhpeKa|TtWieXD@j^4iEc8k6r?QjMSl0LfWNOKW)+1}=q5Ac zQ)0;_>=F?CR=wZeW*W*&Mot&CzFAe);W8Uv8W#(h(k{1$jX^cB{qI-V<)21a)c3X8 zsL$c-I(+5&#Om2YZ~d(i3w7UW=gEAP>GO*gPv*+?raoWWj@Z$dvTjl+>Un9B7iyFRRjC(hD~$-?vAW@ZYJZlhsRM41rQsnWa9Mn8|E_GUsKTXd(^mhy?Eo=~0+n zaT@kn(#|y&NI8tF1a=EJS{32CJU+M28FKSJ!PBS9GfGY_FU>J&0wWdDl7`^V6N-8U zqHcFM%=Zi4aLDfyyif=)a&aEPA8Ua+A3c7^Eh$+3Y1@|Ad$_ha@{+E5P z+B}3i;5uQBVo#N$*vNu=U53i~k>u`7BvS~%4NE>IN=QS@U_0-n&VE|dq+O8ryg{wj zTxP_>St&hbcmPUKU%S@OPoy%Cu#Su&Gu4~Piy2kU^l4IFaTX+fQ}?|2>Q{?t36?*X zQ3_&4B)#ML@^fW_8rYQ=)hT@zmaA_QElmYXtG@}}o+6PkB|U|#tOP=eq~b*%+od%QyQ*d$33 z`Y=s;r9B04rc|>ffFc458RoZo9TxAA*jFi3)zcMDF+hs4~4zFBEp z;Cq~msmdl_xB29YIbEI>ReeKV-Xmqsfpc&bjMSHA<9}M!V-t%NwHRRjVc<&0?Vrg_7Y>*g%b1G3RbA zdf+0L9mHxAfJl$}GZ|$Trl8k&m2tbP7I@X*W1)B?Mi&;&Ig~g!I_(iRtSw^3q z33E?5KD$9m$;(iMbXEoWUR}vU3G>jze7@}bHM7lvfFt{!9+$7qHoK3_Hv3)Fk97Op zW!vobcww7+d@k?2ZH5gs4$qD_U&p(VmdoHm$x1$}0?v%=>LFJc7#M8@~li_~&7~4PQK2w{M zx$Zf0|9JHf$BiRsDXh~;QIm*Bnakk33OJ(nnw56ebf50w!fyGl_JvuHe98NSc^X;Y@{cVgW(TZYeWqT8`>?l#M{sDXFYP%E@Um zE9+SjM->Ik5Ta0xAmzsnyClSSIR#^AL{svTE+cbB^<;h%HaMOF7dQ}emQ$0*X1Dlo zf4|GW*aNNeVL_h%j}|*?o?v$9(Rw>{{eD^z_xg`fd<81^J=wzDj0`)ytk%3`{~WVJ zk1ngV=GX5x?ND|nqJag^T^22{a+U=ZF-N<W%Ur zONOvxP%i96PHKdv8Ca;ErEfG<>#Zo9g7>yggTIbiNqW$A%;#?5o`~P)U8J#ESpEwl zVsfWNSRPvTWyl^*Xr(lfD(bIKKgmwr&u8lXNWHq>@C&N$zxt4&?y2{l#Pvhd=~Y*} z<(V5}RPJv`1;txeMU3JtFNu$iCfeI5U;Edc#3ewCUe*P~^}oax&|{WL#v6Wt1r)?a z&TrpfQUq{Hw5IBh(qEgk#hqjvKWyPR*md~ER)%{A$880b|9#HD+yr-uQMs=n72y8x zSq7KBGHy!otZy5b8{W3ww-2DY=oQA|KXX-?BubEPcP?2AQ*bp$@|>7t&GZD4XFV4#-A8mnkN<5ca5^V_BKj<>+hCx zG0>$~o#@XQWK%GauuMS*reG(g;MAzde7MS1Zcrwa@YSs=YzkgtjPR~|EQD$K-A zox0*aj=Pj@=Gb9rg`7Mi;Y^KXz_q+S?JO6Lk 
zQED0)b%w)E)NMGUku6l(4c_gf<;uzE*j7g>oY)Y9*)w-E0(Uwm;Us`SUDE3fk4l?X zlpLKh-scNoCr4(3Zb%5}>S-HXR}-u*i=?9OK?rP~!B_wssV-N`yn4t*&$HJPaM#as zH7Uw5JdkpFp-vSVFQxfA9%@!tMP=PRPM#`l^+45F7O%fT&%FLtQ>zrBQvTs^H{id< z5Ez1vHC*JK^EY$wOhbE(#l7uuYPz6pul*I8JDcg(aKJ={6#FT0Ega0Z_&YsSPI+ z2$Dn<;xCA^_(^AgekX<6mnjYB)9jTw@8zFVD9uGx`(aaX4JNwwgNE=3^>&(ykCsyj zB*f%b`)xy-gf!8N+7H*RLPF>*0*e(Pot#FA5UU8SBVvl-k`Xe9x)Fks6ZBf%{erYih zL=lOnp#V)HrXYu?|oJ9}ob;canV6Dt4wb!b|Og}a|5f&mZ=R_4h^T~yOq$Arck z#vI4e%;*@&V{Dmu5tSAN)G5++EY&i~(#mYpkr=HH6tN6ws+pz?35mcxE-6K0hZ4cf zB%Y#(gZj$23r9ySmyMQJ>=jj;-MzMIvyG{Z<&IXWHlG@#Ve(IYZK%y18&_~CXbioq zYQqf-Gqo9y)~d~?22Hg&H_vf!PiX?Dr*Q&@a(ctZY&qS|IQ_CE6sMd{FiyYAaXUff zijfs|37iWVm49wX1p&Qwn-S3a%ZUt1(KEKfCV}$XYD1mgK_*t3&%xpd<&D*0dNf5&s@}Ehx=kiDK?T6rQdSUHlx0aacsH4)^R0p-_LN%2JY4GIN1*O zC5+0aEw~LTz`eK2;1ah7vJ@lbOIdTW4emV*x6g|Ee&D_qxW7M|H7Pd3y?^9nyRB!O zag2(f>h=bXYk~VIhC6KFe)UdU+-XMTQw^yAcL{fgQh5tixP^muxJwMT*NXco;Jz8S zpNS(FGAK5~{pe3^ac3CEpR;g$GjPAiaGz=5zIfd!cJh`Ol{*_!0q)uF8(g}pa6hpA z6dQT(Ww;G{U#A3HZRGtyhFh@Weiv{* z1l*rH4_h|Xb8ka?PU&Z+ZF^_zW*pyb;rJoo_A%U_<+wDcd~u5{?kPs))`nDoThAF> znnwtf;>PWExG!V4T~^#a;C=$QKN)+$q}WK$DShcCTiiLuvDFek0o)0O`)ULC*^X6q z^3F3VH(PKURDfF>Fu3d~>pA1gwaP}`mowZOthmu^!SNh$-#GXUlVUU6m+!N!P$@8u z4_Y{W4!CzS+`Bj~gV}pJW_whoFe*1SqypS3F}O56ElTmB5xb+ZI~eX$t+;ms_w&I0 zvCa3H6dU2D^h4L#9+gcqjz4MP_<7*Iis23*c?K%mUS7#%u%_r$cVx76PGwZohE#z2 zrbi7f10;!jca(U@`&n}bG;$b5?}bVejB>{dxXpCT-9KuxX@~Nc_fgO0R*V0A@TynN zcfJ)fvtyUT91}BR3|oDAN(VUf-)$WH0Cv@Zx^PZopz^h#oNvX{+)kZP{Woj?oF$l` z92QWOP9A1+k1{al&+LG`odLVW3hZ_O3jtVH_HE|4O@aO7=WVnJ6T9kw^~~uE*Z~W$ z5P&^Mf&KCnV*nnVOA=e+o1=y}p8V!2E)Sygstbp9oyNGnd3|k2aPUEJjZQ1%jL0+e zV9zs865UXQN^2CDYV;%kp7Mw_2fkEPTb@~E*XE_j5PiggC;>#TP(+Sb4Mc+3zNFIT zh0^YQaTWJYqz33^1-9%h?_j`g`k)2aD*!eDU@I;}f1esGUBrci(wnHui@>_;EY#(N z&eSz8*>-uEp;Bo1oka>0U5D?2jo!EC{+A3Xn1w7T^AOAi1U1b{-moq&6l3Q@?KU-t z4yFzJGPT-p7b-b7EKjU?_hcSHEwrIgsm@YI7Bg-BXVZ~o0g*3tVtGTF@Ep%hEY=<> z)Pf8>(r#0z;$#+NFCxk6bn`zwZCa3L;n5Xr6{n`TNo_gbQU{hl`3@`#sK!#4jpNW| zXXyXrCkopZA+Ubf^VH!SZueD4$V;QV{Y@=+=;JZ9&~ 
zxR^fgv3N4~K4I$f*>`hXRg1)>t{O+wRl_W=uDPAlcG)a-(=hJz_;c*0aeVH4w&@hG z)CZ%g4@Sd|Hw&!IKi>WqRX3Ni&K1=1{|=VFxhKOj%YUiGlX+mDY58AhLuccq{uc|j zd8z6GvDE*fLH`S?i7!8H=Yt4L6K5_s z_CMR^8E@W(6*!=2*eqoMIal>vuw-4AnnM_W(d76w%%_(B%zw9yVfU~Y_LkbyMjFFD zT%<&*y#M$$syO1~L3#_?QiBTGJ=rKb zfAck{V4lp^+qoNCICfd<3|cQaK zTxu!tW^O5gKPiS-xoobgkEHSHVsqCXx_t5FIUhHdEqMQm;o_@96u0C)t zqw+WPwi{GXDY7MGREn5&u$1EIueICM2X14lXX`-i>N#{eR?lkGWn9#abw`Vg8rQ*6 z`jfr3xG!ZKTPpiDtOjm3!+jCQ$)LjBvYbQdH@oWcuHLy1GAh?ta2r&B`%J8H%B7ct zhewmByP_mty=}Qo8Qgvb{5_Uxu|sYEKNG;?L)Zoll8`u~T2os^2l&L}%k3n-kMVqi zh37MYJkF524dh>X$(G7xjLP3Nr1CcCjbKpu_Rp5v{EelLGq7h}Vv%wjV9!ddes}ym xJ2Ca_L2=Ff(vH^OGFoRgru8<^LX(hrS|`6^i|%rU?s^NlvoJ@aY>s%2`+q)NiN62< literal 0 HcmV?d00001 diff --git a/tests/imap-detection/test.yaml b/tests/imap-detection/test.yaml new file mode 100644 index 000000000..c20df3c98 --- /dev/null +++ b/tests/imap-detection/test.yaml @@ -0,0 +1,25 @@ +requires: + min-version: 8 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + app_proto: imap + dest_ip: 131.151.37.122 + dest_port: 143 + event_type: flow + flow.age: 26 + flow.alerted: false + flow.bytes_toclient: 23493 + flow.bytes_toserver: 3790 + flow.pkts_toclient: 50 + flow.pkts_toserver: 56 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 131.151.32.21 + src_port: 4167
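Review bot: The single check in `tests/imap-detection/test.yaml` ties the protocol-detection assertion to flow accounting, because `app_proto: imap` is matched in the same filter as `flow.age: 26`, `flow.bytes_toclient: 23493`, `flow.bytes_toserver: 3790`, `flow.pkts_toclient: 50`, `flow.pkts_toserver: 56`, `flow.reason: shutdown` and `flow.state: closed`. If any of those counters shifts after an unrelated stream or flow-engine change, the test fails with `count: 0` and nothing indicates whether IMAP detection itself regressed. I would keep the detection check to `event_type: flow`, `proto: TCP`, `dest_port: 143` and `app_proto: imap` (plus the address pair if the capture holds more than one flow), and move the counters into a second `- filter:` entry if they are worth pinning at all. Separately, the capture is cleartext IMAP on port 143 taken from a public ticket, so it is worth confirming that it carries no live credentials or personal mail, which cannot be verified from the patch text.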