From 6917690f56eb1b414d59af6e7f20b8a453368bea Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Tue, 30 May 2023 21:05:18 +0530
Subject: [PATCH 1/7] smtp: add test for bug 6053
---
tests/smtp-bug-6053/Makefile | 3 +++
tests/smtp-bug-6053/README.md | 15 +++++++++++++++
tests/smtp-bug-6053/input.pcap | Bin 0 -> 7629 bytes
tests/smtp-bug-6053/smtp-too-long-command.syn | 16 ++++++++++++++++
tests/smtp-bug-6053/test.yaml | 10 ++++++++++
5 files changed, 44 insertions(+)
create mode 100644 tests/smtp-bug-6053/Makefile
create mode 100644 tests/smtp-bug-6053/README.md
create mode 100644 tests/smtp-bug-6053/input.pcap
create mode 100644 tests/smtp-bug-6053/smtp-too-long-command.syn
create mode 100644 tests/smtp-bug-6053/test.yaml
diff --git a/tests/smtp-bug-6053/Makefile b/tests/smtp-bug-6053/Makefile
new file mode 100644
index 000000000..9a0280e70
--- /dev/null
+++ b/tests/smtp-bug-6053/Makefile
@@ -0,0 +1,3 @@
+input.pcap: smtp-too-long-command.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/smtp-bug-6053/README.md b/tests/smtp-bug-6053/README.md
new file mode 100644
index 000000000..713156eda
--- /dev/null
+++ b/tests/smtp-bug-6053/README.md
@@ -0,0 +1,15 @@
+# Test Description
+
+This test shows that SMTP long lines should be handled per direction.
+Currently, we track long lines in one variable per state.
+In this test, as EHLO comes after the long line, it is ignored by the
+parser and EHLO command is not logged. It has been fixed as a part of
+the fix for redmine ticket 6053
+
+## PCAP
+
+Locally generated.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6053
diff --git a/tests/smtp-bug-6053/input.pcap b/tests/smtp-bug-6053/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e2393aad876d5e9f0a5fa888a7c4b123822e1ace GIT binary patch literal 7629 zcmeI%YfMvT7zgmTh#nP{Da>(^>_mtWFQxW^4hjL00!pP|E6M__rCkx|s(_`ipboR4 zcws@o>12YD=z!?}jV2R@C>o{?CzFzCmMlRtFSv=u#ZBj)^S;NNoU_V4?b~VcB+!t5 zfA7DgCwb0~=i3`SkSBWec=-|`3H)->$6>CFq)<5g%*-@vXtsJ#-Pd8YRZc|l2+d{w zEM`LScM^Dbz~jvhq zHpkil#* z6SUms&_6;oJJxHa%!?Zh6+`AB@KwP-}^^Mfz6@iIYRM?$tm=zbvFA4mZ_5&*pYWR*pj4Cj~9QGzIQrw%NKkYe;Mfu z%S+^kVM7Ggn?<43@FX*9?)UB=`AJ$;-h2qJG*Kc8Yj&FgumW#bX{uxknU$tYwg_)D z@h%hgnPj6$tjQ+MI=QiN^X2Oj-?`)79?!Q5j_-$%uL4`o5NoQ1LQBEP%#Dl9TWi&K z)IObkQ8-1(TD#n)fYmb)p;&`HkxouYNLoo;$8$NCt37D^%7@1TpT!5wSHR1M zU{@<~HRn@M6~Yrznb%Rf=)v?>$Dx+Z~uuYpx#sVU|qK*9p!W0o#3=m z=qw%UHWA&qO%z%NWM(dpD62wy0+PFzsi*&(ZRbYIUA|1vTRH&LShk+X#(hj7cuVj^J=on^zNg(79iSe@DRHdq zgxeI5ErHLPT%n@v`3q>Poi^rLjAnXnuv{vW%0dZq?KY12TWXMf$4J&^^(|X>^O=I9 ztD(R`%rp?DW(S2BJ2R@*(Cbfcs=78@YMqHwl33=KZc~6cdI}+JY*I3?*6;*4E9(3fd?HQzphL33ho6g`(j}W-^QZ+IKJ9 zZ({A7p`AEI#$tQirT})!TKpXdof1<>9cPNZb-yjJ!FyF~y+;J!Bsh8|6j+8$3y3Lb zKZSJQVdjbJvUS2;Q*Bt&v~rxXlr??rHU&(<@QF@~)9Gn_%B%Wfj3y&|OJtH36>b;w*7_cc)nK96{M$M^m^sifgT#kJCWY?89g zT@W-!QowW?zQ|JzNqX{L-aE#Lwr#j_`(AND#`}k=ca7On1-y7U7I_kptA)G9I(6Ib z>}|Nwzxx+OJ5G7sHI}4+C~pO{BwvJY8;*624L`wI=S`Y^F7SDx`Pz!erF^U4+~v^T KVaA#@jL<((78(Np literal 0 HcmV?d00001 diff --git a/tests/smtp-bug-6053/smtp-too-long-command.syn b/tests/smtp-bug-6053/smtp-too-long-command.syn new file mode 100644 index 000000000..30a2446bb --- /dev/null +++ b/tests/smtp-bug-6053/smtp-too-long-command.syn 
@@ -0,0 +1,16 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:25 (tcp.initialize; mss:9000;); +default < (content:"220 smtpblah.mailserver.xxx.com ESMTP AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZ";); +default > (content:"EHLO Simone\x0d\x0a";); +default < (content:"250-smtp001.mail.xxx.xxxxx.com\x0d\x0a";); +default > (content:"AUTH LOGIN\x0d\x0a";); +default < (content:"334 VXNlcm5hbWU6\x0d\x0a";); +default > (content:"Z2FsdW50\x0d\x0a";); +default < (content:"334 UGFzc3dvcmQ6\x0d\x0a";); +default > (content:"VjF2MXRyMG4=\x0d\x0a";); +default < (content:"235 ok, go ahead (#2.0.0)\x0d\x0a";); +default > (content:"MAIL FROM: \x0d\x0a";); +default < (content:"250 ok\x0d\x0a";); +default > (content:"RCPT TO: \x0d\x0a";); +default < (content:"250 ok\x0d\x0a";); +default > (content:"QUIT\x0d\x0a";); +default < (content:"221 smtp001.mail.xxx.xxxxx.com\x0d\x0a";); diff --git a/tests/smtp-bug-6053/test.yaml b/tests/smtp-bug-6053/test.yaml new file mode 100644 index 000000000..88353dbd5 --- /dev/null +++ b/tests/smtp-bug-6053/test.yaml 
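Review bot: The 220 banner in the first `default <` line of smtp-too-long-command.syn ends in `...Z";);` with no `\x0d\x0a`, unlike every other content line in the file, and nothing in the file says this is deliberate. It presumably is, since it leaves the over-long to-client line unterminated when the client's `EHLO Simone` arrives, which is the per-direction condition the README describes. Because the Makefile regenerates input.pcap from this file, a later edit that "fixes" the missing CRLF would silently change what the test exercises. I would add a comment above that line, for example `# 220 banner is intentionally sent without CRLF: the to-client long line must still be open when EHLO arrives (bug 6053)`.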
@@ -0,0 +1,10 @@
+min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ smtp.helo: Simone
From 90e416e69780f44a5668781a022475839757ee77 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Fri, 5 May 2023 13:54:15 +0530
Subject: [PATCH 2/7] smtp: add test for long DATA post boundary
---
tests/smtp-bug-5981/README.md | 12 ++++++
tests/smtp-bug-5981/input.pcap | Bin 0 -> 38789 bytes
tests/smtp-bug-5981/suricata.yaml | 14 +++++++
tests/smtp-bug-5981/test.yaml | 65 ++++++++++++++++++++++++++++++
4 files changed, 91 insertions(+)
create mode 100644 tests/smtp-bug-5981/README.md
create mode 100644 tests/smtp-bug-5981/input.pcap
create mode 100644 tests/smtp-bug-5981/suricata.yaml
create mode 100644 tests/smtp-bug-5981/test.yaml
diff --git a/tests/smtp-bug-5981/README.md b/tests/smtp-bug-5981/README.md
new file mode 100644
index 000000000..4d4bd09e6
--- /dev/null
+++ b/tests/smtp-bug-5981/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows how we handle long DATA lines for SMTP.
+
+## PCAP
+
+PCAP comes from ttps://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
+and has been modified to have a really long DATA line (6512 Bytes).
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5981
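Review bot: The single check in tests/smtp-bug-6053/test.yaml matches only `smtp.helo: Simone` and does not pin `event_type: smtp`, whereas the other SMTP tests in this series do. Adding `event_type: smtp` under `match:` keeps the `count: 1` from being satisfied or broken by some other record type that carries SMTP metadata. Since the scenario is an over-long to-client line, a second filter asserting whatever anomaly event that line is expected to raise on this version (if any) would also show that the fix did not stop the long line itself from being reported.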
diff --git a/tests/smtp-bug-5981/input.pcap b/tests/smtp-bug-5981/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..64e9c59d0b23c9a58ab24e932121ae82aae05a0d GIT binary patch literal 38789 zcmeHwYpmMiO? zNww?zNRuZ0(Mb`cc9YsE;2%xU28L@RZP21qw}0x^MQa!_f*NhwB1mf(=oE2kAfEB< zTBLZ6j*iZ`clt@e3EG}}^`E@pOTFonKZ2T2PfsBJ6Nu{%{{26MC$oi8P}b+2{#qNkO5X?ye|0a{67UPJ z{wpT|pE*jvpFjfMfeH9P5)u$&?%te$fFG}uY9$*ilrmy5C>IF)HkuMwD&gLP{^CFO`67{Mu+}J!I^$TcU9ZMny>AAcFYM(S z(y;QU4$|L0Li&C{+5x@&SN@jI*9xZ>-Fl31^}S_}5wV`Y`TM7e*ZmIQd=_#3_UBxj z)l7QViFDVUv9ibM2YviruHlTUKj7ee`3UE;fO7?U>!W|}^VJ6Fu+&huQYQMmi}kIb z@5ajc%&T8_u>SWWPFH|6;Z&&i!sE_{IsOD3DSNq=Ztm4@I=Vi8QWvEAhai8#kyvm# zd@g8CgIZ75y1{2Y5WdIUW1e-v20(dzFV_eV)t8Zg$G&kyKmrJO2?+S$+yAo9ClRp_ zOsgg7e(-}%b=|z+)!KWj;ZM2I{2)Z(nZIl4U|#(*CmmlpO23dJ?Z_tgL9K>qp>WE&v=CTM%^SN;bSQ&J&r^4|`+yh3}8%=l|>aghD9 zBV@k`$UcI|tY3%95Q|nN|<1HH4n zAFSw$Wq)D@m-~Gv7!F2)&q%A$vTu#_ptf9Uo!(fVEEiB+cx|cQ5064_|aV7t?Bbce>%Az4BdkuZaP_llDn0y1scYVdTqX>$Ni1o z{mFp;E$!)Q($(hM=byd{+w&hP>YJqucYKIp7!>#kaS1NYgztruTq2%|GfxNnjk^-G zlluIAQ0jN))5X+S21|y~@94qOYB`!>wP#oTQ8yR@824ha5MZhF=3oWxij%IsxgR7Q zLm1XfGAN6o=87yU_3^UV?d5mFrIE0o2a5)g^v8OsAlwhi^J#b0(Yrx*dl2LPan&D4YaNf0Ry8q@h$Ti(O_k;F%&@i=pq zz&ve@wEhJ1rPI^q3w`Wj zP=JD(2}*w~_+8@DENj&7XiF$u^muW1InfOSI?=}Z^H1CTiPLlHYRlV!wzY*Gk6xyQ z?=P(BqK{hdAC!93Y(NP+r9I%+b4g0Lb(65vSD2qUFZjuo|faU1ZrBgJ)VqL`I>+G=yLQahrK2rq#45@_O+#3lqDg>6BINgx*3 zY%+HCgyBC6FMcTA~FwjwW?c_9>PXH~0{*^I@51Fs1Cj*Cpp9)}H0&l>R_lZ-ii27|%7u!W7V3qCd8r(t*BCQV zrX>dhB;DJpc4f{DmGNfSZ%UM`L1`v~bw$eK4Lo6${S#4=Cs8L=PAYj~ORnrlz1wSN zYpbrn#+vosy1k7JKth_GZUy{K2yjDK(4f424HwT7k%a=Gy3AUrF)ty+BK(j_+RAi0 zD#av3o{%Z&jEi<_Cv1y`xW((|?aaWLfinYV2F?te88|a=X5h@gnSnC{X9ms;oEbPX zaAx4lz?p&XD+A~*{9*9FyaLWLlw<$P8^2oqnB#x>>sS3R9}Rh4ob}K6eDY#fG_zAO zQ}`I^R1!*_7|P6#+6Rzfgi%C^&GUT3FVldz0P%wjnjlDOzjShG3Oh1p9p zPa4^#ILsPl&0difuSm^|M5<)L2mFG)3Ugt0)v~invC{2unN(lvWzBAuoi<>GopjkM z8)F$R%1%UnQ5O|n(O{C73}6B|lb)=VdIMH4cNkKclct2>w+W{@Tp z=IC4NLPZE;E-XmacIUH+nT_(c<6v;^J)To{X4GN+nlh8l47zh?S`y;6CFB+@Na>iD 
z2jQVDCK#J1a#Us=Jrdz7m6U8l3Tz@5Wrl`uj;IRb&f;S}u%&WMWvMn5B?>nqya99W zZ3JtkX-qe48~oYN*5j;wNZJubt%|l%Q5b2^;)??%TB?{kiK*^XL12^}iK^8m>=p2D zl>~7MA$wva!uEJc(>EG~WCgZ^%E3?IAi{Wvu%DxcoDl^Vfm0xBLah?;*Mw0?WzyA} zkmk!mC|wz;6{Xr`%hf2!wHc0BSW2U))%BsEHwD}`&L%*5dL?87e$ev~vOC~cnPMz% z`8A136j3&z2DMG7J}gz>NI%rJilDVnqMECyZ5XJe`@-LMvj)ImtoT-l8(NoLnj zc3RBpPU=gmUX}CgOs{QfX`hOKNateer|jBU)4d9G1vLJ6T; zJR51(6NSd2qMD2LVxD9=JGwRLknzlzrwwVAT~v$dgq++-0sm~h94eH~TJu6)Z0F|D zg)ESb6>rPY@u*oz8!NLbtajYE!{n!fRXQ6BnPs(@$n+z8LChp8>zS3$sg$-7vjP7+ zrRFn|S&2=AwzNy-;yE?fs#t|~x6z8GB5vNH{eKsj{jY)TM>%2tKknH7U%YDnfBug= z`~S*wK3`ciWM#v5`f6EjY?PV0D^zJQ#)gNbaJFq$imZ_|&62%Xj7E^oe0@IXudGN_ zRh3*+5fpng6_a$CW(1;#ZKFrBa!u%?ZQSFx2Y7bv5c15tRq6NEm_Mdm)HdSN-1WpaF9Qp zn(zmbl2$JyRZ~?WSoJA|n~A-k<2usQCzk!2|GLBkF*MEdO8ayRt+`OG4+VO$y!sPL0g8r zj6@Q3IypD>bX4LvlkTRs%~)0AMkynr*qKForq0$=t=BT`d|8|Z{JnKQ)#LJ2HMFRP z=tz#UtqtL zE8vMur>Frvi?o^(EmAIz=B;V5JWE%M7y^8|#zx$^{`8!Sy^ z+LWVN+TO>2OlFht!^2$=28T2)D$qPb4q{)B9X~V=-L{y8m@pBzUG!4jQ}_3PH?;ge za=YdKJC5c5g{zkTmp|@V{%^bnuZDhy+eOdBc~fGqgypIuD4BIZH~kSs%gIjZ zc)h8G`;jYxdF{wp1#EjZGqG`}F{632yROf>ZCy_$N*Lzcd62i5EA>@j;^f3ZIHvd@ zrH2IUk1=i~KAvd{zU~QXLeWzR8U^`9L9PRSJi3Sraqdfolh2rX6bFOH>4|9fK`yp& zZr1-!WKeREAUntmjF^!p-B`y5Mr+J@?)1uVX_TUY+diF<>rv^}?&0r{cY??bKb55{4*XR0{cNHhKxH6Bjw) zm5dwIv^qQfLeTO*b-U&Nb;t7mwX2r@CCRh=ul}OXcc2k^%?D?<9UsDT(gAf6^H1nA z7N!N|X1*}Tol*eSXe1@*$wT&dPr#4Ao*=eE40wz-ELTbH2SmqLubv0|9)@ae=5)X~ zux|}5+`kErJY^}AQwT0oiX33doSKE!@RrR(fbA0u3g{<#JyJ*ly)BL!VMgFPk0zgjhKDN zA*K>z#c)J)i4EgNe!RWMgQpS0Q4ULkckOV0$(x4(RHJ24n&)1D1wUW#KBehhRX<4+|}PpMiyUD95usZ}?RCH_-CG_D`=`{$G2{ zvHVXxc;7$zEuYWf%)@+Y@3ser9AU2tg%!)ZXJHPnA0K<^z?294`1>ewh~=0|uMC10 z0ooduNv8*T<46KApqAUjZ4dCyQ*xXtJjY%`8cXwu?P^|nH=yPiMMqFP7QB?=HSfOT z{b_C3f5bl9MQ<8=4j1FCV;z_0H>dRSo<}%>*l>IWb6K=80g2!U$0^&;6Zro2B^`8N zP4xs7!`QKQBcGN|M=twu9QNoRVspKo3cQDZb=-o_9m!tXK`6F~IJUzL`?KB{3-Mt4 z@8qeIE7$o9U=99JsJPy$uxl&1o_S4oR&q^`R&xE${jdD|AIVSt*((e#0&_Oh^&U97 zMc2sD)w{0iB?)!?_*eI;oYl(jyA*Pnxvo9Cn}ey4x> zuB%q+;}whEqL9${W!{@^$$;P*zv 
zha)Mx8}0M;e7YWj&tdzA{jq?*zL0se1SpvAC?kl+8w=vz3&;I!vD{G4uS0M`u=e3N z;xHYD$L{#zFvQ{HhH?H4k+{JyujOJJiOaze^35MuIcTZLmCdWE)Q5jmWJ zWN-8b1^nm{y6^{av5D?ZcflGOF>+v2L8G)kcMR>S6@lqao1}}bKM<~WB7hAqJ|xZ? zVuVq|Vn1S#NSg2LQ%Y<;Za6cekWhI^6M^qeL*4Yk26vylIXFj;V#w(OqR*0^;QSwe zv3VMwcX;CgTS=`?!IuVJN^;sudEleuh%uF&G&%FPY=tc?@+#McRpI5Fxr?SOST&xK z03*fQ9f%FeI81a6!D#Ugj{?accB~!<2DS$B6GhiF`u_MjYYzb%+*KnSYJe*O&zQhCIQPoco=`>Y4kj2WxYIjEl1@3J9B5a@xq`|lF!Rd8JQHQE zHNAq5at&6jH*gwrfhDFOnAviqk#LA&BWkWvt!6_?HOs5XDk}_HD&!{cruT9xc<}V% zY&1-U3Zt}8-Aus94&?eu>aY9F*-#n^{I2%(R&o+EW%q!KYA@`H(ZaT!O(qdrK5%4XA3d4S=H(NCZyZk_(4CuT)9*9Xv z%C^RNwykzX9og!)N)feDqtgA&C`57W0?AXA9*bMMVptU8OxAheOqLhTGb^g*?nkD?zB&!xM{>n2EKmc3N_yuGhzJXb<7j=$x&POO2~I}4%(c4{_EA~ zV1i|^0L*D?kl8HsW<2lG_rkaI5Z-KoWo`7+R(YN@A1bh7{t@ot>?RKyIn+!bhJ&^r zv*KcNvEf|;yfu)v?M%jwX0zlw6YvHdJc*i6BX666gTut$%js=rZS$d7sm{bfW|=yZ z=V}2z{_d=Jb=L}4x3N`a8=IXL3&JgUGvHFnaO_Aprxg$dtilC`9WG8oAlo=Krj~S# z?j}lfH&Ud#y8_)^=jiS{OLr$35P>c>Sd@U@J9_B8Gi!ufWiewjS3t;;zYEkBs<+xq-ZIF|pNS1tdiF5W|V^3y(_p3TrYFMx1#H%`&r zaFXt>Vsv*Frn~(e-PLWntF7p6c?K!$mZo$!Gp4)TfbPUiD#fKBB{|GvEQ6;~;!(Su zmnM*oHmwh;m=@4>n3~st;}C_1z%6GF!>}vVtrWG^X?@=CaGXMc*dES@hr`2g6APDl ziCpaF+KejgOj=)SCvg;Mo?4D$)UqF;mU@U%Y+{4=_n zpCAqggY{@R!4&!nszeWIJp%6n9phkD**ddKla29H zl)5a`PnO54xqvwlDr{GjT(D?^@1MfaC{~s?#qMGo&hx!QLKhBe%WW7i*266{kK2?X z!<$94ksY4GkF`0-U4xziwXY`WoNo~H`L|d_GDj6Of)>$keP%o|1JRHW4$6<-v zP)1`-8->X!6j(y$jZi95EUY;q(V?*?>Z-K?#|TN~m_=fqqp1!BWzn@AHzBy53l0W& znTs;o8``MMPUDzVX-(7@af_9VkKnrL0w?xbS4oU7C_MQ2XD9h0mt&c zsHs3%3cHe0$1#SR5V$2IE(FB=9=DU&i#o(`Q}4&k1qZ{j&C)WK zhR6jE$8me-n|QsKN{!*(tL*~h!clvT7$Uhxs}sqh!Fvc01!#lcy+B>vfz4P)vCg9H zKuhS_*`&1DES00ol+|xC;xd)(2?bs;)5i!da{+TA zRb1bO0dSz@LLAs0APNIeG|=+@7+C&Kz^6G;j=hn0UaI^cTK-pm=BnlYwEG?kcq701 z$37pVrQ)OoT0EK`M-yc^kxOM`Eh!oihhZj4LRO>J%CcgSv&{^=+IJ(Dsbxa+xV(~= zUY>gU3sx^v<8n%^`ANJThxT=8(pqOj%}9S4v0yw^*a|HH=0#b%DiGyn8%LFR@hA_y zSTFV-wv()`0K+uisgLQ-mZuBF>N>itNoBE}R-y$?X{L`ExSE%kpVX?5e;9_V*PW6c zf&2|2w#kl`v-5Z|zJ$?MbuC&wH~u8V-@&p3Gt9Sdbg7|W44@5aI9eJ@meECG)YKcb_Hc^HX6 
z+h43RsZ@EJD&{xI1!X6a;Z>qDgRx6IIiANC`Ye_#Ph(PM5}i|{XgfZPB)0uXVcZM1 zb#pFu*Mh?2Z%?o1DFGjavu&#|w}BoL+3{aodQ7Yi27v!!?=f*6IG*LhbuKr1M4Z=_ zR^X1urEjpo+M!CvsS~g^D7*KNIBySoYqDVOv>&tKOK9jrDHJygds2cN<`FQ317S?9cb9_!i&@W$S^CJ!*4%$u_&r(7`sZ(7%=$~tV%Gfi#jKxpKK*;=%BO#S z;&xqs!_g&P*Y(-olb?L>;9DPp$DIvVv;GA*QulK0^TzyZ{~C4u-T!$~*HfTN^!dUu zCO91iL!o3e%7jwkRB&bm!|`wkR;ObO&w%#$Ual>@eWu#LrMC}0e6;lT_h9Mm7Xa + smtp.rcpt_to[0]: + email.status: PARSE_DONE + email.from: '"Xxxxxx xxxx" ' + email.to[0]: + email.subject: Testing testing 1 2 3 (Multiple attachments) + email.x_mailer: Microsoft Office Outlook, Build 11.0.5510 + email.date: Sat, 14 Jul 2007 10:31:37 +0200 + email.subject_md5: 3b37c0a6fd82b99b144a7be7274f03f5 + +- filter: + count: 1 + match: + event_type: smtp + src_ip: 192.168.1.4 + src_port: 3326 + dest_ip: 217.12.11.66 + dest_port: 587 + proto: TCP + pkt_src: stream (flow timeout) + tx_id: 1 + smtp.helo: Percival From 266a2a2b7d9981d7f9590d28417e4885e6c6582e Mon Sep 17 00:00:00 2001 From: Shivani Bhardwaj Date: Sat, 6 May 2023 17:13:03 +0530 Subject: [PATCH 3/7] smtp: add test for cmd after long line w LF --- tests/smtp-bug-5989/README.md | 12 ++++++++++++ tests/smtp-bug-5989/input.pcap | Bin 0 -> 43755 bytes tests/smtp-bug-5989/test.yaml | 12 ++++++++++++ 3 files changed, 24 insertions(+) create mode 100644 tests/smtp-bug-5989/README.md create mode 100644 tests/smtp-bug-5989/input.pcap create mode 100644 tests/smtp-bug-5989/test.yaml diff --git a/tests/smtp-bug-5989/README.md b/tests/smtp-bug-5989/README.md new file mode 100644 index 000000000..c42af5627 --- /dev/null +++ b/tests/smtp-bug-5989/README.md @@ -0,0 +1,12 @@ +# Test Description + +This test shows that currently the command followed by a long line (>4k) is skipped even +if it has LF. This is incorrect. + +## PCAP + +Locally modified. + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/5989 
diff --git a/tests/smtp-bug-5989/input.pcap b/tests/smtp-bug-5989/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5b7ac08c2b6c9e3334d6517b94a1bc8023c40429 GIT binary patch literal 43755 zcmeHweXKLtd6##yNfT$?Zn9~+X+q*|O4()heP{e_zsZ(8^I>~zk3BQ~Hf+kCp#rf4{vi+qQPij+f&!`vQ6v^MB~r7Sm*<)B z-0SP>d*63=69LkU?&JA>&hPxrInO!sJaguL^*{!%y+pw=6eKo%n#SPcJT96hd1(DvM`|KtT<>TRF-QPhMQAI(4h-LJlq z`nRC*v7dSO{rkatjy4C`qo5~#5Le3uvS*avv5|e?1lePt@5}NN_wOgZ?Px)$FF)zX zDWWGo|LPYJ(Wk$8g6PYLNPg=6{onYQ&le6e!R2^0W0=t0vDP2m-EOxi@Y|V=gF;!V z$N@j`7LNgs0gnNX0gnNX0gnNX0gnNX0gnNX0gnNX0gnNX0gnNXfj7kfdKl4*3BE*I zu6YF$%6~ww;G=(X#w+;8;LrR0fBz5R&TOF+l=VfYztKhkKPr7IDEyU!oH_}8Klkdt zvYmvVKXDTNF*pgIL?_{glHeqaF?Viu5(fNuo>VK@V4;)|i$S?S;J49~xKb%E3eI_1 zl!by=6pI;qKbU02iX=*K7BRjJ@UaKEmhq_aU+s+l(MiUi{OT+B6u|hGzn=5?F4K23 z{s3sp9^_iC@4X6Cf@}1DUCs491#ddhL2O?&y6x=zQTI z*N}#lKe3Vi-U-qV0@4oX?Z5KNK3^-GUUus-#?kkV14hJp2IudcbK&0W0M2I-=WqVD zgR`1R?>mw1rZZL!IQ^iHKgczlarFmmoG+i?d=_x7L2rHZ&wakyARU$(>Q2f;pLejn z6ZGBa0DtDyZ`xS@`w6FOz?!g~*6)Yg?FCExaoAE0axLH7tKYVDeetX=$oCIH`Gg~} z;B@$0(3}Rfp00I+&wMC+m$}P4>wpb_^7=up5g@8BBLRx6&=5bzQZ@R4`_MW0V1 zVj-ATOVYjIM{Jk)_6657es?|mDJPj9gd|=#$hCYhul}i>kFT8M<0asvf#uhL#tE$l z@_|lvfQPGC0x_9sDKRQyGsPvzuFuu{4W^b?SP8y7hP`nxvh ze|G}VLB#fAa*g1(1Iov_1Dr{{t#2sStF4ZD&B@%QN) zD&EaH%Io$(@2u_xEBbQPpP0ebVI2yFgOT7f(t5P&&qjJsTdlNCZ>&#NOK32>w$kqf z%i8L>U?>{Qtw+Hy!z6+s=3XRpFOmpS4D1K|Xt3|p^u@A2o!kqC?!qB%I$42|JC)rG zG>mQa+G0hI`&+&H;eh`g?df{b)fT(wpS}aj^B*nh+m#Gge3W4r6!-~o2`bYHCa{a<5jcU%kPIPBVj!cHVqQ#kM&YPxEGWc)9$*X zcZ2NiD8<9+U@d-^VeW=g@Dm9|lJ=eDJC&l4zQauy3w@-mrT`UlgG(&JL1(P%i% z#iPkoG7=FYJc)8lQb>Z|9UUN7%x%TB)!tX~x7LYpiNeQ`&abf#UX zM)!h=c7KKGUsSB43KY~#Q2OJ+H;GT1%|`u>wt~t71C$k-inKaYQqz76iG-^-Oecpk~kp^T5wm}=)#AMiQvaHq#R}=@eev}Ip zH7(Q&3yV@YL~k%RMN9dx1&-_LgWdVlFqnjwf4fUXox#J?=2n!9s?c&9s?c&9s?c&9s?c& z9s?c&9s?c&9s?c&9s?c&9s}Q31~AI>!w`RY1;S-0r}3A!e!cujJO1+5uf|_K5pttA zo1gai3k3c6n{!qvfhn>NAAN=7a8AKSj;CJ{wq`*ZQ~!@}AQX+lcr%ZWUkMY1L_P1l)g 
zE5Pdo=Wcddb#I3h`h?>gw>G+U-6h~x9ak{hbG*uMVu=cF!4OZocLV0~F@k{q6oVih zVPLhh7!C-U#|R{mhynkNJc#)V3_wBj7{e)oK@<@PP7SgB{or#Sw|C68XhMPU@mnx) zbsLk-4AR7ckG{1jRD>{=!jfby$Dd8iY?Qa`0E2z)sZZVZsDuBSGLyCk-M%s{32|#C z6n)X;h`la7>g%zRAy~G65%VAlx#r`EFu?WhKA!DQ5DAV;$u0mrE*PWsWufQ z3O6Ub0Y3LOf;H1L<{OqR{v5pZ=(P_?d%~zy(NZc3BMn-7aiBy?6>~2!)x9bRjIt+D zwc3QW0`aYqAnxGEfmn&KJzmoEtp-Q30^3355GSw^VLC)O_~@ZzM8QE|SIC-Bs|5Tt zVN_C?bhRd=`LYm7S4L_@sdm|NHA-@Ah9fhqrBT%C#85Dr0^u8b5g%~Q@p{%-@*r?SHt(*1Gr~q-8 z&UmyA_*=V})oiE(sHdUPXtfCsNY%{Iy;{ubwUt7jDQ@#zs5KmO8K2*PKyK80*@2Iya|$Pnyt!v}hv|fi&SjUa=Xryh}@GP4P>t?h#XB+cm zo@)sOGZ0TqK#!o^DM#WIQ((X+xT4m(^lAAt(1zz(3!th6<&# zvqd2mNW&{33O3h~^vl5#KZE2s%#dB(|Rhbpq-9{^#ia2G5_Wwt~?0*AnKgt>V|0&!4 z|NK?^|FeJS+W%Lc^ZClEAuC(H(^t!KW2?;7eW6N=F*ZCbg|lt5Qe=&!X_lX}Ee2O2&t%i}xwWrozCFz+? zOhL|S^~H!U^}7Loq0j(6nq70yYpR3wzOE=`HkP07+G}nT78kXBK0*tlZgh|d*E-`| zT~e4Gujh6NCa1TVRjeqDh1D|I)yL2hS}H`XE5)|4mUiN>!b{WM+RWsd=|NT#m%aQ< z<@iCRmDc3CG>NIDV!N;v#%(IaYb>Lswws91YfH0Ll}l^`ex(#M*ST80+1aXLTC=uh zdc;(A({yw<%1slbJSo;=g7JrF*74N?T2HR)~ybXjidW zC6e3JrhFz^ZSG1PF3$`o*-TYC^GSPC*!JYn+GvIMldZ2?Q7XsGOtra`7ja{rYEM~h80Cu1 zfznDUrE+qZNsTJg&}LcE5^9%lS|ipD`1@k1w%~RKDP%30s^nTJDV9p^RVoweO1a`i})EK?*=*k;lhrL6B( zyF$7eZ-i-axGF0UiA|@d0X>hjniDNjE{_(iX|X&{SB&I*HQ}^MyByh(sM4f+gRo?^ zV~r^vg-#}xF7@{?Iv`9z)brWo+B|`VxBx}MzD-{Tb zRy1XSt%QXWoHdMzV99|U#>MV=q5o3~G)*VT4DS$x!q((Ow9|GM3x{CsT#x42**|ng zh{x`i@UU&;FUK@^=*l8PA{Slyl`}W)+@kHqdu~4Q2DHgEl_U|G&JxiE@9ZZDYtaEe z1zn^JJu@M8zOs-%!op9K7}$@>klAJyy1y(7SHc}YVpE3wjI(dRe#hSDDJ)agw2#<# zz!BKD@4$V7rHM?Nax_a@hZK;>Y!ZHWxC)NJCQXY9bk9(NI2L5b4=h8cFJ>Vn%mgkM zqf}?t`90zdE&q?+Zu$R?ZTWxhs^$O1Pq~)=Td%>(p>J@x7@62_N*t81Ty+E$6zc97 zVcp?3UX16@FGo2%e}Qw96MCkIq@8Gj<2V?@bLv#x1pL`acU!289sF;Ybv$#RTv1$ukBMLbVuL<}kC8(xw ze2PtJt(~XrVRdwaCVxH->>#mPQ;{LYTg*53h5#kJm@qY|hS5-_2w3?N3IB#wJl>6upQXU#KxV*oaW8$roQO5bv>CV;W7Klqq4

#m?C6g`!oQIKC0iU<&3#U zu`#%uo=Ns_$iX(w&HHae1|EnB_Th zzoBhzaE&z{*X3oR>kZIitN1}r7FUAS%YT)Nk_oxAE`jv)$o zDuwbi8@&X!iHj0&YsL*~TAe+AA!zxZy4~{ss%`oI+EvT{lH^+cSAX8;JJJZF=A*sa zwvXZ2`G7WwAxPKEKdCF2K=MY@x6gj}0*)0pL;Vp}c0Q)C+Fcff&bs^w4 z*4bez&$HO8;2K)+rkiZn-K+2z;y7gi&!b>p=eFxhZ0Df37%=C^01EaCsKwpJeM}M8 z0Y7qpngrJDA>vaE$N-AnyP$o;e&fW}x=0*sE(W{p4BS#1@Ol>k@{R&yqr=we8ZqL?29IMYxa(6EP^()P zu42P8=ay3przyMpPCG?z+#~M#90p_pEd$nub9Lb=wg+H9%MTMRe4mHUTcMnKd*1Td z@~@%gf9;=MwfukU5!>=Vb^inZ=r?>mn==>lxwX?D9CL)DDil^M^R9(CK7YFH<^yvc z@Z;~p$T5~vF5Nl^Q3U8~9474%=#5Vjhyk_SCQg5VSDus8T;V>B8q!#s&n#EV(!BsR z$0$02;u3pkkOhwr=EerqhwjaU6#u`UlutcccRE;a`1j!TV0+pzY`= z_KEmxhYOBp-DfPsgZ;l_AR@mRoLU&=gM0u(HFlo6!kJ`3X7 zJ&xUx#2H!PbY*5y$yB-gcfZj*r-!-0+-#Ln6*$@M}5PMtO;2TM$9QzMPP< z1B96T#!_Khhf$$rTSN{$knD}|pnxAELKpEME;i8}cNff|5hF)76*NkRecRBkTM=+~ zS|nX`;(>6!69H^^@&ReykRm)qEDui%5=rx&Lr#gs#|_&v3K^AGG!gjjG}KKmEeQ9? z+oOGqD2D7YAjT}|3Htv4jK$MOg8x$HCDx1f#{YHYRvdaNIjal1|xA zInb|+a|M-A!1Kz3pNTRznqI+MxdtoN8|cPdVvQ*XX0{w@By6JCh?=WZtJ#oJ&GKrp z$_j&)3Z)6W>Ajo^5j?#(9}SbC!YD0Nw-Ye31G&DI`kQ`pK9q(6ziaMwiEOn{p;a5o zMH<{h8)ld9x5}Y*sK=|uR)AS~(`9W~Bg#16YR0nB#h^qL6N!Cz(leU7s9NS)k#3A% zq!RmOF}9aR3kVyEbtTqZcM{oDYqBlXS5mpAOg3s4<~9z6#a!8px-BEC8kVphF>N`u zE)SB+o@MNRc!^oh};j`IZlfd8Ilvn|W%vOt&`Ds@JfxBeq6HY@;)`C#4hbJ>m zVkWa)wbPOtb-g|=74pS7_DCPN-SWTFw){VQ)$)Jl;%yY`gYX%EO1eRp`FPusCl;{3 zA+ia6lVU;N<)+rQ#2U?_I#Vaz)L?4TyYONJl{~NMGfN(;y>xn%P4|*Jz7|=M@@^fX zlJTsrcQ|=C2#X2AN5pC(;7{+Si+PmEHk4FO&2-X6b!3t?zf0)dWqZGbH$cp&Jen<9 zi%nN)RE8-btd-jvtx}xH+_alW&SzS>SfiTJtp>eIA_+AtQOnHMk=3lQ(gr%AsvWIe z?UrPYPjI7RmTU3rTogQSHQp39V{0A}>?dlN5t*(G%WGu}?~*7cJZrnrC44S&-;Dt8 zCA>Go!5agwFScY`BImu1??G(I*5+6OY~tq@crJU`*pjX7oQ^ki>`iEsF+mIx5!N^1sjKn zqnGo`ezwbp=A}9l2bpK;OrEO+{P??{#jE>PxVnq2E4$eIyv*SE4Bia5lrn7F63%G_ zL;F&NjcQ-k@yU5brNd`oqiwzbf;CHtkxbDmw z;Z|A9SWFg6`8nR7r;}o@M(Ym41dRwOTibU&jjz-H5ru()r|Kqmhf6rCR|JjT8 zP@edl&!=ZIw9X449NmpmbT^!&yXzR;ormdee@}OHi|%S`x?7$@4!fl(-OY^YE;pb% zag$1MDac6<%NXn6xtzGv?iQs9oT>b>KKg;UaMA*@H0b3-wuw+UT^t 
zXt+4ep+Ia8=EKF|Vz`Ng%d$i+_6u!JmG&mBZ?v;GiZoBH#xZKuk5DT;M6I+PwW@Ea zRe3|D$}qx$-z8lvEg=0l-OW!BhmB$Oa3#SM`b(-r4{1FD?*g6TVAk0>vr3e$L|(GA zc+Sd)MO!o~zb%xC+l5|+_kImi}g0zicM3= z@aVYBVhw?IIXln8ar(F&mbfitG&ZzRn4Cj_HDu8Ur6R?`h9eRk8oQ#dTU!W>kW`LY zCKfrG>QGP@9oumeg6pMVV}O^rD5JfljmrEyj!Bi)M12{bv68WxBZ8vQ1>WK#BzW!|22AbT0`KZA=YV0Kq>V-R zIDOn^c{$>yk82mhwUiHt02|s{=qDWvTK*Ye4jA_E9CnGp-L4IG<}resOMyzv=I+?z6vIsj zoEj3Bpgq_aB1t#h<29DXa9A{MD+y}eg!W073ZmOzKP(0$Cces32Lu;&@v;vC*=*KAq8^fy2(lXYD$OR9lX}kN|c)gcOjp5p>{Q{K2Nq>zPBDsfa6Um~% zy9f{kXoKH_KwI5|&Dcb-&7$oN@g@gB9!B(8mE?HR5#X8q z#x{{$Ez-vrju0RcK(T>f$0Cf_1`G)FOYJq_Ski_JqlLlc!f{c9zvOV3@``^)cPq@pPeB-9%S4sVuhBO0>W! z&Gab)SIZL1lUf(@55jQuyj{~HP`)9=Hrdm1b`ej;SMan|-H5ZElYSD??_ga55A*E{ zU1}(p0%(I4j+Vw2=zp*eqTmcA?`=uZn^bDE0GT9Hh7n824S49QFiD+WB_wKX<@0Q* zZ|a$zSb}F{tN{;^KBA+Gd3X|mzQ0&!QmOJTRm^XbOUghoB# zJdH`2NpwMtqV4!FlGyblg>f(3*3E_3-3SVkzdgThqy%CV_Oh#jZv!JHvK_y;jF`+i zcmU!Thlq)N!>N}K=egV*5wTxeT0=M>>g}9pV=X;S+|%l89DpsBKAt{p9gJ#2%nbod^jj5IJ@k0fFw+ zUM$k%r?m+SGx3OFo{eW5M>8O&W;Xudd0rBs%_Kxp2ub!C_(I|9`rhB2JI?nmp9Uj! 
zOSJS8c7(HfJ;M1}JM#L(mB{OdK-Y&4a%%Z}cPf7YEuZg~u3Ek?{I>fZ#_xdP4EW)@ zg=j>70@VB@{1Y@3?^Bo$`3=XXy-#6!pThJ$g*kStE_5kq9PNO(_bJTR^D)iu!KX02 z>GKya>v+@Wu|0az=e_Ck-t_tZ52nu_I!|xqG2k)aG2k)aG2k)aG2k)aG2k)aG2k)a zG2k)aG2k)aG2k)qePG}sZs1MwJ!aRNOded_cAAj|x=N|W2 z58A%|n(Bk@xH#`k&%L1H+J-kh7bx+j=Q{P`#_74QV?ryuvh7W*J(_6jvSCkdxn+9s zRr}^mti>A1coS=Z1#e=lW1Yg@#9AOC@~{(Yy(zKRrsZCn2kCbRz8+b6UBf<2iv ze|<9R=j>1aK6d5Pzdw1quD@aH60hs}!tcsY+`s>wkHYQtg0orw9Biovx%PQu{g|^R?W3>0;Ilt>{48j2Cj(#8a`(kAp_Xqyc2>(%_aCi%!sk<}BK*fW zMD*uxMfBpov30%UMAyqUqIUtJl!J%@EwzJOV=n81d?nxZYcHNK_oaJZ`@+jIFcWh6&vrYyHvP?RJX-zn$sW!3zKH?-ur6`~$@LzrS^Y^ Date: Wed, 8 Feb 2023 17:02:29 +0530 Subject: [PATCH 4/7] tests: add test for smtp LF post line limit --- tests/smtp-long-command/README.md | 12 ++++++++++++ tests/smtp-long-command/input.pcap | Bin 0 -> 7770 bytes tests/smtp-long-command/test.yaml | 22 ++++++++++++++++++++++ 3 files changed, 34 insertions(+) create mode 100644 tests/smtp-long-command/README.md create mode 100644 tests/smtp-long-command/input.pcap create mode 100644 tests/smtp-long-command/test.yaml diff --git a/tests/smtp-long-command/README.md b/tests/smtp-long-command/README.md new file mode 100644 index 000000000..2bf3a8082 --- /dev/null +++ b/tests/smtp-long-command/README.md @@ -0,0 +1,12 @@ +Description +=========== +This test demonstrates that an SMTP line with LF occuring post the hard set line +limit should also raise an anomaly event for TRUNCATED_LINE. + +Redmine ticket +============== +https://redmine.openinfosecfoundation.org/issues/5819 + +PCAP +==== +Locally generated 
diff --git a/tests/smtp-long-command/input.pcap b/tests/smtp-long-command/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5b35500d503bb8e0a57e480c71f47127b85880bf GIT binary patch literal 7770 zcmeI1e@t6d6vuBVbmX~CP-h?nTho~7+z)IE`w@&S@Jb&mvHV ztS*@be~fHp;xcuV4r(MBsfIwF~G$^=C@GS;2Kf~-_at6x0IgS*m|V&M&a6g z!WNK9;cXXjnU1!9l}y+IbAOdwnu&jc;8?& zuIdAF-3e2MEHXttkO`?I#6|3;!P`hhIw`(3Z(DjY2K1TZ5B&F5`9Vs42+8qC+ZRX& zvI)t%fLsM5p{aa!3hz*#_bPmz0eXM5z_2uY6?`r_S%?u7_ zgW;B$z`Jw;do(7Hl22g5gG0uExZg=gGb5T(5~fCY4~cy(n#3Z*(%4N&l5d8Q$a;MZ z)`lvd+pGW3HPGWgUj}+A&@-W)3H3~2Lm88eL9``FS?#&FAkTs9w6F+oV&{SO(m!*t$S*8?S zmK1hb#tMwLo|%xkEc-r5Oig$UhCGHF`tUqA6u)>6^rtBO`@7M%Co=TU5EDR`><| zh__mrJGbZ;N5&MP~A|& zrXSy0#qsrAJuCikO+b9!TI~(`cTh)Afv2-HRaPtF6b{ql3&ojHa@MxAp#zRDZr(Y6 z`If{Z;qhZY96V&q>%9xfm#?Z|o=e z8{5#q4J9u?3@lzhCcUxVWMb;_q(tQ5{iCU3z+S_Xgag5?DuT^R|h4-l%FDTTw1o|G3={tS@gYn3z(vv`Z zdH%kP4jRM(O5CYQEX-OL)0>NtI0nR2uOUNJ#hKHx4bM>Dm{I6(0F+&b78)1%5lM%+ hk_1qZ_;nUh!^aP(kIyT7T!2}>DW7%Ou6Sgw literal 0 HcmV?d00001 diff --git a/tests/smtp-long-command/test.yaml b/tests/smtp-long-command/test.yaml new file mode 100644 index 000000000..347b999c9 --- /dev/null +++ b/tests/smtp-long-command/test.yaml 
@@ -0,0 +1,22 @@ +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 83.215.238.27 + dest_port: 25 + event_type: smtp + pcap_cnt: 73 + pkt_src: wire/pcap + proto: TCP + smtp.helo: OBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHO
BLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHO
BLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAH + src_ip: 192.168.164.35 + src_port: 59096 + tx_id: 0 + count: 1 + match: + event_type: anomaly + anomaly.app_proto: smtp + anomaly.event: TRUNCATED_LINE From 96d4ae08a5282836adcb836d6f1ad19c7877f6b4 Mon Sep 17 00:00:00 2001 From: Shivani Bhardwaj Date: Thu, 28 Sep 2023 18:25:42 +0530 Subject: [PATCH 5/7] workflows: add debug info [DISCARD] --- .github/workflows/builds.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 4b4f076a0..360c8b0be 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -83,7 +83,7 @@ jobs: make -j2 - name: Running suricata-verify working-directory: suricata - run: python3 ../run.py --quiet --outdir /tmp/sv-output + run: python3 ../run.py --debug-failed --quiet --outdir /tmp/sv-output almalinux: name: AlmaLinux 8 @@ -150,4 +150,4 @@ jobs: make -j2 - name: Running suricata-verify working-directory: suricata - run: python3 ../run.py --quiet + run: python3 ../run.py --quiet --debug-failed From 6f9fd6fbd51d67743d7dd6448ac36d330ea2c591 Mon Sep 17 00:00:00 2001 From: Shivani Bhardwaj Date: Tue, 3 Oct 2023 13:41:31 +0530 Subject: [PATCH 6/7] nss test --- tests/smtp-bug-5981/test.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/smtp-bug-5981/test.yaml b/tests/smtp-bug-5981/test.yaml index 89f12151b..ea6f53c34 100644 --- a/tests/smtp-bug-5981/test.yaml +++ b/tests/smtp-bug-5981/test.yaml @@ -1,3 +1,7 @@ +requires: + features: + - HAVE_NSS + min-version: 7 args: From cd0e271a42199217bb626d372c836e76913637c8 Mon Sep 17 00:00:00 2001 
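Review bot: In tests/smtp-long-command/test.yaml the second `count: 1` / `match:` pair (the `event_type: anomaly`, `anomaly.event: TRUNCATED_LINE` check) has no `- filter:` line of its own; the hunk header's 22 added lines are all accounted for without one. Indentation is lost in this view, but if the pair sits at the same level as the first, the one filter mapping has duplicate `count` and `match` keys, and YAML loaders typically keep only the last of them. In that case the long `smtp.helo` match would never be evaluated and the test would pass on the anomaly event alone. Add `- filter:` before the second `count: 1` so both checks run.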
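Review bot: Both `run:` lines in .github/workflows/builds.yml gain `--debug-failed` in a commit whose subject is tagged `[DISCARD]`, so these two hunks should be dropped before the series is merged rather than carried into the workflow. If the flag is meant to stay, write it the same way in both jobs; at present one reads `--debug-failed --quiet --outdir /tmp/sv-output` and the other `--quiet --debug-failed`. Both job bodies start and end outside the hunks, so other `run.py` invocations in the file may need the same treatment.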
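Review bot: The `requires: features: - HAVE_NSS` gate added to tests/smtp-bug-5981/test.yaml is combined with `min-version: 7`, and the commit ("nss test") gives no reason for it. If the 7.x builds this test targets do not report HAVE_NSS in their build info (NSS support was, as far as I know, dropped around 7.0; please confirm), the runner will skip the test on every eligible version and the bug 5981 regression check will never execute while CI stays green. The following patch (7/7) only moves `min-version` under `requires:` and keeps the gate. I would remove the `features` entry, or add a comment stating which assertion needs it, for example `# email.subject_md5 is only emitted when built with NSS`, and split that assertion into its own gated test.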
From: Shivani Bhardwaj Date: Tue, 3 Oct 2023 17:56:10 +0530 Subject: [PATCH 7/7] fix test setting --- tests/smtp-bug-5981/test.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/smtp-bug-5981/test.yaml b/tests/smtp-bug-5981/test.yaml index ea6f53c34..007fd5663 100644 --- a/tests/smtp-bug-5981/test.yaml +++ b/tests/smtp-bug-5981/test.yaml @@ -1,8 +1,7 @@ requires: features: - HAVE_NSS - -min-version: 7 + min-version: 7 args: - -k none