Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Smtp tests lf conditions/v2 #1397

Closed
wants to merge 7 commits into from
Closed

Smtp tests lf conditions/v2 #1397

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
6917690
smtp: add test for bug 6053
inashivb May 30, 2023
90e416e
smtp: add test for long DATA post boundary
inashivb May 5, 2023
266a2a2
smtp: add test for cmd after long line w LF
inashivb May 6, 2023
76d13d2
tests: add test for smtp LF post line limit
inashivb Feb 8, 2023
96d4ae0
workflows: add debug info [DISCARD]
inashivb Sep 28, 2023
6f9fd6f
nss test
inashivb Oct 3, 2023
cd0e271
fix test setting
inashivb Oct 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/builds.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ jobs:
make -j2
- name: Running suricata-verify
working-directory: suricata
run: python3 ../run.py --quiet --outdir /tmp/sv-output
run: python3 ../run.py --debug-failed --quiet --outdir /tmp/sv-output

almalinux:
name: AlmaLinux 8
Expand Down Expand Up @@ -150,4 +150,4 @@ jobs:
make -j2
- name: Running suricata-verify
working-directory: suricata
run: python3 ../run.py --quiet
run: python3 ../run.py --quiet --debug-failed
12 changes: 12 additions & 0 deletions tests/smtp-bug-5981/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# Test Description

This test shows how we handle long DATA lines for SMTP.

## PCAP

PCAP comes from ttps://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
and has been modified to have a really long DATA line (6512 Bytes).

## Related issues

https://redmine.openinfosecfoundation.org/issues/5981
Binary file added tests/smtp-bug-5981/input.pcap
View file
Open in desktop
Binary file not shown.
14 changes: 14 additions & 0 deletions tests/smtp-bug-5981/suricata.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
%YAML 1.1
---

outputs:
- eve-log:
enabled: yes
types:
- files
- smtp
- anomaly
- file-store:
version: 2
enabled: yes
force-filestore: yes
68 changes: 68 additions & 0 deletions tests/smtp-bug-5981/test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
requires:
features:
- HAVE_NSS
min-version: 7

args:
- -k none
- --simulate-ips

checks:
- filter:
count: 0
match:
event_type: anomaly
src_ip: 192.168.1.4
src_port: 3326
dest_ip: 217.12.11.66
dest_port: 587
proto: TCP
pkt_src: wire/pcap
tx_id: 0
anomaly.app_proto: smtp
anomaly.type: applayer
anomaly.event: TRUNCATED_LINE
anomaly.layer: proto_parser

- filter:
count: 1
match:
event_type: fileinfo
fileinfo.filename: winmail.dat
fileinfo.sha256: 5f41c213e35d8421647181cc9b8925a5b2ab34c23102907581214fd574157fff
fileinfo.size: 10451

- filter:
count: 1
match:
event_type: smtp
src_ip: 192.168.1.4
src_port: 3326
dest_ip: 217.12.11.66
dest_port: 587
proto: TCP
pkt_src: wire/pcap
tx_id: 0
smtp.helo: Percival
smtp.mail_from: <[email protected]>
smtp.rcpt_to[0]: <[email protected]>
email.status: PARSE_DONE
email.from: '"Xxxxxx xxxx" <[email protected]>'
email.to[0]: <[email protected]>
email.subject: Testing testing 1 2 3 (Multiple attachments)
email.x_mailer: Microsoft Office Outlook, Build 11.0.5510
email.date: Sat, 14 Jul 2007 10:31:37 +0200
email.subject_md5: 3b37c0a6fd82b99b144a7be7274f03f5

- filter:
count: 1
match:
event_type: smtp
src_ip: 192.168.1.4
src_port: 3326
dest_ip: 217.12.11.66
dest_port: 587
proto: TCP
pkt_src: stream (flow timeout)
tx_id: 1
smtp.helo: Percival
12 changes: 12 additions & 0 deletions tests/smtp-bug-5989/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# Test Description

This test shows that currently the command followed by a long line (>4k) is skipped even
if it has LF. This is incorrect.

## PCAP

Locally modified.

## Related issues

https://redmine.openinfosecfoundation.org/issues/5989
Binary file added tests/smtp-bug-5989/input.pcap
View file
Open in desktop
Binary file not shown.
12 changes: 12 additions & 0 deletions tests/smtp-bug-5989/test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
min-version: 7

args:
- -k none
- --simulate-ips

checks:
- filter:
count: 1
match:
event_type: smtp
smtp.helo: "Percival"
3 changes: 3 additions & 0 deletions tests/smtp-bug-6053/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
input.pcap: smtp-too-long-command.syn
flowsynth.py -f pcap -w $@ $^

15 changes: 15 additions & 0 deletions tests/smtp-bug-6053/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# Test Description

This test shows that SMTP long lines should be handled per direction.
Currently, we track long lines in one variable per state.
In this test, as EHLO comes after the long line, it is ignored by the
parser and EHLO command is not logged. It has been fixed as a part of
the fix for redmine ticket 6053

## PCAP

Locally generated.

## Related issues

https://redmine.openinfosecfoundation.org/issues/6053
Binary file added tests/smtp-bug-6053/input.pcap
View file
Open in desktop
Binary file not shown.
16 changes: 16 additions & 0 deletions tests/smtp-bug-6053/smtp-too-long-command.syn
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
flow default tcp 1.1.1.1:5555 > 2.2.2.2:25 (tcp.initialize; mss:9000;);
default < (content:"220 smtpblah.mailserver.xxx.com ESMTP AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZ";);
default > (content:"EHLO Simone\x0d\x0a";);
default < (content:"250-smtp001.mail.xxx.xxxxx.com\x0d\x0a";);
default > (content:"AUTH LOGIN\x0d\x0a";);
default < (content:"334 VXNlcm5hbWU6\x0d\x0a";);
default > (content:"Z2FsdW50\x0d\x0a";);
default < (content:"334 UGFzc3dvcmQ6\x0d\x0a";);
default > (content:"VjF2MXRyMG4=\x0d\x0a";);
default < (content:"235 ok, go ahead (#2.0.0)\x0d\x0a";);
default > (content:"MAIL FROM: <[email protected]>\x0d\x0a";);
default < (content:"250 ok\x0d\x0a";);
default > (content:"RCPT TO: <[email protected]>\x0d\x0a";);
default < (content:"250 ok\x0d\x0a";);
default > (content:"QUIT\x0d\x0a";);
default < (content:"221 smtp001.mail.xxx.xxxxx.com\x0d\x0a";);
10 changes: 10 additions & 0 deletions tests/smtp-bug-6053/test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
min-version: 7

args:
- -k none

checks:
- filter:
count: 1
match:
smtp.helo: Simone
12 changes: 12 additions & 0 deletions tests/smtp-long-command/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
Description
===========
This test demonstrates that an SMTP line with LF occuring post the hard set line
limit should also raise an anomaly event for TRUNCATED_LINE.

Redmine ticket
==============
https://redmine.openinfosecfoundation.org/issues/5819

PCAP
====
Locally generated
Binary file added tests/smtp-long-command/input.pcap
View file
Open in desktop
Binary file not shown.
22 changes: 22 additions & 0 deletions tests/smtp-long-command/test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
args:
- -k none

checks:
- filter:
count: 1
match:
dest_ip: 83.215.238.27
dest_port: 25
event_type: smtp
pcap_cnt: 73
pkt_src: wire/pcap
proto: TCP
smtp.helo: OBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAHOBLAH
src_ip: 192.168.164.35
src_port: 59096
tx_id: 0
count: 1
match:
event_type: anomaly
anomaly.app_proto: smtp
anomaly.event: TRUNCATED_LINE