Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mime: add tests for bug 6207 #1313

Closed
wants to merge 1 commit into from
Closed

mime: add tests for bug 6207 #1313

wants to merge 1 commit into from

Conversation

inashivb
Copy link
Member

Ticket

If your pull request is related to a Suricata ticket, please provide
the full URL to the ticket here so this pull request can monitor
changes to the ticket status:

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6207

Previous PR: #1312

Changes since v4:

  • Add file.data rule to match on file content for test bug-6207-2

@inashivb inashivb mentioned this pull request Jul 13, 2023
Closed
catenacyber
catenacyber approved these changes Jul 13, 2023
View reviewed changes
Copy link
Collaborator

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good :-)

catenacyber
catenacyber reviewed Jul 13, 2023
View reviewed changes
tests/bug-6207-2/README.md
=Mg
==
```
should ideally get decoded to `42` as demonstrated in this test.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as NA==Mg== gets decoded into 42 as well (whatever the line feeds)

catenacyber
catenacyber reviewed Jul 13, 2023
View reviewed changes
tests/bug-6207-2/invalid-base64-mime.syn
default < (content:"250 2.1.5 Ok\x0d\x0a";);
default > (content:"DATA\x0d\x0a";);
default < (content:"354 End data with <CR><LF>.<CR><LF>\x0d\x0a";);
default > (content:"Subject: SMTPbelka-test_sans_name2021-03-08-17:28:53-221a0d8d17b3b41e28ec113dcabb55da7bdb03a8c0bb5d3de252f5d69347aa4d.zip\x0d\x0a";);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could change the dummy subject

catenacyber
catenacyber reviewed Jul 13, 2023
View reviewed changes
tests/bug-6207-2/invalid-base64-mime.syn
default > (content:"\x0d\x0a";);
default > (content:"\x0d\x0a";);
default > (content:"--KkK170891tpbkKk__FV_KKKkkkjjwq\x0d\x0a";);
default > (content:"Content-Type: application/zip;\x0d\x0a";);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is no longer a zip ;-)

catenacyber
catenacyber reviewed Jul 13, 2023
View reviewed changes
tests/bug-6207-2/suricata.rules
@@ -0,0 +1 @@
alert tcp any any -> any any (msg: "Test file content"; file.data; content:"42"; sid:1;)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add filesize: 2 keyword to ensure the file is exactly 42 ant not having 42 as a substring ?

@catenacyber catenacyber added the requires suricata pr Depends on a PR in Suricata label Jul 13, 2023
@victorjulien victorjulien mentioned this pull request Jul 13, 2023
Merged
@victorjulien
Copy link
Member

Merged in #1315, thanks!

@inashivb inashivb deleted the bug-6207/v5 branch July 14, 2023 05:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber approved these changes

Assignees

@catenacyber catenacyber

Labels
requires suricata pr Depends on a PR in Suricata
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@inashivb @victorjulien @catenacyber