Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

btest: Add tests for full email extraction

Browse source
This commit is contained in:
cccs-jsjm 2025-07-14 21:38:47 +02:00 committed by Arne Welzel
parent 4c60dfd6c5
commit 1b3b3892b5
11 changed files with 147 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

22
testing/btest/Baseline/scripts.base.protocols.smtp.rfc822-msg-file-analysis-binary/extract_files.mail Normal file
View file

@ -0,0 +1,22 @@
Content-Type: multipart/mixed; boundary="===============6117237608014356945=="
MIME-Version: 1.0
From: sender@example.com
To: recipient@example.com
Subject: subject
--===============6117237608014356945==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
this is the body
--===============6117237608014356945==
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: message/rfc822
Content-Disposition: attachment; filename="test.msg"
From: <attachment@example.com>
Subject: écureuil
--===============6117237608014356945==--

4
testing/btest/Baseline/scripts.base.protocols.smtp.rfc822-msg-file-analysis-binary/files.cut Normal file
View file

@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
fuid uid mime_type seen_bytes parent_fuid sha1
FCg7geKxxmGkZIjg8 CHhAvVGS1DHFjwGM9 text/plain 16 FtRhTAoOcRvbFX8Gd -
FtRhTAoOcRvbFX8Gd CHhAvVGS1DHFjwGM9 message/rfc822 604 - 6ae7bc45d107228ca00b44d9d93ba7fdcf7255bf

6
testing/btest/Baseline/scripts.base.protocols.smtp.rfc822-msg-file-analysis-multi-mail/files.cut Normal file
View file

@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
fuid uid mime_type seen_bytes parent_fuid sha1
FmBdd33I01LDuH7oUb CHhAvVGS1DHFjwGM9 text/plain 754 FnJaFv4OCDjqLe4uN1 -
FnJaFv4OCDjqLe4uN1 CHhAvVGS1DHFjwGM9 message/rfc822 4404 - ee93d96ae2b5883e8dfe02aca71f799f2b47f1f6
FKgT5hPFZTBbn1lp5 CHhAvVGS1DHFjwGM9 text/x-diff 4069 FkYtTJ1xa6wty5Ldhj -
FkYtTJ1xa6wty5Ldhj CHhAvVGS1DHFjwGM9 message/rfc822 8757 - 43a21580619bc8b129eb50cad9505a8469685149

8
testing/btest/Baseline/scripts.base.protocols.smtp.rfc822-msg-file-analysis-multi-session/files.cut Normal file
View file

@ -0,0 +1,8 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
fuid uid mime_type seen_bytes parent_fuid sha1
F3YoYf2TBYfB6459td CHhAvVGS1DHFjwGM9 text/plain 77 F8cH26hNF5zzM8RRh -
Fsvwh44sJq8mKeeSNf CHhAvVGS1DHFjwGM9 text/html 1868 F8cH26hNF5zzM8RRh -
FYOdN3NHoqhncZZKe CHhAvVGS1DHFjwGM9 text/plain 10809 F8cH26hNF5zzM8RRh -
F8cH26hNF5zzM8RRh CHhAvVGS1DHFjwGM9 message/rfc822 14545 - cfca0a07196a5d62e713d83b73e6290aea90435d
FlvZMD2G66eDZGt16c CUM0KZ3MLUfNB0cl11 text/plain 204 Fc5KpS3kUYqDLwWSMf -
Fc5KpS3kUYqDLwWSMf CUM0KZ3MLUfNB0cl11 message/rfc822 804 - e5409b0c77bae4d71cfddc4023a266d692d48663

22
testing/btest/Baseline/scripts.base.protocols.smtp.rfc822-msg-file-analysis/extract_files.mail Normal file
View file

@ -0,0 +1,22 @@
Content-Type: multipart/mixed; boundary="===============6117237608014356945=="
MIME-Version: 1.0
From: sender@example.com
To: recipient@example.com
Subject: subject
--===============6117237608014356945==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
this is the body
--===============6117237608014356945==
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: message/rfc822
Content-Disposition: attachment; filename="test.msg"
From: <attachment@example.com>
--===============6117237608014356945==--

5
testing/btest/Baseline/scripts.base.protocols.smtp.rfc822-msg-file-analysis/files.cut Normal file
View file

@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
fuid uid mime_type seen_bytes parent_fuid sha1
FmtdjL2OsOZBPttkqk CHhAvVGS1DHFjwGM9 text/plain 16 Fmxhgo3R4TBQaBJPad -
F27fOV1yocRMx48oM4 CHhAvVGS1DHFjwGM9 - 2 Fmxhgo3R4TBQaBJPad -
Fmxhgo3R4TBQaBJPad CHhAvVGS1DHFjwGM9 message/rfc822 586 - f9bc3e476a513159f5c7c5869d47364514605b45

BIN
testing/btest/Traces/smtp/rfc3030-bdat-nonascii.pcap Normal file
View file

Binary file not shown.

22
testing/btest/scripts/base/protocols/smtp/rfc822-msg-file-analysis-binary.test Normal file
View file

@ -0,0 +1,22 @@
# @TEST-DOC: Test case for extracting a mail that has non-ascii text in the mail portion of the file.
#
# @TEST-EXEC: zeek -C -b -r $TRACES/smtp/rfc3030-bdat-nonascii.pcap %INPUT
# @TEST-EXEC: zeek-cut -m fuid uid mime_type seen_bytes parent_fuid sha1 < files.log > files.cut
# @TEST-EXEC: btest-diff files.cut
# @TEST-EXEC: btest-diff --binary extract_files/mail
# @TEST-EXEC: grep -q "[^\x00-\x7f]" extract_files/mail
@load base/files/hash
@load base/files/extract
@load base/protocols/smtp
redef SMTP::enable_rfc822_msg_file_analysis = T;
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{
if ( f$id == c$smtp$rfc822_msg_fuid )
{
Files::add_analyzer(f, Files::ANALYZER_SHA1);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename="mail"]);
}
}

20
testing/btest/scripts/base/protocols/smtp/rfc822-msg-file-analysis-multi-mail.test Normal file
View file

@ -0,0 +1,20 @@
# @TEST-DOC: Test case for extracting multiple mails from the same SMTP session.
#
# @TEST-EXEC: zeek -C -b -r $TRACES/smtp/smtp-bdat-pipeline-8bitmime.pcap %INPUT
# @TEST-EXEC: zeek-cut -m fuid uid mime_type seen_bytes parent_fuid sha1 < files.log > files.cut
# @TEST-EXEC: btest-diff files.cut
@load base/files/hash
@load base/files/extract
@load base/protocols/smtp
redef SMTP::enable_rfc822_msg_file_analysis = T;
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{
if ( f$id == c$smtp$rfc822_msg_fuid )
{
Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
Files::add_analyzer(f, Files::ANALYZER_SHA1);
}
}

17
testing/btest/scripts/base/protocols/smtp/rfc822-msg-file-analysis-multi-session.test Normal file
View file

@ -0,0 +1,17 @@
# @TEST-DOC: Test case for analyzing RFC822 messages from multiple SMTP sessions.
#
# @TEST-EXEC: zeek -C -b -r $TRACES/smtp.trace %INPUT
# @TEST-EXEC: zeek-cut -m fuid uid mime_type seen_bytes parent_fuid sha1 < files.log > files.cut
# @TEST-EXEC: btest-diff files.cut
@load base/files/hash
@load base/files/extract
@load base/protocols/smtp
redef SMTP::enable_rfc822_msg_file_analysis = T;
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{
if ( f$id == c$smtp$rfc822_msg_fuid )
Files::add_analyzer(f, Files::ANALYZER_SHA1);
}

21
testing/btest/scripts/base/protocols/smtp/rfc822-msg-file-analysis.test Normal file
View file

@ -0,0 +1,21 @@
# @TEST-DOC: Test case for extracting a mail that contains attachments.
#
# @TEST-EXEC: zeek -C -b -r $TRACES/smtp-attachment-msg.pcap %INPUT
# @TEST-EXEC: zeek-cut -m fuid uid mime_type seen_bytes parent_fuid sha1 < files.log > files.cut
# @TEST-EXEC: btest-diff files.cut
# @TEST-EXEC: btest-diff --binary extract_files/mail
@load base/files/hash
@load base/files/extract
@load base/protocols/smtp
redef SMTP::enable_rfc822_msg_file_analysis = T;
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{
if ( f$id == c$smtp$rfc822_msg_fuid )
{
Files::add_analyzer(f, Files::ANALYZER_SHA1);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename="mail"]);
}
}