Added test-case for intel framework matching email

Addresses #1507
2025-10-09 18:18:19 +00:00 · 2015-12-16 14:51:02 +01:00 · 2015-12-16 14:51:02 +01:00 · 6f891ca2ff
commit 6f891ca2ff
parent f0a28788ad
2 changed files with 35 additions and 0 deletions
--- a/testing/btest/Traces/smtp-multi-addr.pcap
+++ b/testing/btest/Traces/smtp-multi-addr.pcap
--- a/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -r $TRACES/smtp-multi-addr.pcap %INPUT
+# @TEST-EXEC: btest-diff intel.log
+
+@TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+jan.grashoefer@gmail.com	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
+jan.grashoefer@cern.ch	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
+jan.grashofer@cern.ch	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
+addr-spec@example.com	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
+angle-addr@example.com	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
+name-addr@example.com	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
+@TEST-END-FILE
+
+@load base/frameworks/intel
+@load frameworks/intel/seen
+
+redef Intel::read_files += { "intel.dat" };
+
+event bro_init()
+	{
+	suspend_processing();
+	}
+
+event Input::end_of_data(name: string, source: string)
+	{
+	continue_processing();
+	}
+
+event SMTP::log_smtp(rec: SMTP::Info)
+	{
+	for ( adr in rec$to )
+		{
+		print fmt("Addr: '%s'", adr);
+		}
+	}