zeek/testing/btest/scripts/base/protocols/smtp/mime-extract.test

# @TEST-REQUIRES: grep -q '#define HAVE_LIBMAGIC' $BUILD/config.h
# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
# @TEST-EXEC: btest-diff smtp_entities.log
# @TEST-EXEC: btest-diff smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
# @TEST-EXEC: btest-diff smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT SMTP::extraction_prefix="test"
# @TEST-EXEC: test -e test_10.10.1.4:1470-74.53.140.153:25_1.dat
# @TEST-EXEC: test -e test_10.10.1.4:1470-74.53.140.153:25_2.dat

@load base/protocols/smtp

redef SMTP::extract_file_types=/text\/plain/;

event bro_init()
	{
	Log::remove_default_filter(SMTP::ENTITIES_LOG);
	Log::add_filter(SMTP::ENTITIES_LOG, [$name="normalized-mime-types",
									  	$pred=function(rec: SMTP::EntityInfo): bool
		{
		if ( rec?$mime_type )
			rec$mime_type = "FAKE_MIME";
		return T;
		}
	]);
	}