detect: add checks for count keyword

catenacyber · catenacyber · commit 23dcf3799332 · 2025-09-25T10:51:58.000+02:00
Ticket: 5044
diff --git a/tests/detect-email-received/test.rules b/tests/detect-email-received/test.rules
@@ -1,3 +1,15 @@
 alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc\; Thu, 10 Apr 2025 12:00:00 -0000"; startswith; endswith; bsize:119; sid:1;)
 alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz\; Thu, 10 Apr 2025 12:01:00 -0000"; startswith; endswith; bsize:126; sid:2;)
 alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123\; Thu, 10 Apr 2025 12:02:00 -0000"; startswith; endswith; bsize:130; sid:3;)
+
+#TODO put in new test with min-version
+# Match
+alert smtp any any -> any any (msg:"Test mime email received count 3"; email.received: count 3; sid:10;)
+alert smtp any any -> any any (msg:"Test mime email received count !2"; email.received: count !2; sid:11;)
+# No match
+alert smtp any any -> any any (msg:"Test mime email received count 0"; email.received: count 0; sid:20;)
+alert smtp any any -> any any (msg:"Test mime email received count <3"; email.received: count <3; sid:21;)
+
+alert smtp any any -> any any (msg:"Test mime email received"; email.received: all; content:"from"; sid: 30;)
+alert smtp any any -> any any (msg:"Test mime email received"; email.received: all1; content:"from"; sid: 31;)
+alert smtp any any -> any any (msg:"Test mime email received"; email.received: nb 2; content:"relay1"; sid: 32;)
diff --git a/tests/detect-email-received/test.yaml b/tests/detect-email-received/test.yaml
@@ -27,3 +27,46 @@ checks:
       email.received[0]: "from client.local (client.local [10.0.0.1]) by smtp.relay1.com with ESMTP id relay1abc; Thu, 10 Apr 2025 12:00:00 -0000"
       email.received[1]: "from smtp.relay1.com (smtp.relay1.com [10.0.0.10]) by smtp.relay2.com with ESMTP id relay2xyz; Thu, 10 Apr 2025 12:01:00 -0000"
       email.received[2]: "from smtp.relay2.com (smtp.relay2.com [10.0.0.20]) by smtp.destination.com with ESMTP id final123; Thu, 10 Apr 2025 12:02:00 -0000"
+- filter:
+    count: 1
+    match:
+      event_type: smtp
+      email.received.__len: 3
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 10
+      # we do not have a way to log email.received in alerts
+      # see https://redmine.openinfosecfoundation.org/issues/7696
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 11
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 20
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 21
+
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 30
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 31
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 32
