Support #1818 (closed)
smtp - extraction multiple attachments
Description
Hi,
I am trying to reconstitute all files attached to an email. It works if I put one file per mail. But if I put more than one, it does not reconstitute well, or not at all.
I use this simple rule:
alert smtp any any -> any any (msg:"FILE store all"; filestore; sid:300; rev:1;)
In the configuration file (suricata.yaml), here is the app-layer part:
  smtp:
    enabled: yes
    mime:
      decode-mime: yes
      decode-base64: yes
      decode-quoted-printable: yes
      header-value-depth: 2000
      extract-urls: yes
    inspected-tracker:
      content-limit: 1000
      content-inspect-min-size: 1000
      content-inspect-window: 1000
I tried to modify these values and it was not very efficient.
I attach one pcap of a mail with 2 attachments. It does not reconstitute at all for this one...
Any idea? Is it a misconfiguration on my part, or does Suricata not handle multiple attachments?
WorldCitizen.
Updated by valentin giraud almost 8 years ago
Related closed issue: https://redmine.openinfosecfoundation.org/issues/1773
I will upgrade my version, you can close this ticket.
Updated by Victor Julien almost 8 years ago
What version did you see the issue with?
Updated by Victor Julien almost 8 years ago
- Tracker changed from Bug to Support
- Status changed from New to Closed
- Target version deleted (3.1.1)
I've tried to see if I can reproduce the issue, but the pcap does not contain a smtp session with attachments.
Closing this ticket. Feel free to reopen with a new pcap if this is still an issue.
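The closing comment hinges on a check worth doing before filing a ticket like this one: does the pcap actually carry an SMTP DATA transfer with MIME attachments, and how many files should filestore produce from it? The following Python script is an added example, not code from the ticket or from Suricata. It builds a constructed pcap of one SMTP session with two attachments, reassembles the client-to-server stream, and lists every MIME part that carries a filename, which is the set of files a filestore rule like the one above should extract (one per attachment). The pcap layout (Ethernet/IPv4/TCP, server on port 25, segments captured in order with no retransmissions) and the sample message are assumptions made for the example.

```python
"""Added example (not from the ticket or Suricata): verify that a pcap holds an
SMTP session with attachments and list what filestore should extract from it.

Assumptions: Ethernet/IPv4/TCP pcap, server on port 25, in-order segments and
no retransmissions. The sample session and attachment bytes are constructed.
"""
import email
import email.policy
import hashlib
import struct
from email.message import EmailMessage

SMTP_PORT = 25

# Constructed attachment contents (not real files).
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n% constructed sample, not a real document\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sample_two_attachment_session():
    """Client side of a constructed SMTP dialogue carrying two attachments."""
    msg = EmailMessage()
    msg["From"] = "a@example.test"
    msg["To"] = "b@example.test"
    msg["Subject"] = "two attachments"
    msg.set_content("see attached")
    msg.add_attachment(SAMPLE_FILES["report.pdf"], maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(SAMPLE_FILES["logo.png"], maintype="image",
                       subtype="png", filename="logo.png")
    # SMTP policy gives CRLF line endings; dot-stuff lines starting with '.'
    data = msg.as_bytes(policy=email.policy.SMTP).replace(b"\r\n.", b"\r\n..")
    return [b"EHLO client\r\n", b"MAIL FROM:<a@example.test>\r\n",
            b"RCPT TO:<b@example.test>\r\n", b"DATA\r\n", data,
            b"\r\n.\r\n", b"QUIT\r\n"]


def build_sample_pcap(payloads):
    """Wrap each client->server payload in an Ethernet/IPv4/TCP frame inside a
    libpcap file (checksums left zero; the parser below ignores them)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    seq = 1000
    for p in payloads:
        tcp = struct.pack("!HHIIBBHHH", 40000, SMTP_PORT, seq, 1,
                          5 << 4, 0x18, 65535, 0, 0)
        ip_len = 20 + len(tcp) + len(p)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + p
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
        seq += len(p)
    return bytes(out)


def smtp_client_stream(pcap_bytes):
    """Concatenate the TCP payload of every segment sent to port 25,
    assuming in-order delivery (no sequence-number reassembly)."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) pcaps are handled")
    pos, stream = 24, bytearray()
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + ip_total]
        if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != SMTP_PORT:
            continue
        stream += tcp[(tcp[12] >> 4) * 4:]
    return bytes(stream)


def extract_attachments(pcap_bytes):
    """Return [(filename, size, sha256)] for every MIME part with a filename in
    the first DATA transfer; [] when the pcap holds no such transfer."""
    stream = smtp_client_stream(pcap_bytes)
    start = stream.find(b"DATA\r\n")
    if start < 0:
        return []
    body_start = start + len(b"DATA\r\n")
    end = stream.find(b"\r\n.\r\n", body_start)
    if end < 0:
        return []
    raw = stream[body_start:end].replace(b"\r\n..", b"\r\n.")  # undo dot-stuffing
    found = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True)
            found.append((name, len(data), sha256_hex(data)))
    return found


if __name__ == "__main__":
    for name, size, digest in extract_attachments(
            build_sample_pcap(sample_two_attachment_session())):
        print(f"{name}\t{size} bytes\tsha256={digest}")
```

Running it against a real capture means replacing the constructed pcap with `open("mail.pcap", "rb").read()`; an empty result is the situation described in the closing comment, and a two-entry result is what a working filestore should mirror on disk, with the hashes giving a quick way to confirm each extracted file is intact.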