Support #1818

smtp - extraction multiple attachments

Added by valentin giraud over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hi,

I am trying to reconstitute all files attached to an email. It works if I put one file per mail. But if I put more than one, it is not reconstituted correctly, or not at all.
I use this simple rule:

alert smtp any any -> any any (msg:"FILE store all"; filestore; sid:300; rev:1;)

In the configuration file (suricata.yaml), here is the app-layer part:

    smtp:
      enabled: yes
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
      inspected-tracker:
        content-limit: 1000
        content-inspect-min-size: 1000
        content-inspect-window: 1000

I tried to modify these values and it was not very efficient.

I attach one pcap of a mail with 2 attachments. It is not reconstituted at all for this one...

Any idea? Is it a misconfiguration on my part, or does Suricata not handle multiple attachments?

WorldCitizen.

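The check a practitioner would want alongside a ticket like this is an independent count of what the mail on the wire actually carries, to compare against what the filestore rule produced. The script below is an added example, not Suricata's code and not the reporter's pcap: it takes the client side of an SMTP session (a constructed sample with two base64 attachments, "a.jar" and "b.wav", whose contents are made up), strips the DATA payload out of the command stream with dot-stuffing removed, and lists every MIME attachment with its decoded bytes.

```python
"""Added example (not Suricata's code): pull the DATA payload out of the
client side of an SMTP session and list every MIME attachment it carries,
so extraction results can be checked against what the mail really contains."""
import base64
from email import message_from_bytes
from email.policy import default

# Constructed sample mail with two base64 attachments; names and bytes are made up.
JAR_BYTES = b"PK\x03\x04fake-jar-content"
WAV_BYTES = b"RIFF\x00\x00\x00\x00WAVEfake-wav-content"
SAMPLE_CLIENT_STREAM = b"\r\n".join([
    b"EHLO c.example", b"MAIL FROM:<a@example.com>", b"RCPT TO:<b@example.com>",
    b"DATA",
    b"From: a@example.com", b"Subject: two attachments", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="XYZ"', b"",
    b"--XYZ", b"Content-Type: text/plain", b"",
    b"see attached", b"..this line was dot-stuffed by the client",
    b"--XYZ", b'Content-Type: application/java-archive; name="a.jar"',
    b'Content-Disposition: attachment; filename="a.jar"',
    b"Content-Transfer-Encoding: base64", b"", base64.b64encode(JAR_BYTES),
    b"--XYZ", b'Content-Type: audio/wav; name="b.wav"',
    b'Content-Disposition: attachment; filename="b.wav"',
    b"Content-Transfer-Encoding: base64", b"", base64.b64encode(WAV_BYTES),
    b"--XYZ--",
    b".",  # end-of-data terminator: a line holding a single dot
    b"QUIT", b"",
])

def extract_data_payload(stream: bytes) -> bytes:
    """Return the bytes sent between DATA and the lone-dot terminator, with
    SMTP dot-stuffing removed (RFC 5321 section 4.5.2)."""
    start = stream.index(b"DATA\r\n") + len(b"DATA\r\n")
    end = stream.index(b"\r\n.\r\n", start - 2)  # start-2 also catches an empty body
    lines = stream[start:end].split(b"\r\n")
    return b"\r\n".join(l[1:] if l.startswith(b".") else l for l in lines)

def list_attachments(message: bytes) -> list[tuple[str, bytes]]:
    """Parse a MIME message and return (filename, decoded bytes) for each
    attachment; get_payload(decode=True) undoes base64/quoted-printable."""
    msg = message_from_bytes(message, policy=default)
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()]

def attachments_from_stream(stream: bytes) -> list[tuple[str, bytes]]:
    return list_attachments(extract_data_payload(stream))

if __name__ == "__main__":
    for name, data in attachments_from_stream(SAMPLE_CLIENT_STREAM):
        print(f"{name}: {len(data)} bytes")
```

Fed the reassembled client stream of a real capture instead of the constructed sample, the list it returns is the set of files a filestore rule should have written out.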

Files

smtpExtJarWav.pcap (6.33 KB) - pcap: mail with attachments "jar and wav extension" - valentin giraud, 06/21/2016 07:56 AM