Feature #2561 (Closed)
Add possibility for smtp raw extraction
Description
It may be useful to store a whole email, in raw format, as part of an SMTP extracted file.
The proposed feature adds an optional smtp flag, disabled by default, enabling raw-extraction, allowing an e-mail to be dumped in raw format, headers and any attachment (base64 encoded) included.
Note that, when this feature is enabled, we won't be able to match on the actual content of the attachment (as we are extracting the email in raw form, the attachment will be base64 encoded).
Of course, this will be disabled by default.
I'm a bit unsure about how to document this feature though (in case it is accepted). Any suggestion?
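To illustrate the trade-off the description points out, here is an added example (not part of this ticket or of Suricata's code): it builds a constructed message with a base64-encoded attachment, then shows that a plaintext pattern is found only after MIME/base64 decoding and never in the raw blob that raw extraction would store.

```python
from email import message_from_bytes
from email.message import EmailMessage


def build_sample_email(attachment_text: bytes) -> bytes:
    """Constructed sample: a small message with one base64-encoded attachment,
    roughly what the SMTP DATA section of a session would carry."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    # Bytes content is emitted with Content-Transfer-Encoding: base64.
    msg.add_attachment(attachment_text, maintype="application",
                       subtype="octet-stream", filename="report.txt")
    return msg.as_bytes()


def match_raw(raw: bytes, pattern: bytes) -> bool:
    """Search the raw blob as stored by raw extraction: headers and the
    base64 text are present, but the attachment is not decoded."""
    return pattern in raw


def match_decoded_attachments(raw: bytes, pattern: bytes) -> bool:
    """Search attachment payloads after MIME parsing and base64 decoding,
    which is what matching on the actual attachment content requires."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.get_filename() is None:  # skip non-attachment parts
            continue
        payload = part.get_payload(decode=True)  # base64 -> original bytes
        if payload is not None and pattern in payload:
            return True
    return False


if __name__ == "__main__":
    raw = build_sample_email(b"Project Falcon budget: 1200000")
    print("header visible in raw blob:", match_raw(raw, b"Subject: quarterly report"))
    print("attachment text in raw blob:", match_raw(raw, b"Project Falcon"))
    print("attachment text after decoding:",
          match_decoded_attachments(raw, b"Project Falcon"))
```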
Updated by Andreas Herz over 6 years ago
https://github.com/OISF/suricata/pull/3439
Add the PR link in the future please :) Thanks
Updated by Maurizio Abba about 6 years ago
replaced by https://github.com/OISF/suricata/pull/3455
Updated by Victor Julien about 6 years ago
- Related to Task #2685: SuriCon 2018 brainstorm added
Updated by Victor Julien about 6 years ago
One of the requests at Suricon2018 was to have a clear mapping between extracted bodies and extracted files. Think that is part of this ticket or should we add another for that?
Updated by Maurizio Abba about 6 years ago
I think this would be a different thing. Here, we just treat the whole SMTP flow as a unique blob, and store everything in a file. Another possibility would be to perform base64 decoding and file extraction as usual, and create a separate log with the smtp message content. But the two things are separate.
Updated by Victor Julien almost 6 years ago
- Status changed from New to Closed
- Target version set to 5.0beta1