Feature #3260


SMTP Base64 Decoding of Message Body

Added by Brandon Murphy almost 4 years ago. Updated over 3 years ago.

Target version:


In attempting to write signatures for the Base64 decoded message body (not an attachment) I find that signatures do not fire as expected.

FWIW, I've observed the same issue for quoted-printable encoding of the message body as well. But intend on opening another issue for that.

I have attached a zip that contains pcap, IDS output, rules, etc.

The pcap has two different tcp sessions, one which includes only a base64 message body (tcp.port 4204), and another that includes the same base64 as an attachment (tcp.port 44228). This was done to validate that base64 decoding of SMTP attachments worked and could be triggered via the file_data keyword as per

The pcap is capturing while using python scripts to read an EML and send it to a python "SMTP Sink". I then used tcprewrite to rewrite the src/dst ips from to something more representative of the traffic I'm attempting to signature.

Please let me know if anything else is required.

Files (32.6 KB) Brandon Murphy, 10/17/2019 06:42 PM

Related issues 2 (2 open0 closed)

Related to Suricata - Feature #3261: SMTP quoted-printable Decoding of Message BodyNewOISF DevActions
Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Actions #1

Updated by Andreas Herz almost 4 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Victor Julien almost 4 years ago

  • Tracker changed from Bug to Feature

I think this would require new keywords.

When looking at the example rules:

alert smtp any any -> any any (msg:"base64 message body test 1"; content:"|22|Elephants|22|"; sid:1; rev:1; classtype:trojan-activity;)
alert smtp any any -> any any (msg:"base64 message body test 2 includes file_data"; file_data; content:"|22|Elephants|22|"; sid:2; rev:1; classtype:trojan-activity;)

Sid:1 inspects the raw stream. There is no overloading of this to actually replace with some other buffer, by design.
Sid:2 inspects file_data. This does not include the message, just attachements.

So I think we'd need something like a 'smtp.body' sticky buffer for this, that would indeed base64 decode as needed.

Actions #3

Updated by Victor Julien almost 4 years ago

  • Related to Feature #3261: SMTP quoted-printable Decoding of Message Body added
Actions #4

Updated by Victor Julien over 3 years ago

  • Label Protocol added
Actions #5

Updated by Jeff Lucovsky almost 3 years ago

  • Related to Task #4097: Suricon 2020 brainstorm added

Also available in: Atom PDF