Feature #3261
openSMTP quoted-printable Decoding of Message Body
Description
In attempting to write signatures for a quoted-printable decoded message body (not an attachment) I find that signatures do not fire as expected.
FWIW, I've observed the same issue for base64 encoding of the message body as well. https://redmine.openinfosecfoundation.org/issues/3260 has been opened to address that.
I have attached a zip that contains pcap, IDS output, rules, etc.
The pcap has two different tcp sessions, one which includes only a quoted-printable message body (tcp.port 44240), and another that includes the same quoted-printable data as an attachment (tcp.port 44242). This was done to validate that quoted-printable decoding of SMTP attachments worked and could be triggered via the file_data keyword as expected.
The pcap was captured while using python scripts to read an EML and send it to a python "SMTP Sink". I then used tcprewrite to rewrite the src/dst IPs from 127.0.0.1 to something more representative of the traffic I'm attempting to signature.
Please let me know if anything else is required.
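Added example, not code from this issue or from Suricata: a small quoted-printable decoder for a non-attachment SMTP body, run over a constructed DATA payload, showing why a content pattern that spans a soft line break or an `=XX` escape misses the raw body but matches the decoded one. The decoder is written out (rather than using the stdlib `quopri` module) so the two RFC 2045 rules are visible; the message and the `split_message`/`pattern_hits` helper names are assumptions.

```python
import re
# Constructed sample of an SMTP DATA payload: a quoted-printable message
# body with no attachment, the case the issue describes (tcp.port 44240).
SAMPLE_DATA = (
    "From: sender@example.test\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "Please open the attached invoice and confirm the pay=\r\n"
    "ment via the portal at http://example.test/=3Fid=3D42\r\n"
    "Re: r=C3=A9sum=C3=A9 attached\r\n"
)
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
def split_message(data: str):
    """Split raw DATA into a lower-cased header dict and the body string."""
    head, _, body = data.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body
def decode_qp(body: str) -> bytes:
    """RFC 2045 6.7: '=XX' is one byte in hex; a trailing '=' is a soft line
    break that joins the next line. Returns the decoded body as bytes."""
    out = bytearray()
    lines = body.split("\r\n")
    for idx, line in enumerate(lines):
        line = line.rstrip(" \t")          # trailing blanks are never meaningful
        soft = line.endswith("=")
        if soft:
            line = line[:-1]
        i = 0
        while i < len(line):
            if line[i] == "=" and HEX2.fullmatch(line[i + 1:i + 3]):
                out.append(int(line[i + 1:i + 3], 16))
                i += 3
            else:                           # literal byte (or a stray '=')
                out += line[i].encode("latin-1")
                i += 1
        if not soft and idx < len(lines) - 1:
            out += b"\r\n"                  # hard line break survives decoding
    return bytes(out)
def pattern_hits(pattern: bytes, data: str):
    """(hit on raw body, hit on decoded body) for a content-style byte pattern."""
    headers, body = split_message(data)
    raw = body.encode("latin-1")
    cte = headers.get("content-transfer-encoding", "").lower()
    decoded = decode_qp(body) if cte == "quoted-printable" else raw
    return pattern in raw, pattern in decoded
```

A rule matching on the raw body therefore sees `pay=\r\nment` and `=3Fid=3D42`, while the same pattern fires once the body is decoded the way attachments already are for `file_data`.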
Updated by Andreas Herz about 5 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien about 5 years ago
- Related to Feature #3260: SMTP Base64 Decoding of Message Body added
Updated by Jeff Lucovsky about 4 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
Updated by Philippe Antoine about 1 year ago
- Related to Task #6443: Suricon 2023 brainstorm added