Feature #3261
openSMTP quoted-printable Decoding of Message Body
Description
In attempting to write signatures for a quoted-printable decoded message body (not an attachment) I find that signatures do not fire as expected.
FWIW, I've observed the same issue for base64 encoding of the message body as well. https://redmine.openinfosecfoundation.org/issues/3260 has been opened to address that.
I have attached a zip that contains pcap, IDS output, rules, etc.
The pcap has two different tcp sessions, one which includes only a quoted-printable message body (tcp.port 44240), and another that includes the same quoted-printable data as an attachment (tcp.port 44242). This was done to validate that quoted-printable decoding of SMTP attachments worked and could be triggered via the file_data keyword as expected.
The pcap was captured while using python scripts to read an EML and send it to a python "SMTP Sink". I then used tcprewrite to rewrite the src/dst ips from 127.0.0.1 to something more representative of the traffic I'm attempting to signature.
Please let me know if anything else is required.
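As an added illustration of the two message shapes in the pcap (example code, not from the reporter's scripts or from Suricata): the script below builds a message whose body is quoted-printable and a second message carrying the same text as a quoted-printable attachment, then shows that a content pattern written against the decoded text never appears in the wire bytes, because the '=' in it travels as '=3D'. Python's email package stands in for the transfer-decoding the report asks the engine to perform; the addresses, subjects and attachment filename are made up, and the sample text is constructed so that the encoder has to escape something.

```python
"""Added example for this ticket (not code from the report or from Suricata):
builds the two message shapes the pcap contains, a quoted-printable message
body and the same text as a quoted-printable attachment, and shows why a
content match written against the decoded text cannot fire on the wire bytes
until the Content-Transfer-Encoding is undone."""
import quopri
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample text. The '=' and the non-ASCII character force the
# quoted-printable encoder to emit =XX escapes, which is what hides the
# pattern from a match on the raw stream.
SAMPLE_TEXT = "Account number: 1234=5678\nPlease pay the caf\u00e9 owner today\n"
PATTERN = b"1234=5678"  # what a rule author would naturally put in content:


def wire_form(text: str) -> bytes:
    """Quoted-printable encoding of a string, i.e. the bytes seen in the DATA phase."""
    return quopri.encodestring(text.encode("utf-8"))


def build_body_message() -> bytes:
    """Message whose body itself is quoted-printable (the tcp.port 44240 case).
    Addresses and subject are hypothetical."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "qp body"
    msg.set_content(SAMPLE_TEXT, cte="quoted-printable")
    return msg.as_bytes(policy=policy.SMTP)


def build_attachment_message() -> bytes:
    """Same text carried as a quoted-printable attachment (the tcp.port 44242 case)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "qp attachment"
    msg.set_content("See the attached note.\n")
    msg.add_attachment(SAMPLE_TEXT, cte="quoted-printable", filename="note.txt")
    return msg.as_bytes(policy=policy.SMTP)


def decoded_leaf_parts(wire: bytes) -> list:
    """Walk the MIME tree and undo each leaf's Content-Transfer-Encoding.
    get_payload(decode=True) handles quoted-printable and base64 alike, so the
    same walk covers the related base64 report (#3260)."""
    msg = message_from_bytes(wire, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        parts.append((part.get_content_disposition(), part.get_payload(decode=True)))
    return parts


def match_report(wire: bytes, pattern: bytes) -> dict:
    """Where the pattern is visible: in the raw stream, in the decoded body,
    or in a decoded attachment (the data file_data would expose)."""
    parts = decoded_leaf_parts(wire)
    return {
        "raw": pattern in wire,
        "body_decoded": any(pattern in data for disp, data in parts if disp != "attachment"),
        "attachment_decoded": any(pattern in data for disp, data in parts if disp == "attachment"),
    }


if __name__ == "__main__":
    print(wire_form("1234=5678"))
    for name, builder in (("body", build_body_message), ("attachment", build_attachment_message)):
        print(name, match_report(builder(), PATTERN))
```

For the body-only message the pattern is absent from the raw stream and present only after decoding the body; for the attachment message it is absent from the raw stream and present only in the decoded attachment, which is the part file_data already exposes. Running the same two messages through the pcap setup in the report is what separates an engine that decodes attachments from one that also decodes the body.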
Files
AH Updated by Andreas Herz over 6 years ago
- Assignee set to OISF Dev
- Target version set to TBD
VJ Updated by Victor Julien over 6 years ago
- Related to Feature #3260: SMTP Base64 Decoding of Message Body added
VJ Updated by Victor Julien over 6 years ago
- Tracker changed from Bug to Feature
See #3260#note-2
VJ Updated by Victor Julien about 6 years ago
- Label Protocol added
JL Updated by Jeff Lucovsky over 5 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
PA Updated by Philippe Antoine over 2 years ago
- Related to Task #6443: Suricon 2023 brainstorm added