SMTP quoted-printable Decoding of Message Body
In attempting to write signatures for a quoted-printable decoded message body (not an attachment) I find that signatures do not fire as expected.
FWIW, I've observed the same issue for base64 encoding of the message body as well. https://redmine.openinfosecfoundation.org/issues/3260 has been opened to address that.
I have attached a zip that contains pcap, IDS output, rules, etc.
The pcap has two different TCP sessions, one which includes only a quoted-printable message body (tcp.port 44240), and another that includes the same quoted-printable data as an attachment (tcp.port 44242). This was done to validate that quoted-printable decoding of SMTP attachments worked and could be triggered via the file_data keyword as expected.
The pcap was captured while using Python scripts to read an EML and send it to a Python "SMTP Sink". I then used tcprewrite to rewrite the src/dst IPs from 127.0.0.1 to something more representative of the traffic I'm attempting to signature.
Please let me know if anything else is required.
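As an added illustration (not part of the report or its attached zip) of why a body-content signature misses when matching runs over the raw, still-encoded bytes: a small RFC 2045 quoted-printable decoder run over a constructed message body. The body text, the URL and the signature string are all made up for the example.

```python
# Minimal RFC 2045 quoted-printable decoder, plus a check showing that a
# pattern written against the decoded body does not appear in the raw wire
# bytes (soft line break "=\r\n" and "=3D" split and rewrite the text).
# Added example; RAW_BODY and SIGNATURE are constructed, not from the report.
import re

HEX2 = re.compile(rb"[0-9A-Fa-f]{2}")

def qp_decode(data: bytes) -> bytes:
    """Decode quoted-printable text (RFC 2045 section 6.7)."""
    out = bytearray()
    lines = data.split(b"\r\n")
    for idx, line in enumerate(lines):
        # Trailing whitespace may be added in transit; it is not content.
        line = line.rstrip(b" \t")
        soft_break = line.endswith(b"=")   # "=" at end of line joins lines
        if soft_break:
            line = line[:-1]
        i = 0
        while i < len(line):
            if line[i:i + 1] == b"=" and HEX2.fullmatch(line[i + 1:i + 3]):
                out.append(int(line[i + 1:i + 3], 16))   # "=XX" escape
                i += 3
            else:                                         # literal byte
                out += line[i:i + 1]
                i += 1
        if not soft_break and idx < len(lines) - 1:
            out += b"\r\n"                                # hard line break
    return bytes(out)

# Constructed quoted-printable message body (lines kept under 76 chars).
RAW_BODY = (
    b"Please review the attached invoice at http://example.invalid/pay?id=3D42 b=\r\n"
    b"efore close of business. =E2=80=94 Accounts\r\n"
)

# Constructed pattern a rule author would write against the decoded text.
SIGNATURE = b"pay?id=42 before"

def signature_hits(pattern: bytes, body: bytes) -> tuple:
    """Return (hit on raw encoded bytes, hit on decoded bytes)."""
    return (pattern in body, pattern in qp_decode(body))

if __name__ == "__main__":
    print(signature_hits(SIGNATURE, RAW_BODY))
```

Python's standard `quopri` module performs the same decoding; the hand-written decoder is here only to make the soft-break and `=XX` rules visible.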