Feature #3261

open

SMTP quoted-printable Decoding of Message Body

Added by Brandon Murphy over 4 years ago. Updated about 4 years ago.

Status: New
Priority: Normal
Assignee: (none)
Target version: (none)
Effort: (none)
Difficulty: (none)
Label: Protocol

Description

In attempting to write signatures for a quoted-printable decoded message body (not an attachment) I find that signatures do not fire as expected.

FWIW, I've observed the same issue for base64 encoding of the message body as well. https://redmine.openinfosecfoundation.org/issues/3260 has been opened to address that.

I have attached a zip that contains pcap, IDS output, rules, etc.

The pcap has two different TCP sessions, one which includes only a quoted-printable message body (tcp.port 44240), and another that includes the same quoted-printable data as an attachment (tcp.port 44242). This was done to validate that quoted-printable decoding of SMTP attachments worked and could be triggered via the file_data keyword as expected.

The pcap was captured while using Python scripts to read an EML and send it to a Python "SMTP sink". I then used tcprewrite to rewrite the src/dst IPs from 127.0.0.1 to something more representative of the traffic I'm attempting to signature.

Please let me know if anything else is required.
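The following is an added illustration, not code from the ticket or from the Suricata project. It builds a constructed EML whose body is quoted-printable encoded (the kind of message a Python sender would hand to an SMTP sink), then compares a content match on the raw wire bytes with the same match on the decoded body. Addresses, subject and body text are constructed sample values; the point it shows is why a rule written against the decoded message body does not fire on the encoded stream: "=" crosses the wire as "=3D", non-ASCII as "=C3=A9", and any line longer than the encoder's limit is soft-wrapped with "=\r\n", so the pattern the rule author sees is simply not contiguous in the packets until the transfer encoding is undone.

```python
"""Quoted-printable SMTP body versus a content match on the raw stream.

Added example; not part of the ticket or of Suricata. Everything below
(addresses, subject, body, patterns) is constructed sample data.
"""
import quopri
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed patterns a rule writer might put in a content match.
# "=" must be escaped as "=3D" in quoted-printable, "caf\u00e9" becomes
# "caf=C3=A9", and a 90-character line is soft-wrapped, so none of these
# can appear contiguously in the encoded body.
SHORT_PATTERN = "ticket=3261"
LONG_PATTERN = "BEGIN-" + "x" * 80 + "-END"
SAMPLE_BODY = (
    f"Hello,\nthe marker is {SHORT_PATTERN} and the caf\u00e9 is open.\n"
    f"{LONG_PATTERN}\n"
)


def build_qp_message(body: str) -> bytes:
    """Build an RFC 5322 message with a quoted-printable text body (CRLF lines)."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "sender@example.invalid"  # constructed addresses
    msg["To"] = "sink@example.invalid"
    msg["Subject"] = "quoted-printable body test"
    msg.set_content(body, charset="utf-8", cte="quoted-printable")
    return msg.as_bytes()


def wire_body(raw: bytes) -> bytes:
    """Body bytes exactly as they cross the SMTP session (still QP encoded)."""
    _headers, _sep, body = raw.partition(b"\r\n\r\n")
    return body


def decode_body(raw: bytes) -> str:
    """What an inspection engine has to do before matching: undo the CTE."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return msg.get_content()


def decode_wire_body(raw: bytes) -> str:
    """Same result using the bare quoted-printable decoder on the body bytes."""
    return quopri.decodestring(wire_body(raw)).decode("utf-8")


def pattern_hits(raw: bytes, pattern: str) -> dict:
    """Report whether a pattern matches the encoded wire bytes and the decoded body."""
    return {
        "wire": pattern.encode("utf-8") in wire_body(raw),
        "decoded": pattern in decode_body(raw),
    }


if __name__ == "__main__":
    raw = build_qp_message(SAMPLE_BODY)
    print(raw.decode("ascii"))
    for pat in (SHORT_PATTERN, LONG_PATTERN, "caf\u00e9"):
        print(f"{pat[:24]:<24} {pattern_hits(raw, pat)}")
```

Running the block prints the message as it would appear on the wire followed by one line per pattern; every pattern reports `wire: False, decoded: True`. The same comparison applied to the attachment session in the ticket is what `file_data` buys the rule author for attachments, and what a decoded message-body buffer would provide for the body case.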


Related issues (3 open, 0 closed)

Related to Suricata - Feature #3260: SMTP Base64 Decoding of Message Body (New, assignee: OISF Dev)
Related to Suricata - Task #4097: Suricon 2020 brainstorm (Assigned, assignee: Victor Julien)
Related to Suricata - Task #6443: Suricon 2023 brainstorm (Assigned, assignee: Victor Julien)
