Support for RFC2231
We noticed a lack of support for multiline header attributes in mime documents as defined in RFC2231 (standard track).
This RFC documents a way to split header attributes across multiple lines, so that the line length remains short.
This wrapping is implemented by some popular MUA, including Thunderbird. Lack of support for this RFC results in Suricata not noticing/storing email attachments with filenames wrapped that way (filename*0=, filename*1=...).
This can also be considered as a evasion technique, although this is a standard track RFC.
We attached a pcap file containing an email attachment ignored by Suricata.