Project

General

Profile

Actions
Copy link

Bug #5185

closed
CC PA

mime: URL extraction missing

Bug #5185: mime: URL extraction missing

Added by chen chen about 4 years ago. Updated 12 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.0-beta1
Affected Versions:
6.0.2
Effort:
Difficulty:
Label:
C

Description

MIME URL extraction missing when the body like this.
@From: testa <>
To: testb <>
Message-ID: <>
Subject: nnnnn
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64

IDxkaXY+IDxkaXY+IDxkaXY+IDxkaXY+PGRpdj5odHRwOi8vY29kYXNob3AtZnJlZTAxLmR1Y2tk
bnMub3JnLzwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXYgaWQ9InNpZ24iPjxkaXYgY2xhc3M9Im0t
YWNjb3VudCI+NTU1NTU1NTU1NTU1NTU1PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9k
aXY+

.@

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #3260: SMTP Base64 Decoding of Message BodyNewOISF DevActions

EL Updated by Eric Leblond about 4 years ago Actions
Copy link
 #1

  • Assignee deleted (Eric Leblond)

CC Updated by chen chen about 4 years ago Actions
Copy link
 #2

chen dy wrote:

MIME URL extraction missing when the body like this.
From: testa <>
To: testb <>
Message-ID: <>
Subject: nnnnn
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64

IDxkaXY+IDxkaXY+IDxkaXY+IDxkaXY+PGRpdj5odHRwOi8vY29kYXNob3AtZnJlZTAxLmR1Y2tk
bnMub3JnLzwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXYgaWQ9InNpZ24iPjxkaXYgY2xhc3M9Im0t
YWNjb3VudCI+NTU1NTU1NTU1NTU1NTU1PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9k
aXY+

.

The result of Base64 decoding is " <div> <div> <div> <div><div>http://codashop-free01.duckdns.org/&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div id="sign"><div class="m-account">555555555555555</div></div></div></div></div></div>", which doesn't end with CR/LF.
I found there are following comment in src/util-decode-mime.c ProcessDecodedDataChunk function:
“If last token found without CR/LF delimiter, then save and reconstruct with next chunk”.
So in this case, is there a problem with the mail body or the code?

CC Updated by chen chen about 4 years ago Actions
Copy link
 #3

  • Assignee set to Victor Julien

VJ Updated by Victor Julien about 4 years ago Actions
Copy link
 #4

  • Assignee deleted (Victor Julien)

Please leave setting the assignee to the team, thank you.

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
 #5

  • Assignee set to OISF Dev

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
 #6

Could you share as a pcap or even better, a suricata-verify test ?

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #7

  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 8.0.0-beta1

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #8

  • Status changed from New to In Review

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #9

  • Status changed from In Review to Closed

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #10

  • Related to Feature #3260: SMTP Base64 Decoding of Message Body added

VJ Updated by Victor Julien 12 months ago Actions
Copy link
 #11

  • Subject changed from MIME URL extraction missing. to mime: URL extraction missing
Actions
Copy link

Also available in: PDF Atom