https://redmine.openinfosecfoundation.org/ 2022-03-08T16:13:38Z Open Information Security Foundation
Suricata - Bug #5185: MIME URL extraction missing. https://redmine.openinfosecfoundation.org/issues/5185?journal_id=22706 2022-03-08T16:13:38Z Eric Leblond eric@regit.org
<ul><li><strong>Assignee</strong> deleted (<del><i>Eric Leblond</i></del>)</li></ul>
Suricata - Bug #5185: MIME URL extraction missing. https://redmine.openinfosecfoundation.org/issues/5185?journal_id=22708 2022-03-09T01:23:59Z chen dy
<ul></ul><p>chen dy wrote:</p>
<blockquote>
<p>MIME URL extraction is missing when the body is like this.<br />From: testa &lt;<a class="email" href="mailto:testa@lalala.com">testa@lalala.com</a>&gt;<br />To: testb &lt;<a class="email" href="mailto:testb@lalala.com">testb@lalala.com</a>&gt;<br />Message-ID: &lt;<a class="email" href="mailto:63f2666aa88643e7a165c7a507422e84@lalala.com">63f2666aa88643e7a165c7a507422e84@lalala.com</a>&gt;<br />Subject: nnnnn<br />Content-Type: text/html; <br />charset="utf-8" <br />Content-Transfer-Encoding: base64</p>
<p>IDxkaXY+IDxkaXY+IDxkaXY+IDxkaXY+PGRpdj5odHRwOi8vY29kYXNob3AtZnJlZTAxLmR1Y2tk<br />bnMub3JnLzwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXYgaWQ9InNpZ24iPjxkaXYgY2xhc3M9Im0t<br />YWNjb3VudCI+NTU1NTU1NTU1NTU1NTU1PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9k<br />aXY+</p>
<p>.</p>
</blockquote>
<p>The result of Base64 decoding is " &lt;div&gt; &lt;div&gt; &lt;div&gt; &lt;div&gt;&lt;div&gt;http://codashop-free01.duckdns.org/&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div id="sign"&gt;&lt;div class="m-account"&gt;555555555555555&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;", which doesn't end with CR/LF.<br />I found the following comment in the ProcessDecodedDataChunk function in src/util-decode-mime.c:<br />“If last token found without CR/LF delimiter, then save and reconstruct with next chunk”. <br />So in this case, is there a problem with the mail body or the code?</p>
Suricata - Bug #5185: MIME URL extraction missing. https://redmine.openinfosecfoundation.org/issues/5185?journal_id=22709 2022-03-09T03:21:09Z chen dy
<ul><li><strong>Assignee</strong> set to <i>Victor Julien</i></li></ul>
Suricata - Bug #5185: MIME URL extraction missing. https://redmine.openinfosecfoundation.org/issues/5185?journal_id=22710 2022-03-09T08:50:47Z Victor Julien victor@inliniac.net
<ul><li><strong>Assignee</strong> deleted (<del><i>Victor Julien</i></del>)</li></ul><p>Please leave setting the assignee to the team, thank you.</p>
Suricata - Bug #5185: MIME URL extraction missing. https://redmine.openinfosecfoundation.org/issues/5185?journal_id=28940 2023-06-30T13:33:26Z Philippe Antoine
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li></ul>
Suricata - Bug #5185: MIME URL extraction missing. https://redmine.openinfosecfoundation.org/issues/5185?journal_id=30821 2023-11-09T15:33:36Z Philippe Antoine
<p>Could you share as a pcap or, even better, a suricata-verify test?</p>
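<p>The hold-back behaviour quoted in chen dy's comment above, modelled as an added example (hypothetical C, not Suricata's code or the project's fix): a line scanner that keeps an unterminated trailing line for the next chunk finds no URL in a body that never sends CR/LF unless the remainder is scanned at end of body. The names Scanner, scanner_feed and count_urls are invented here, and the body string is constructed.</p>

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical scanner, not Suricata code: an unterminated trailing line is
 * held back so it can be joined with the next decoded chunk. */
typedef struct {
    char pending[512]; /* bytes since the last LF; overflow is dropped */
    size_t len;
    int urls;          /* lines in which "http://" was seen */
} Scanner;

/* Simplified URL check on one reassembled line. */
static void scan_line(Scanner *s)
{
    s->pending[s->len] = '\0';
    if (strstr(s->pending, "http://") != NULL)
        s->urls++;
    s->len = 0;
}

/* Feed one decoded chunk; only LF-terminated lines are scanned here. */
static void scanner_feed(Scanner *s, const char *chunk, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (chunk[i] == '\n')
            scan_line(s);
        else if (s->len < sizeof(s->pending) - 1)
            s->pending[s->len++] = chunk[i];
    }
}

/* Deliver body in two chunks split at `split`; optionally flush at the end. */
int count_urls(const char *body, size_t split, int flush_at_end)
{
    Scanner s = { .len = 0, .urls = 0 };
    size_t n = strlen(body);
    if (split > n)
        split = n;
    scanner_feed(&s, body, split);
    scanner_feed(&s, body + split, n - split);
    if (flush_at_end && s.len > 0)
        scan_line(&s); /* end of body: scan what is still held back */
    return s.urls;
}

int main(void)
{
    const char *body = "<div>http://example.com/</div>"; /* constructed, no CR/LF */
    printf("no flush: %d, flush: %d\n", count_urls(body, 10, 0), count_urls(body, 10, 1));
    return 0;
}
```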