Project

General

Profile

Actions

Feature #5737

open

smtp body extract

Added by eason pan about 2 months ago. Updated 5 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
Target version:
Effort:
medium
Difficulty:
medium
Label:

Description

Description: extract message body from smtp data.currently this feature is missed.
1. add a config item to enable it or not in suricata.yaml
2. output message body to eve.json

```
smtp:
enabled: no
raw-extraction: no # Configure SMTP-MIME Decoder
mime: # Decode MIME messages from SMTP transactions # (may be resource intensive) # This field supersedes all others because it turns the entire # process on or off
decode-mime: no

  1. Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)
    decode-base64: no
    decode-quoted-printable: no
  1. Maximum bytes per header data value stored in the data structure
  2. (default is 2000)
    header-value-depth: 2000
  1. Extract URLs and save in state data structure
    extract-urls: no
  2. Scheme of URLs to extract
  3. (default is [http])
    #extract-urls-schemes: [http, https, ftp, mailto]
  4. Log the scheme of URLs that are extracted
  5. (default is no)
    #log-url-scheme: yes
  6. Set to yes to compute the md5 of the mail body. You will then
  7. be able to journalize it.
    body: yes ----> to enable or disbale it
    body-md5: yes
    ```

Files

phishing-emails.pcap (12.8 MB) phishing-emails.pcap eason pan, 12/06/2022 05:46 AM
clipboard-202212061426-fp05u.png (16.7 KB) clipboard-202212061426-fp05u.png eason pan, 12/06/2022 06:26 AM
Actions #1

Updated by Victor Julien about 2 months ago

  • Status changed from New to Feedback

I'm a bit confused about what this ticket is about. Can you explain a bit more?

Updated by eason pan about 2 months ago

Victor Julien wrote in #note-1:

I'm a bit confused about what this ticket is about. Can you explain a bit more?

hi Victor
i uploaded a file , what is a phishing-email pcap, in this pcap ,the message body is :

my purpose is to extract this message body, looks this feature is missed.

thanks for your attention

another point , i want to apply the developer role, how and where to apply it?

thanks

Actions #3

Updated by eason pan about 2 months ago

  • Status changed from Feedback to Assigned
  • Target version changed from TBD to 7.0.0-rc1

eason pan wrote in #note-2:

Victor Julien wrote in #note-1:

I'm a bit confused about what this ticket is about. Can you explain a bit more?

hi Victor
i uploaded a file , what is a phishing-email pcap, in this pcap ,the message body is :

my purpose is to extract this message body, looks this feature is missed.

thanks for your attention

another point , i want to apply the developer role, how and where to apply it?

thanks

Actions #4

Updated by eason pan about 1 month ago

  • Status changed from Assigned to In Progress
Actions #5

Updated by Victor Julien 5 days ago

  • Target version changed from 7.0.0-rc1 to 8.0beta1
Actions

Also available in: Atom PDF