Project

General

Profile

Actions

Feature #5737

open

smtp body extract

Added by eason pan about 2 years ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
medium
Label:

Description

Description: extract message body from smtp data.currently this feature is missed.
1. add a config item to enable it or not in suricata.yaml
2. output message body to eve.json

```
smtp:
enabled: no
raw-extraction: no # Configure SMTP-MIME Decoder
mime: # Decode MIME messages from SMTP transactions # (may be resource intensive) # This field supersedes all others because it turns the entire # process on or off
decode-mime: no

  1. Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)
    decode-base64: no
    decode-quoted-printable: no
  1. Maximum bytes per header data value stored in the data structure
  2. (default is 2000)
    header-value-depth: 2000
  1. Extract URLs and save in state data structure
    extract-urls: no
  2. Scheme of URLs to extract
  3. (default is [http])
    #extract-urls-schemes: [http, https, ftp, mailto]
  4. Log the scheme of URLs that are extracted
  5. (default is no)
    #log-url-scheme: yes
  6. Set to yes to compute the md5 of the mail body. You will then
  7. be able to journalize it.
    body: yes ----> to enable or disbale it
    body-md5: yes
    ```

Files

phishing-emails.pcap (12.8 MB) phishing-emails.pcap eason pan, 12/06/2022 05:46 AM
clipboard-202212061426-fp05u.png (16.7 KB) clipboard-202212061426-fp05u.png eason pan, 12/06/2022 06:26 AM

Related issues 2 (1 open1 closed)

Related to Suricata - Feature #4905: smtp: add stream app-layer frame support ClosedVictor JulienActions
Related to Suricata - Task #6474: detect: smtp body inspection keywordNewOISF DevActions
Actions #1

Updated by Victor Julien about 2 years ago

  • Status changed from New to Feedback

I'm a bit confused about what this ticket is about. Can you explain a bit more?

Updated by eason pan about 2 years ago

Victor Julien wrote in #note-1:

I'm a bit confused about what this ticket is about. Can you explain a bit more?

hi Victor
i uploaded a file , what is a phishing-email pcap, in this pcap ,the message body is :

my purpose is to extract this message body, looks this feature is missed.

thanks for your attention

another point , i want to apply the developer role, how and where to apply it?

thanks

Actions #3

Updated by eason pan about 2 years ago

  • Status changed from Feedback to Assigned
  • Target version changed from TBD to 7.0.0-rc1

eason pan wrote in #note-2:

Victor Julien wrote in #note-1:

I'm a bit confused about what this ticket is about. Can you explain a bit more?

hi Victor
i uploaded a file , what is a phishing-email pcap, in this pcap ,the message body is :

my purpose is to extract this message body, looks this feature is missed.

thanks for your attention

another point , i want to apply the developer role, how and where to apply it?

thanks

Actions #4

Updated by eason pan about 2 years ago

  • Status changed from Assigned to In Progress
Actions #5

Updated by Victor Julien almost 2 years ago

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions #6

Updated by Philippe Antoine 7 months ago

  • Related to Feature #4905: smtp: add stream app-layer frame support added
Actions #7

Updated by Victor Julien 7 months ago

  • Status changed from In Progress to New
  • Assignee changed from eason pan to Community Ticket
  • Target version deleted (8.0.0-beta1)
Actions #8

Updated by Philippe Antoine 6 months ago

  • Target version set to TBD
Actions #9

Updated by Philippe Antoine 6 months ago

  • Related to Task #6474: detect: smtp body inspection keyword added
Actions

Also available in: Atom PDF