Feature #5737
opensmtp body extract
Description
Description: Extract message body from SMTP data. Currently this feature is missing.
1. Add a config item to enable it or not in suricata.yaml
2. Output message body to eve.json
```
smtp:
  enabled: no
  raw-extraction: no
  # Configure SMTP-MIME Decoder
  mime:
    # Decode MIME messages from SMTP transactions
    # (may be resource intensive)
    # This field supersedes all others because it turns the entire
    # process on or off
    decode-mime: no
    # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)
    decode-base64: no
    decode-quoted-printable: no
    # Maximum bytes per header data value stored in the data structure
    # (default is 2000)
    header-value-depth: 2000
    # Extract URLs and save in state data structure
    extract-urls: no
    # Scheme of URLs to extract
    # (default is [http])
    #extract-urls-schemes: [http, https, ftp, mailto]
    # Log the scheme of URLs that are extracted
    # (default is no)
    #log-url-scheme: yes
    # Set to yes to compute the md5 of the mail body. You will then
    # be able to journalize it.
    body: yes  # ----> to enable or disable it
    body-md5: yes
```
Updated by Victor Julien almost 3 years ago
- Status changed from New to Feedback
I'm a bit confused about what this ticket is about. Can you explain a bit more?
Updated by eason pan almost 3 years ago
- File phishing-emails.pcap added
- File clipboard-202212061426-fp05u.png added
Victor Julien wrote in #note-1:
I'm a bit confused about what this ticket is about. Can you explain a bit more?
Hi Victor,
I uploaded a file, which is a phishing-email pcap. In this pcap, the message body is:
My purpose is to extract this message body; it looks like this feature is missing.
Thanks for your attention.
Another point: I want to apply for the developer role. How and where do I apply for it?
Thanks
Updated by eason pan almost 3 years ago
- Status changed from Feedback to Assigned
- Target version changed from TBD to 7.0.0-rc1
Updated by eason pan almost 3 years ago
- Status changed from Assigned to In Progress
Updated by Victor Julien almost 3 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Updated by Philippe Antoine over 1 year ago
- Related to Feature #4905: smtp: add stream app-layer frame support added
Updated by Victor Julien over 1 year ago
- Status changed from In Progress to New
- Assignee changed from eason pan to Community Ticket
- Target version deleted (8.0.0-beta1)
Updated by Philippe Antoine over 1 year ago
- Related to Task #6474: detect: smtp body inspection keyword added