Feature #5737
opensmtp body extract
Effort:
medium
Difficulty:
medium
Label:
Description
Description: Extract the message body from SMTP data. Currently this feature is missing.
1. Add a config item in suricata.yaml to enable it or not
2. Output the message body to eve.json
```
smtp:
  enabled: no
  raw-extraction: no
  # Configure SMTP-MIME Decoder
  mime:
    # Decode MIME messages from SMTP transactions
    # (may be resource intensive)
    # This field supersedes all others because it turns the entire
    # process on or off
    decode-mime: no
    # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)
    decode-base64: no
    decode-quoted-printable: no
    # Maximum bytes per header data value stored in the data structure
    # (default is 2000)
    header-value-depth: 2000
    # Extract URLs and save in state data structure
    extract-urls: no
    # Scheme of URLs to extract
    # (default is [http])
    #extract-urls-schemes: [http, https, ftp, mailto]
    # Log the scheme of URLs that are extracted
    # (default is no)
    #log-url-scheme: yes
    # Set to yes to compute the md5 of the mail body. You will then
    # be able to journalize it.
    body: yes  # ----> to enable or disable it
    body-md5: yes
```