Suricata

While trying to create a test to prove this issue, when I was successfully able to create the test, I noticed an anomaly event MIME_LONG_LINE. Upon investigating the code and then the RFC 2045 and 2822, I found that if we receive more than 998 bytes as a part of MIME excluding CRLF, we must ideally reject the line as the 998 character limit is due to limitations in many implementations which send, receive, or store Internet Message Format messages that simply cannot handle more than 998 characters on a line In fact, modern implementations are enforcing 78 Bytes long line.

Conclusion: Even in theory, if this happens, we have it handled well as it should be as per the RFCs. This issue is invalid and must be rejected.
Demonstrated by test https://github.com/OISF/suricata-verify/pull/1187

Reopening because the anomaly doesn't mean the processing necessarily stops. Needs more testing.