Feature #6198: Feature Request: Add "SMTP" keywords for use in rules - Suricata - Open Information Security Foundation

Actions

Feature #6198

open

Status:

New

Priority:

Normal

Assignee:

Target version:

Effort:

Difficulty:

Label:

Description

Suricata has an app-layer parser / protocol support for SMTP builtin since long time ago, but no keywords are available for use in rules.

This feature request wants to add SMTP keyword support to Suricata, so that these keywords can be used in rules.

To focus development, this ticket also tries to collect some helpful use cases for such SMTP keywords:

MAIL FROM: <address> and RCPT TO: <address> compatible to use in datasets, e.g. e-mail blacklist
HELO / EHLO: <server> -> dataset blacklist
AUTH to detect multiple login attempts
Return-Codes
Other headers (Subject, Content-Type) in the DATA part, ideally with custom header support

Feel free to add further use cases.

Thanks!

Related issues 4 (4 open — 0 closed)

Actions

Also available in: Atom PDF

Related to Suricata - Feature #776: rules: Add smtp_envelope and smtp_header keywords	Assigned	OISF Dev	Actions
Related to Suricata - Task #6473: detect: smtp keyword coverage	Assigned	Victor Julien	Actions
Related to Suricata - Task #6443: Suricon 2023 brainstorm	Assigned	Victor Julien	Actions
Related to Suricata - Story #6597: rules: improve rules keyword/output parity	New	Victor Julien	Actions