Actions
Feature #776
openTask #6473: detect: smtp keyword coverage
rules: Add smtp_envelope and smtp_header keywords
Description
Add smtp_envelope and smtp_header keywords.
The envelope is composed of communication before the DATA segment ( example at http://en.wikipedia.org/wiki/SMTP#SMTP_transport_example) and the header is the part of the email content before there is the mail body (which should be anything between DATA and the first occurence of CR LF CR LF).
The idea is to allow rules searching for email addresses, mail user-agents, etc.. while not matching on the same pattern(s) being discussed in an email body.
Updated by Victor Julien over 12 years ago
I have some test code for this, let me try to find it and see if it in usable shape.
Updated by Christophe Vandeplas over 11 years ago
Email subject and attachment names are also very interesting keywords
Do consider that data need to be normalized as the data:- can be split in multiple lines
- can be encoded following RFC2047 (
From: =?US-ASCII?Q?Keith_Moore?= <moore@cs.utk.edu> , Subject: =?ISO-8859-1?B?SWYgeW91IGNhbiByZWFkIHRoaXMgeW8=?=)
Updated by Victor Julien almost 7 years ago
- Assignee changed from OISF Dev to Anonymous
- Effort set to medium
- Difficulty set to low
Updated by Victor Julien over 4 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
Updated by Victor Julien over 4 years ago
- Subject changed from Add smtp_envelope and smtp_header keywords to rules: Add smtp_envelope and smtp_header keywords
Updated by Victor Julien almost 3 years ago
- Status changed from New to Assigned
- Assignee changed from Community Ticket to OISF Dev
- Effort deleted (
medium) - Difficulty deleted (
low)
Updated by Victor Julien about 2 years ago
- Related to Feature #6198: smtp: add keywords for use in rules added
Updated by Philippe Antoine almost 2 years ago
- Related to Feature #3487: mime: multi-part parser in Rust added
Actions