Project

General

Profile

Actions
Copy link

Feature #776

open
DA OD

Task #6473: detect: smtp keyword coverage

rules: Add smtp_envelope and smtp_header keywords

Feature #776: rules: Add smtp_envelope and smtp_header keywords

Added by David André about 13 years ago. Updated over 2 years ago.

Status:
Assigned
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:
Beginner

Description

Add smtp_envelope and smtp_header keywords.

The envelope is composed of communication before the DATA segment ( example at http://en.wikipedia.org/wiki/SMTP#SMTP_transport_example) and the header is the part of the email content before there is the mail body (which should be anything between DATA and the first occurence of CR LF CR LF).

The idea is to allow rules searching for email addresses, mail user-agents, etc.. while not matching on the same pattern(s) being discussed in an email body.

Related issues 3 (2 open1 closed)

Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #6198: smtp: add keywords for use in rulesNewOISF DevActions
Related to Suricata - Feature #3487: mime: multi-part parser in RustClosedPhilippe AntoineActions

VJ Updated by Victor Julien about 13 years ago Actions
Copy link
 #1

I have some test code for this, let me try to find it and see if it in usable shape.

CV Updated by Christophe Vandeplas over 12 years ago Actions
Copy link
 #2

Email subject and attachment names are also very interesting keywords

Do consider that data need to be normalized as the data:
  • can be split in multiple lines
  • can be encoded following RFC2047 ( From: =?US-ASCII?Q?Keith_Moore?= <moore@cs.utk.edu> , Subject: =?ISO-8859-1?B?SWYgeW91IGNhbiByZWFkIHRoaXMgeW8=?= )

VJ Updated by Victor Julien over 12 years ago Actions
Copy link
 #3

  • Target version set to TBD

AH Updated by Andreas Herz over 10 years ago Actions
Copy link
 #4

  • Assignee set to OISF Dev

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
 #5

  • Assignee changed from OISF Dev to Anonymous
  • Effort set to medium
  • Difficulty set to low

AH Updated by Andreas Herz about 7 years ago Actions
Copy link
 #6

  • Assignee set to Community Ticket

VJ Updated by Victor Julien over 6 years ago Actions
Copy link
 #7

  • Label Beginner added

VJ Updated by Victor Julien over 5 years ago Actions
Copy link
 #8

  • Related to Task #4097: Suricon 2020 brainstorm added

VJ Updated by Victor Julien over 5 years ago Actions
Copy link
 #9

  • Subject changed from Add smtp_envelope and smtp_header keywords to rules: Add smtp_envelope and smtp_header keywords

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #10

  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to OISF Dev
  • Effort deleted (medium)
  • Difficulty deleted (low)

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #11

  • Related to Feature #6198: smtp: add keywords for use in rules added

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
 #12

  • Related to Feature #3487: mime: multi-part parser in Rust added

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
 #13

  • Parent task set to #6473
Actions
Copy link

Also available in: PDF Atom