Bug #7950
Status: open
Potentially incorrect decoding of quoted-printable mime text attachments
Description
If I am correct, there might be a decoding problem with decoding quoted-printable encoded email text attachments in Suricata.
In addition, if there is an empty line at the end of the last attachment (before the ".") it is also appended to the decoded file. AFAIK, that should not be the case.
I believe I found a test case where Suricata 7.0.12 and 8.0.1 and the GMime library (as a reference) all produce different text file output and checksums which might induce an IoC matching problem.
- "testcase.smtp" is the SMTP stream from the PCAP extracted from Wireshark follow TCP stream.
- "Attachment2-gmime" is the output that is generated by the GMime library.
- "Attachment2-suri7" and "Attachment-suri8" are the respective outputs of the above versions when activating filestore.
$ diff Attachment2-gmime Attachment2-suri7
119c119
< ===================================================================
---
> ==3D================================================================
246,247c246
< +static gboolean related_url_string_cb(field_info *finfo, gboolean doit,
< const gchar** ret_url)
---
> +static gboolean related_url_string_cb(field_info *finfo, gboolean doit, const gchar** ret_url)
451c450
< ===================================================================
---
> ==========================================3D========================
1037a1037
> 

$ diff Attachment2-gmime Attachment2-suri8
119c119
< ===================================================================
---
> ==3D================================================================
246,247c246
< +static gboolean related_url_string_cb(field_info *finfo, gboolean doit,
< const gchar** ret_url)
---
> +static gboolean related_url_string_cb(field_info *finfo, gboolean doit, const gchar** ret_url)
451c450
< ===================================================================
---
> ==========================================D========================
1037a1037
> 
Hopefully I did not make a mistake. But if I am correct, there might be unwanted IoC differences.
Best regards,
MaJa
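Added example (not from this ticket, and not Suricata's, GMime's or Wireshark's code): a small RFC 2045 section 6.7 quoted-printable decoder that shows the two rules the diffs above hinge on, an "=3D" escape sitting right before a soft line break ("=" at the end of a 76-character line) and a hard line break that must be preserved. The sample body and its expected plaintext are constructed here, not taken from testcase.smtp. The decoded output is checked against CPython's independent C implementation (binascii.a2b_qp), and a SHA-256 of the result illustrates why decoders that disagree on a single "=3D" can never match the same file-hash IoC. The helper names (decode_qp, reference_decode, first_divergence, sha256_hex) are this example's own.

```python
import binascii
import hashlib

HEX_DIGITS = b"0123456789ABCDEFabcdef"

# Constructed sample (not the ticket's testcase.smtp): line 1 is exactly 76
# characters and ends with an encoded "=" ("=3D") immediately followed by a
# soft line break ("=" + CRLF), so the run of "=" continues on line 2.
# Lines 3-4 are a hard line break with an indented continuation line, and
# line 5 ends with an encoded trailing space ("=20").
SAMPLE_QP = (
    b"=3D" * 25 + b"=\r\n"
    + b"=3D" * 6 + b"\r\n"
    + b"+static gboolean related_url_string_cb(field_info *finfo, gboolean doit,\r\n"
    + b"                                       const gchar** ret_url)\r\n"
    + b"last line=20\r\n"
)

# What an RFC 2045 decoder must produce for SAMPLE_QP.
EXPECTED_PLAIN = (
    b"=" * 31 + b"\r\n"
    + b"+static gboolean related_url_string_cb(field_info *finfo, gboolean doit,\r\n"
    + b"                                       const gchar** ret_url)\r\n"
    + b"last line \r\n"
)


def _decode_escapes(line: bytes) -> bytes:
    """Decode "=XX" escapes in one line that carries no line ending and no soft break."""
    out = bytearray()
    i = 0
    while i < len(line):
        if line[i] == 0x3D:  # '='
            hexpair = line[i + 1:i + 3]
            if len(hexpair) == 2 and all(b in HEX_DIGITS for b in hexpair):
                out.append(int(hexpair, 16))
                i += 3
                continue
        # Literal byte, or a malformed "=" that RFC 2045 says a robust
        # decoder should pass through rather than drop.
        out.append(line[i])
        i += 1
    return bytes(out)


def decode_qp(data: bytes) -> bytes:
    """Quoted-printable decoder following RFC 2045 section 6.7.

    Per encoded line: trailing whitespace is deleted (rule 3), a line ending
    in "=" is a soft line break and joins with the next line (rule 5), "=XX"
    becomes the octet 0xXX (rule 1), everything else is literal. Hard line
    breaks are kept as CRLF or LF, whichever the input used.
    """
    out = bytearray()
    pieces = data.split(b"\n")
    for idx, line in enumerate(pieces):
        has_newline = idx != len(pieces) - 1
        crlf = line.endswith(b"\r")
        if crlf:
            line = line[:-1]
        line = line.rstrip(b" \t")
        soft_break = line.endswith(b"=")
        if soft_break:
            line = line[:-1]
        out += _decode_escapes(line)
        if has_newline and not soft_break:
            out += b"\r\n" if crlf else b"\n"
    return bytes(out)


def reference_decode(data: bytes) -> bytes:
    """Independent reference decoder: CPython's C implementation."""
    return binascii.a2b_qp(data)


def sha256_hex(data: bytes) -> str:
    """Digest of a decoded attachment, i.e. the value a file-hash IoC is matched against."""
    return hashlib.sha256(data).hexdigest()


def first_divergence(a: bytes, b: bytes):
    """Offset of the first byte where two decoder outputs differ, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    ours = decode_qp(SAMPLE_QP)
    ref = reference_decode(SAMPLE_QP)
    print("matches RFC expectation:", ours == EXPECTED_PLAIN)
    print("first divergence vs binascii:", first_divergence(ours, ref))
    print("sha256 of decoded output:", sha256_hex(ours))
    # Leaving a single "=3D" undecoded anywhere in the file changes the digest,
    # so two decoders that disagree will never share a file-hash IoC.
    print("sha256 with one '=3D' left undecoded:",
          sha256_hex(ours.replace(b"=", b"=3D", 1)))
```

Running two decoders over the same extracted attachment and feeding their outputs to first_divergence gives the byte offset to inspect, which is quicker than reading a line-oriented diff when the only difference is a missed escape inside a long run of "=".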
Files
Updated by Victor Julien about 18 hours ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 9.0.0-beta1
@Philippe Antoine can you check this and mark for backport(s) if needed?
Updated by Philippe Antoine about 12 hours ago
Suricata 8 and 7 seem incorrect.
So does Gmime in another way, while comparing to Wireshark IMF exported object
Updated by Philippe Antoine about 12 hours ago
- Label Needs backport to 7.0, Needs backport to 8.0 added
Not really a backport for 7, but a fix for the C parser...
Updated by OISF Ticketbot about 12 hours ago
- Label deleted (Needs backport to 8.0)
Updated by OISF Ticketbot about 12 hours ago
- Label deleted (Needs backport to 7.0)
Updated by Philippe Antoine about 12 hours ago
- Status changed from Assigned to In Review