Task #6473: tracking: detect: smtp keyword coverage

Feature #8693: detect: smtp/email body and header inspection keywords

Added by Stuart DC 4 days ago. Updated 1 day ago.

Status: Triaged
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Create new sticky buffers separating the email headers from the body. Ideally, a raw and normalized buffer for each.
Normalization would include handling base64 and quoted-printable encoding.

email.headers / email.raw.headers

// Raw
Received: by mail-qv1-xf64.google.com with SMTP id 12345.1 for <user@victim.io>; Mon, 29 Jun 2026 08:49:07 -0700 (PDT)
Date: Mon, 29 Jun 2026 15:20:55 +0000
To: =?UTF-8?B?VmljdGlt?= <user@victim.io>
From: =?UTF-8?B?QXR0YWNrZXI=?= <super@baddie.xyz>
Subject: =?UTF-8?B?UmVtaW5kZXI6IFBsZWFzZSB2ZXJpZnkgeW91ciBhY2NvdW50IGJlZm9yZSA2LiBKdWx5IDIwMjYgKCM2TjZBWVVPOSk=?=
Message-ID: <12345667@victim.io>
MIME-Version: 1.0
Content-Type: text/html

email.body / email.raw.body

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
  </body>
</html>
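
The four buffers the description proposes, carved out of the sample message above and normalized, as an added Python example that is not Suricata code and not part of the ticket. The `email.*` buffer names are the ticket's proposal; the function names, the second (quoted-printable) sample message and the `content_match` helper are assumptions made for the example, and only the standard library's `email` package is used.

```python
"""Added example, not Suricata code: carve an SMTP DATA payload into the four
buffers this ticket proposes and normalize the two non-raw ones:
  email.raw.headers  header block verbatim, folding and encoded-words intact
  email.headers      unfolded, RFC 2047 encoded-words (base64 / Q) decoded
  email.raw.body     body bytes verbatim, still transfer-encoded
  email.body         Content-Transfer-Encoding (base64, quoted-printable) undone
Buffer names are the ticket's; helper names and the second sample are assumptions.
"""
from email import policy
from email.parser import BytesParser

# Constructed from the ticket's sample message, CRLF-terminated as on the wire.
TICKET_HEADERS = [
    b"Received: by mail-qv1-xf64.google.com with SMTP id 12345.1 for <user@victim.io>;"
    b" Mon, 29 Jun 2026 08:49:07 -0700 (PDT)",
    b"Date: Mon, 29 Jun 2026 15:20:55 +0000",
    b"To: =?UTF-8?B?VmljdGlt?= <user@victim.io>",
    b"From: =?UTF-8?B?QXR0YWNrZXI=?= <super@baddie.xyz>",
    b"Subject: =?UTF-8?B?UmVtaW5kZXI6IFBsZWFzZSB2ZXJpZnkgeW91ciBhY2NvdW50IGJlZm9yZSA2LiBKdWx5IDIwMjYgKCM2TjZBWVVPOSk=?=",
    b"Message-ID: <12345667@victim.io>",
    b"MIME-Version: 1.0",
    b"Content-Type: text/html",
]
TICKET_BODY = [
    b"<!DOCTYPE html>",
    b"<html>",
    b"  <head>",
    b'    <meta http-equiv="content-type" content="text/html; charset=UTF-8">',
    b"  </head>",
    b"  <body>",
    b"  </body>",
    b"</html>",
]
SAMPLE_PLAIN = b"\r\n".join(TICKET_HEADERS + [b""] + TICKET_BODY + [b""])

# Constructed variant (assumption, not from the ticket): same headers, but the
# body is quoted-printable and the lure phrase straddles a soft line break
# ("ver=\r\nify"), so a content match on the raw body misses it.
SAMPLE_QP = b"\r\n".join(TICKET_HEADERS[:-1] + [
    b"Content-Type: text/html; charset=UTF-8",
    b"Content-Transfer-Encoding: quoted-printable",
    b"",
    b"<html><body>Please ver=",
    b'ify your account <a href=3D"http://baddie.xyz/verify">here</a></body></html>',
    b"",
])


def carve_buffers(data: bytes) -> dict:
    """Return the four proposed buffers for one message."""
    # Raw split at the first empty line, the RFC 5322 header/body separator.
    sep = b"\r\n\r\n" if b"\r\n\r\n" in data else b"\n\n"
    raw_headers, _, raw_body = data.partition(sep)

    msg = BytesParser(policy=policy.default).parsebytes(data)

    # policy.default unfolds each header and decodes RFC 2047 encoded-words, so
    # the normalized buffer reads "From: Attacker <...>" instead of "=?UTF-8?B?...".
    headers = "".join(f"{name}: {value}\n" for name, value in msg.items())

    # Undo the transfer encoding of every leaf part (multipart containers carry
    # no payload of their own) and decode it with the declared charset.
    chunks = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "us-ascii"
        try:
            chunks.append(payload.decode(charset, "replace"))
        except LookupError:  # bogus charset label: keep the part, fall back
            chunks.append(payload.decode("latin-1"))
    body = "\n".join(chunks)

    return {
        "email.raw.headers": raw_headers,
        "email.headers": headers,
        "email.raw.body": raw_body,
        "email.body": body,
    }


def content_match(buf, needle: str) -> bool:
    """Case-insensitive substring test: the moral equivalent of
    content:"..."; nocase; evaluated against a single buffer."""
    if isinstance(buf, bytes):
        buf = buf.decode("latin-1")
    return needle.lower() in buf.lower()


if __name__ == "__main__":
    for label, sample in (("ticket sample", SAMPLE_PLAIN), ("quoted-printable", SAMPLE_QP)):
        bufs = carve_buffers(sample)
        print(f"== {label}\n{bufs['email.headers']}")
        for name in ("email.raw.body", "email.body"):
            print(f"{name:16} 'verify your account' ->", content_match(bufs[name], "verify your account"))
```

Run stand-alone it prints the normalized header block for both samples and shows the difference the ticket is after: on the quoted-printable sample a match for "verify your account" is False against the raw body and True against the decoded one, and on the ticket's own sample the same phrase is only visible in the headers once the base64 encoded-word in Subject has been decoded. If the proposed keywords land with these semantics, a rule that inspected `email.body` for that content would fire where the same content against `email.raw.body` would not, which is the argument for shipping a normalized buffer beside each raw one.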


Related issues (3 open, 0 closed)

Related to Suricata - Feature #776: rules: Add smtp_envelope and smtp_header keywords (Assigned, OISF Dev)
Related to Suricata - Feature #6198: smtp: add keywords for use in rules (Triaged, OISF Dev)
Related to Suricata - Feature #5737: smtp body extract (New, Community Ticket)