Feature #885

closed

Feature #549: Extract file attachments from emails

smtp file_data support

Added by Victor Julien over 11 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Subtasks 1 (0 open, 1 closed)

Feature #1283: support for snort's file_data keyword (Closed)
Actions #1

Updated by Victor Julien over 11 years ago

  • Tracker changed from Bug to Feature
Actions #2

Updated by Victor Julien over 11 years ago

We should probably inspect the decoded attachments with it, like Snort does: "When the traffic is SMTP the file_data points to the decoded attachments when decoding is enabled for those preprocessors, otherwise to the entire data body." http://blog.snort.org/2011/08/snort-291-where-does-filedata-point.html

Actions #3

Updated by Anoop Saldanha over 11 years ago

- headers
- raw_headers
- envelope.from
- envelope.to

to start with. Won't be hard to support these.

Let's start with file_data first of course.

Actions #4

Updated by Victor Julien about 11 years ago

  • Target version set to TBD
Actions #5

Updated by Will Metcalf about 11 years ago

This has been TBD'd?!?! Where's Peter? I need a shoulder to cry on. We need this.

Actions #6

Updated by Eoin Miller about 11 years ago

This type of functionality would be VERY useful for creating alerting based on spammed out/speared attacks coming in via SMTP. Without this, currently you are unable to even create IDS alerting for .exe files, encrypted zip files, etc. that are coming to your users through the mail flow.

Actions #7

Updated by Victor Julien about 11 years ago

  • Target version changed from TBD to 3.0RC2
  • Parent task set to #549

This depends on #549.

Actions #8

Updated by Victor Julien over 10 years ago

  • Assignee changed from Anoop Saldanha to Victor Julien
  • Target version changed from 3.0RC2 to 2.1beta2
Actions #9

Updated by Victor Julien about 10 years ago

  • Target version changed from 2.1beta2 to 2.1beta3
Actions #10

Updated by Victor Julien almost 10 years ago

  • Target version changed from 2.1beta3 to 2.1beta4
Actions #11

Updated by Victor Julien over 9 years ago

  • Status changed from Assigned to Closed
  • Assignee changed from Victor Julien to Giuseppe Longo