Feature #549: Extract file attachments from emails
smtp file_data support
Updated by Victor Julien about 10 years ago
We should probably inspect the decoded attachments with it, like Snort does: "When the traffic is SMTP the file_data points to the decoded attachments when decoding is enabled for those preprocessors, otherwise to the entire data body." http://blog.snort.org/2011/08/snort-291-where-does-filedata-point.html
Updated by Eoin Miller almost 10 years ago
This type of functionality would be VERY useful for creating alerting based on spammed out/speared attacks coming in via SMTP. Without this, currently you are unable to even create IDS alerting for .exe files, encrypted zip files, etc that are coming to your users through the mail flow.