Project

General

Profile

Actions
Copy link

Feature #6198

open

Feature Request: Add "SMTP" keywords for use in rules

Added by Andreas Dolp over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Suricata has an app-layer parser / protocol support for SMTP builtin since long time ago, but no keywords are available for use in rules.

This feature request wants to add SMTP keyword support to Suricata, so that these keywords can be used in rules.

To focus development, this ticket also tries to collect some helpful use cases for such SMTP keywords:
  • MAIL FROM: <address> and RCPT TO: <address> compatible to use in datasets, e.g. e-mail blacklist
  • HELO / EHLO: <server> -> dataset blacklist
  • AUTH to detect multiple login attempts
  • Return-Codes
  • Other headers (Subject, Content-Type) in the DATA part, ideally with custom header support

Feel free to add further use cases.

Thanks!

Related issues 4 (4 open0 closed)

Related to Suricata - Feature #776: rules: Add smtp_envelope and smtp_header keywordsAssignedOISF DevActions
Related to Suricata - Task #6473: detect: smtp keyword coverageAssignedVictor JulienActions
Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Related to Suricata - Story #6597: rules: improve rules keyword/output parityNewVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien over 1 year ago

  • Related to Feature #776: rules: Add smtp_envelope and smtp_header keywords added
Actions
Copy link
 #2

Updated by Victor Julien 12 months ago

  • Related to Task #6473: detect: smtp keyword coverage added
Actions
Copy link
 #3

Updated by Victor Julien 12 months ago

  • Related to Task #6443: Suricon 2023 brainstorm added
Actions
Copy link
 #4

Updated by Juliana Fajardini Reichow 2 months ago

  • Related to Story #6597: rules: improve rules keyword/output parity added
Actions
Copy link

Also available in: Atom PDF