Project

General

Profile

Actions

Feature #6198

open

Feature Request: Add "SMTP" keywords for use in rules

Added by Andreas Dolp over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Suricata has an app-layer parser / protocol support for SMTP builtin since long time ago, but no keywords are available for use in rules.

This feature request wants to add SMTP keyword support to Suricata, so that these keywords can be used in rules.

To focus development, this ticket also tries to collect some helpful use cases for such SMTP keywords:
  • MAIL FROM: <address> and RCPT TO: <address> compatible to use in datasets, e.g. e-mail blacklist
  • HELO / EHLO: <server> -> dataset blacklist
  • AUTH to detect multiple login attempts
  • Return-Codes
  • Other headers (Subject, Content-Type) in the DATA part, ideally with custom header support

Feel free to add further use cases.

Thanks!


Related issues 4 (4 open0 closed)

Related to Suricata - Feature #776: rules: Add smtp_envelope and smtp_header keywordsAssignedOISF DevActions
Related to Suricata - Task #6473: detect: smtp keyword coverageAssignedVictor JulienActions
Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Related to Suricata - Story #6597: rules: improve rules keyword/output parityNewVictor JulienActions
Actions #1

Updated by Victor Julien over 1 year ago

  • Related to Feature #776: rules: Add smtp_envelope and smtp_header keywords added
Actions #2

Updated by Victor Julien about 1 year ago

  • Related to Task #6473: detect: smtp keyword coverage added
Actions #3

Updated by Victor Julien about 1 year ago

  • Related to Task #6443: Suricon 2023 brainstorm added
Actions #4

Updated by Juliana Fajardini Reichow 4 months ago

  • Related to Story #6597: rules: improve rules keyword/output parity added
Actions

Also available in: Atom PDF