Actions
Feature #6198
openFeature Request: Add "SMTP" keywords for use in rules
Description
Suricata has an app-layer parser / protocol support for SMTP builtin since long time ago, but no keywords are available for use in rules.
This feature request wants to add SMTP keyword support to Suricata, so that these keywords can be used in rules.
To focus development, this ticket also tries to collect some helpful use cases for such SMTP keywords:MAIL FROM: <address>
andRCPT TO: <address>
compatible to use in datasets, e.g. e-mail blacklistHELO / EHLO: <server>
-> dataset blacklistAUTH
to detect multiple login attempts- Return-Codes
- Other headers (
Subject
,Content-Type
) in the DATA part, ideally with custom header support
Feel free to add further use cases.
Thanks!
Updated by Victor Julien over 1 year ago
- Related to Feature #776: rules: Add smtp_envelope and smtp_header keywords added
Updated by Victor Julien about 1 year ago
- Related to Task #6473: detect: smtp keyword coverage added
Updated by Victor Julien about 1 year ago
- Related to Task #6443: Suricon 2023 brainstorm added
Updated by Juliana Fajardini Reichow 4 months ago
- Related to Story #6597: rules: improve rules keyword/output parity added
Actions