Feature #776
open
Task #6473: detect: smtp keyword coverage
rules: Add smtp_envelope and smtp_header keywords
Added by David André over 11 years ago.
Updated 12 months ago.
Description
Add smtp_envelope and smtp_header keywords.
The envelope is composed of the communication before the DATA segment (example at http://en.wikipedia.org/wiki/SMTP#SMTP_transport_example) and the header is the part of the email content before the mail body (which should be anything between DATA and the first occurrence of CR LF CR LF).
The idea is to allow rules searching for email addresses, mail user-agents, etc., while not matching on the same pattern(s) being discussed in an email body.
I have some test code for this, let me try to find it and see if it is in usable shape.
Email subject and attachment names are also very interesting keywords
Do consider that the data needs to be normalized, as the data:
- can be split over multiple lines
- can be encoded following RFC2047 (From: =?US-ASCII?Q?Keith_Moore?= <moore@cs.utk.edu>, Subject: =?ISO-8859-1?B?SWYgeW91IGNhbiByZWFkIHRoaXMgeW8=?=)
- Target version set to TBD
- Assignee changed from OISF Dev to Anonymous
- Effort set to medium
- Difficulty set to low
- Assignee set to Community Ticket
- Related to Task #4097: Suricon 2020 brainstorm added
- Subject changed from Add smtp_envelope and smtp_header keywords to rules: Add smtp_envelope and smtp_header keywords
- Status changed from New to Assigned
- Assignee changed from Community Ticket to OISF Dev
- Effort deleted (medium)
- Difficulty deleted (low)
- Related to Feature #6198: Feature Request: Add "SMTP" keywords for use in rules added