Feature #885
closedUpdated by Victor Julien over 11 years ago
We should probably inspect the decoded attachments with it, like Snort does: "When the traffic is SMTP the file_data points to the decoded attachments when decoding is enabled for those preprocessors, otherwise to the entire data body." http://blog.snort.org/2011/08/snort-291-where-does-filedata-point.html
Updated by Anoop Saldanha over 11 years ago
- headers
- raw_headers
- envelope.from
- envelope.to
to start with. Won't be hard to support these.
Let's start with file_data first of course.
Updated by Will Metcalf almost 11 years ago
This has been TBD'd?!?! Wheres Peter? I need a shoulder to cry on. We need this.
Updated by Eoin Miller almost 11 years ago
This type of functionality would be VERY useful for creating alerting based on spammed out/speared attacks coming in via SMTP. Without this, currently you are unable to even create IDS alerting for .exe files, encrypted zip files, etc that are coming to your users through the mail flow.
Updated by Victor Julien almost 11 years ago
- Target version changed from TBD to 3.0RC2
- Parent task set to #549
This depends on #549.
Updated by Victor Julien about 10 years ago
- Assignee changed from Anoop Saldanha to Victor Julien
- Target version changed from 3.0RC2 to 2.1beta2
Updated by Victor Julien about 10 years ago
- Target version changed from 2.1beta2 to 2.1beta3
Updated by Victor Julien almost 10 years ago
- Target version changed from 2.1beta3 to 2.1beta4
Updated by Victor Julien over 9 years ago
- Status changed from Assigned to Closed
- Assignee changed from Victor Julien to Giuseppe Longo