[Oisf-devel] SMTP MIME-decoder lower-cases URLs / log final server response
Chris Wakelin
c.d.wakelin at reading.ac.uk
Tue Feb 24 16:08:38 UTC 2015
I've been using the SMTP decoder options in Suricata dev for a month or
so and it's proving very useful. However, there are a couple of things
that would help in the eve JSON output.
1) (I sent this to the list earlier, but I think it probably got spammed
as I included a live Upatre URL as an example :-( )
It's set to lower-case URLs before logging them; in
src/util-decode-mime.c :-
> /* Copy over to temp URL while decoding */
> tempUrlLen = 0;
> for (i = 0; i < tokLen && tok[i] != 0; i++) {
>
> // URL decoding would probably go here
>
> /* url is all lowercase */
> tempUrl[tempUrlLen] = tolower(tok[i]);
> tempUrlLen++;
> }
>
> /* Determine if URL points to an EXE */
> if (IsExeUrl(tempUrl, tempUrlLen)) {
Is there a good reason for this?
2) It would be nice if it could log the server response after the DATA
command completes as it helps with tracking, e.g.:
250 OK id=1YQ2ub-0004pD-8E
I had a quick look at adding this myself, but got a bit lost in the code!
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
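An added illustration of the point behind question 1, written for this page and not code from Suricata or from the poster: scheme and host of a URL are case-insensitive but the path is not (RFC 3986), so a logger that lower-cases before writing the eve record loses the bytes a defender would later match against a blocklist or replay. The extractor below keeps the URL exactly as found in the message text and performs the "points to an EXE" test case-insensitively instead, which is all the decoder's check needs. The function names, the URL_MAX limit, the choice to test only the ".exe" extension and the sample message body are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_MAX 256

/* Added example, not Suricata's util-decode-mime.c: the URL is stored as
 * found (path case preserved) and only the extension check is
 * case-insensitive. */

/* Case-insensitive prefix test; returns 1 if buf (len bytes) starts with
 * the NUL-terminated, lower-case prefix. */
static int has_prefix_ci(const char *buf, size_t len, const char *prefix)
{
    size_t pl = strlen(prefix);
    if (len < pl)
        return 0;
    for (size_t i = 0; i < pl; i++) {
        if (tolower((unsigned char)buf[i]) != (unsigned char)prefix[i])
            return 0;
    }
    return 1;
}

/* Returns 1 if the URL's path ends in ".exe", ignoring case and any query
 * string or fragment. The URL itself is left untouched. */
int url_points_to_exe(const char *url, size_t len)
{
    size_t pathlen = len;
    for (size_t i = 0; i < len; i++) {
        if (url[i] == '?' || url[i] == '#') {
            pathlen = i;
            break;
        }
    }
    if (pathlen < 4)
        return 0;
    return has_prefix_ci(url + pathlen - 4, 4, ".exe");
}

/* Extracts http(s) URLs from a text buffer, preserving their case. A URL
 * runs until whitespace or one of < > " ' and is copied into out[n]
 * (truncated to URL_MAX-1 bytes). Returns the number of URLs stored. */
int extract_urls(const char *buf, size_t len, char out[][URL_MAX], int max)
{
    int n = 0;
    size_t i = 0;
    while (i < len && n < max) {
        if (has_prefix_ci(buf + i, len - i, "http://") ||
            has_prefix_ci(buf + i, len - i, "https://")) {
            size_t k = 0;
            while (i < len && !isspace((unsigned char)buf[i]) &&
                   strchr("<>\"'", buf[i]) == NULL) {
                if (k < URL_MAX - 1)
                    out[n][k++] = buf[i];
                i++;
            }
            out[n][k] = '\0';
            n++;
        } else {
            i++;
        }
    }
    return n;
}

/* Constructed sample text part (not a real message); results land in g_urls. */
static char g_urls[8][URL_MAX];
int scan_sample(void)
{
    const char *body =
        "Please see the attached invoice:\r\n"
        "<http://Example.test/Files/Invoice.EXE?dl=1>\r\n"
        "Notes: http://example.test/readme.txt\r\n";
    return extract_urls(body, strlen(body), g_urls, 8);
}

int main(void)
{
    int n = scan_sample();
    for (int i = 0; i < n; i++)
        printf("%s exe=%d\n", g_urls[i],
               url_points_to_exe(g_urls[i], strlen(g_urls[i])));
    return 0;
}
```

Running it prints the two URLs with their original mixed case and flags only the first as pointing to an executable, which is the behaviour a logger can have without lower-casing what it records.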
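For question 2, an added example (again not Suricata's code) of the one detail that catches people who try to log "the server response after DATA": an SMTP reply may span several lines, where "250-text" continues the reply and "250 text" ends it (RFC 5321), so the logger has to keep feeding lines until the terminating one and record that final line. The struct, function names and the two-line sample reply are assumptions of this example; the queue id in the sample is the one quoted in the mail above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Suricata's code: accumulate a (possibly multi-line)
 * SMTP reply and expose the code and the text of its terminating line. */
struct smtp_reply {
    int code;          /* three-digit reply code, e.g. 250 */
    char text[256];    /* text of the last line seen, e.g. "OK id=..." */
    int complete;      /* 1 once the terminating "NNN " line has arrived */
};

/* Feeds one reply line (without CRLF). Returns 1 when the reply is now
 * complete, 0 if more lines are expected, -1 if the line is malformed. */
int smtp_reply_feed(struct smtp_reply *r, const char *line, size_t len)
{
    if (len < 3 || !isdigit((unsigned char)line[0]) ||
        !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
        return -1;
    int code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    if (r->code != 0 && r->code != code)
        return -1;                  /* code changed in the middle of a reply */
    r->code = code;
    if (len == 3) {                 /* bare "NNN" terminates the reply */
        r->text[0] = '\0';
        r->complete = 1;
        return 1;
    }
    if (line[3] != ' ' && line[3] != '-')
        return -1;
    size_t tl = len - 4;
    if (tl > sizeof(r->text) - 1)
        tl = sizeof(r->text) - 1;
    memcpy(r->text, line + 4, tl);
    r->text[tl] = '\0';
    r->complete = (line[3] == ' ');
    return r->complete;
}

/* Constructed two-line reply as a server might send after DATA (not a
 * capture). Returns the final reply code, or -1 if the reply never
 * completed; the parsed reply is left in g_reply. */
static struct smtp_reply g_reply;
int parse_sample_reply(void)
{
    const char *lines[] = { "250-Message accepted",
                            "250 OK id=1YQ2ub-0004pD-8E" };
    memset(&g_reply, 0, sizeof(g_reply));
    for (size_t i = 0; i < 2; i++) {
        int rc = smtp_reply_feed(&g_reply, lines[i], strlen(lines[i]));
        if (rc != 0)
            break;
    }
    return g_reply.complete ? g_reply.code : -1;
}

int main(void)
{
    int code = parse_sample_reply();
    printf("final reply: %d %s\n", code, g_reply.text);
    return 0;
}
```

The continuation line is consumed without completing the reply; only the "250 OK id=..." line sets complete, so that is the line whose text would go into the eve record.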