[Oisf-devel] DNS/SMTP content modifier fields.

Puranik, Aditya apuranik at visa.com
Tue Mar 26 08:36:47 UTC 2019


Hi OISF team,
We are trying to explore and add new content modifier fields for the SMTP/DNS/SMB protocols. Also, we would like to expand this to other protocols based on our requirements.
At present, Suricata has a very good coverage for HTTP protocol.
https://suricata.readthedocs.io/en/suricata-4.1.2/rules/http-keywords.html
HTTP content modifiers give us better control to write a new rule or to modify existing signatures.

We are planning to have similar modifiers for protocols like SMTP, DNS, SMB.
For example: SMTP packet exchange/flow contains a bunch of fields like mailfrom, rcptto, date, from, to, cc, reply_to, subject, x_originating_ip, user_agent et al.
Something like: alert smtp $EXTERNAL_NET any -> $HOME_NET (content:"username at example.com"; mail_from; sid:1;)
Similar requirements hold good for the other set of protocols mentioned.

We are interested in knowing:

1. What is the right approach to go about adding or modifying the rules with new content modifiers?

2. What is the placeholder in the code if we start adding these new modifiers in the rules?

3. If code changes are needed to implement this functionality, what is the correct approach to accommodate these changes in the existing Suricata design?

Regards,
Aditya
