<div dir="ltr"><div><div>Christophe;<br><br></div>The code can't write the email (not just the attachments) to disk the way it exists today.  However it wouldn't be difficult to add the capability.  In fact if you compile suricata with SMTP debug flags turned on you'll see suricata display all sorts of email content.  It would be just a matter of writing out that content somewhere.<br><br></div>Tom<br></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Mar 24, 2016 at 2:41 AM Christophe Vandeplas <<a href="mailto:christophe@vandeplas.com">christophe@vandeplas.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello there,<br>
<br>
<br>
I already did file extraction on smtp streams, however I'm not sure<br>
how to extract the smtp payload (the eml).<br>
<br>
Any advice?<br>
<br>
<br>
Thanks<br>
Christophe<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a></blockquote></div>