Is it possible for Suricata to extract any URLs found in the body of an email?<br> <br> <blockquote style="margin: 0 0 20px 0;"> <header style="font-family:Roboto, sans-serif; color:#6D00F6;"> <div>On Tue, Mar 29, 2016 at 3:54 AM, Christophe Vandeplas</div><div>&lt;christophe@vandeplas.com&gt; wrote:</div> </header> <div style="padding: 10px 0 0 20px; margin: 10px 0 0 0; border-left: 1px solid #6D00F6;"> <div id="msgSandbox_ANuti2IAACQNVvo0swXcALc2BpIw_TEXT" class="msgSandbox" style="padding: 1.5em 0.5em 0.5em 1.2em; word-wrap: break-word;">Hi Tom,<br><br>Thanks for the feedback.<br><br>I can easily extract the stuff using tcpflow or similar. However I was<br>curious if Suri would have been able to.<br><br>Greetings<br>Christophe<br><div class="yQTDBase yqt5766663501" id="yqtfd42598"><br>On 24 March 2016 at 16:40, Tom DeCanio &lt;<a href="mailto:decanio.tom@gmail.com">decanio.tom@gmail.com</a>&gt; wrote:<br>> Christophe;<br>><br>> The code can't write the email (not just the attachments) to disk the way it<br>> exists today. However it wouldn't be difficult to add the capability. In<br>> fact if you compile suricata with SMTP debug flags turned on you'll see<br>> suricata display all sorts of email content. It would be just a matter of<br>> writing out that content somewhere.<br>><br>> Tom<br>><br>> On Thu, Mar 24, 2016 at 2:41 AM Christophe Vandeplas<br>> &lt;<a href="mailto:christophe@vandeplas.com">christophe@vandeplas.com</a>&gt; wrote:<br>>><br>>> Hello there,<br>>><br>>> I already did file extraction on smtp streams, however I'm not sure<br>>> how to extract the smtp payload (the eml).<br>>><br>>> Any advice?<br>>><br>>> Thanks<br>>> Christophe<br>>> _______________________________________________<br>>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>>> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>>> Suricata User Conference November 9-11 in Washington, DC:<br>>> <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a></div></div> </div> </blockquote>
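<p>As an added example (not code from this thread, and not part of Suricata), the script below does the part of the job that the thread leaves to "tcpflow or similar": once the SMTP payload has been carved to an .eml file, it decodes every text part and collects the URLs, both the ones visible in the text and the targets of HTML anchors. The sample message is constructed inline for the demonstration and its host names are placeholders. The point it makes is that the Content-Transfer-Encoding has to be undone first: a URL split by a quoted-printable soft line break, or with its <code>=</code> signs encoded as <code>=3D</code>, is not found by running a regex over the raw wire bytes.</p>

```python
"""Extract URLs from the text bodies of an .eml file (stdlib only).

Added example: assumes the SMTP payload has already been written to disk,
for instance with tcpflow as mentioned in the thread. Run as:
    python extract_eml_urls.py message.eml
"""
import re
import sys
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Absolute http(s) URLs in free text; the match stops at whitespace and at
# the characters that usually delimit a URL in prose or markup.
URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?"

# Constructed sample message (not a real capture). The text/plain part is
# quoted-printable with the invoice URL split across a soft line break and
# its '=' encoded as =3D; the text/html part carries a link whose href is
# not visible as text.
SAMPLE_EML = (
    b"From: Billing <billing@example.test>\r\n"
    b"To: user@example.test\r\n"
    b"Subject: Invoice 42\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Your invoice is ready: http://files.example.test/invoice?id=3D42&token=3Dab=\r\n"
    b"c\r\n"
    b"Regards\r\n"
    b"--b1\r\n"
    b'Content-Type: text/html; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b'<html><body><p>Reset your password <a href="https://login.example.test/reset?u=7">here</a>.</p>\r\n'
    b"<p>Or see http://files.example.test/invoice?id=42&amp;token=abc</p></body></html>\r\n"
    b"--b1--\r\n"
)


class _LinkCollector(HTMLParser):
    """Collects anchor hrefs and the visible text of an HTML body."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True, so &amp; arrives as '&'
        self.hrefs: list[str] = []
        self.text_chunks: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text_chunks.append(data)


def urls_in_text(text: str) -> list[str]:
    """URLs in decoded text, with sentence punctuation stripped from the end."""
    return [m.group(0).rstrip(TRAILING_PUNCT) for m in URL_RE.finditer(text)]


def urls_in_raw_bytes(raw: bytes) -> list[str]:
    """What a naive regex over the undecoded wire bytes would return (for comparison)."""
    return urls_in_text(raw.decode("latin-1"))


def extract_urls(raw_eml: bytes) -> list[str]:
    """Sorted, de-duplicated URLs from every text/* part of the message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    found: set[str] = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # attachments are a separate job (Suricata's file extraction)
        body = part.get_content()  # transfer encoding and charset undone here
        if part.get_content_subtype() == "html":
            collector = _LinkCollector()
            collector.feed(body)
            found.update(h for h in collector.hrefs
                         if h.lower().startswith(("http://", "https://")))
            found.update(urls_in_text("".join(collector.text_chunks)))
        else:
            found.update(urls_in_text(body))
    return sorted(found)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    for url in extract_urls(data):
        print(url)
```

<p>On the constructed sample the script returns the invoice URL once, reassembled, plus the password-reset link that only exists as an href; a regex over the raw bytes instead returns the mangled <code>id=3D42&amp;token=3Dab=</code> fragment and never the real URL. Hand the resulting list to whatever reputation or sandbox check is in use; an anchor whose href differs from its visible text is itself worth flagging.</p>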