[Oisf-devel] SMTP MIME-decoder lower-cases URLs

Chris Wakelin c.d.wakelin at reading.ac.uk
Fri Jan 16 19:21:20 UTC 2015


I've been trying out the new SMTP decoder options in Suricata dev. It's
doing very useful work extracting metadata and URIs from e-mail messages
floating past, but unfortunately it's set to lower-case the latter which
has led to me wasting some time when trying to analyse some of the
recent Upatre (-> Dyre banking trojan) links in e-mails (that are
otherwise hard to spot).

Is there a good reason for this behaviour?

The relevant code in src/util-decode-mime.c:

>                 /* Copy over to temp URL while decoding */
>                 tempUrlLen = 0;
>                 for (i = 0; i < tokLen && tok[i] != 0; i++) {
>                     // URL decoding would probably go here
>                     /* url is all lowercase */
>                     tempUrl[tempUrlLen] = tolower(tok[i]);
>                     tempUrlLen++;
>                 }
>                 /* Determine if URL points to an EXE */
>                 if (IsExeUrl(tempUrl, tempUrlLen)) {

suggests it is deliberate!

Best Wishes,

Typical eve.json entry (anonymised/defanged a bit):

"flow_id":9690432896,"in_iface":"zc:1 at 12","event_type":"smtp",
"smtp":{"from":"<donotreply at iloydsbank[.]co[.]uk>",
"to":["<someone at reading.ac.uk>"],
"subject":"Important information about your account",

The malicious URLs actually had "/LLOYDS_BANK_NOTIFICATION/" in them.

Best Wishes,

P.S. This was running git master as of 14th January - I've just upgraded
to yesterday's :-)

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
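One way to keep the original casing of the extracted URL for logging while still doing the case-insensitive executable check that the lower-casing in the quoted loop appears intended to support. This is an added C example, not Suricata code and not from the poster; url_points_to_exe() and copy_url_preserving_case() are hypothetical helpers, and the sample URL is constructed.

```c
/* Added example (not Suricata code): preserve URL case for the eve.json
 * record, and do the ".exe" test case-insensitively on the same buffer. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_URL 256

/* Case-insensitive test for a path ending in ".exe", ignoring any query
 * string or fragment. Hypothetical helper, not Suricata's IsExeUrl(). */
int url_points_to_exe(const char *url, size_t len)
{
    size_t end = len;
    for (size_t i = 0; i < len; i++) {
        if (url[i] == '?' || url[i] == '#') { end = i; break; }
    }
    if (end < 4) return 0;
    const char *ext = url + end - 4;
    return ext[0] == '.' && tolower((unsigned char)ext[1]) == 'e'
        && tolower((unsigned char)ext[2]) == 'x'
        && tolower((unsigned char)ext[3]) == 'e';
}

/* Copy tok into out without altering case and NUL-terminate it; returns
 * the copied length. The quoted decoder loop applied tolower() here. */
size_t copy_url_preserving_case(const char *tok, size_t tokLen,
                                char *out, size_t outSize)
{
    size_t n = 0;
    while (n < tokLen && n + 1 < outSize && tok[n] != '\0') {
        out[n] = tok[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample, modelled on the defanged path in the post. */
    const char *tok = "http://example.invalid/LLOYDS_BANK_NOTIFICATION/Statement.EXE";
    char url[MAX_URL];
    size_t len = copy_url_preserving_case(tok, strlen(tok), url, sizeof url);
    printf("logged url : %s\n", url);          /* case kept for the analyst */
    printf("exe check  : %d\n", url_points_to_exe(url, len));
    return 0;
}
```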
