[Oisf-devel] SMTP MIME-decoder lower-cases URLs / log final server response
Victor Julien
victor at inliniac.net
Thu Mar 5 07:51:45 UTC 2015
On 02/24/2015 05:08 PM, Chris Wakelin wrote:
> I've been using the SMTP decoder options in Suricata dev for a month or
> so and it's proving very useful. However, there's a couple of things
> that would help in the eve JSON output.
>
> 1) (I sent this to the list earlier, but I think it probably got spammed
> as I included a live Upatre URL as an example :-( )
>
> It's set to lower-case URLs before logging them; in
> src/util-decode-mime.c :-
>
>> /* Copy over to temp URL while decoding */
>> tempUrlLen = 0;
>> for (i = 0; i < tokLen && tok[i] != 0; i++) {
>>
>> // URL decoding would probably go here
>>
>> /* url is all lowercase */
>> tempUrl[tempUrlLen] = tolower(tok[i]);
>> tempUrlLen++;
>> }
>>
>> /* Determine if URL points to an EXE */
>> if (IsExeUrl(tempUrl, tempUrlLen)) {
>
> is there a good reason for this?
I'm assuming it's to normalize the URL so it can be de-duplicated more
effectively in post-processing.
But I'm not sure what the reason was; this is a contributed feature :)
> 2) It would be nice if it could log the server response after the DATA
> command completes as it helps with tracking, e.g.:
>
> 250 OK id=1YQ2ub-0004pD-8E
>
> I had a quick look at adding this myself, but got a bit lost in the code!
Yeah, this doesn't look very trivial. Feel free to open a feature ticket.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
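As an added illustration (not Suricata code and not from either poster): a hypothetical variant of the quoted copy loop that folds case only in the scheme and host, which are case-insensitive, so duplicate URLs still collapse in post-processing while the case-sensitive path is logged exactly as seen, plus a suffix check that runs on the unfolded bytes. Function names are assumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical replacement for the all-lowercase copy: fold only the
 * scheme and authority (host[:port]); keep path/query/fragment verbatim.
 * Returns bytes written (excluding NUL), or 0 if out is too small. */
size_t NormalizeUrlCase(const char *url, size_t urlLen, char *out, size_t outLen)
{
    size_t i, authStart = 0, foldEnd;

    if (urlLen + 1 > outLen)
        return 0;

    /* locate "scheme://" if present; it is folded along with the host */
    for (i = 0; i + 2 < urlLen; i++) {
        if (url[i] == ':' && url[i + 1] == '/' && url[i + 2] == '/') {
            authStart = i + 3;
            break;
        }
        if (url[i] == '/' || url[i] == '?' || url[i] == '#')
            break; /* path began before any scheme: treat start as host */
    }

    /* authority ends at the first path, query or fragment delimiter */
    for (foldEnd = authStart; foldEnd < urlLen; foldEnd++) {
        if (url[foldEnd] == '/' || url[foldEnd] == '?' || url[foldEnd] == '#')
            break;
    }

    for (i = 0; i < urlLen; i++)
        out[i] = (i < foldEnd) ? (char)tolower((unsigned char)url[i]) : url[i];
    out[urlLen] = '\0';
    return urlLen;
}

/* Case-insensitive ".exe" suffix check on the original bytes, so the
 * logged URL can keep its case while the detection still fires. */
int UrlHasExeSuffix(const char *url, size_t urlLen)
{
    static const char ext[] = ".exe";
    size_t extLen = sizeof(ext) - 1, i;

    if (urlLen < extLen)
        return 0;
    for (i = 0; i < extLen; i++) {
        if (tolower((unsigned char)url[urlLen - extLen + i]) != ext[i])
            return 0;
    }
    return 1;
}
```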