[Oisf-users] SMTP filemd5 support
Blair Steven
Blair.Steven at alliedtelesis.co.nz
Wed Apr 6 03:57:37 UTC 2016
Hi all,

I am having some trouble with filemd5 and matching attachments in an
SMTP transaction.

If the test file (EICAR-Test-File) is the first or second attachment the
MD5 is correctly detected and the transaction is dropped, but if the
file is attached later the rule is missed.

I've delved into the code, and there is a mismatch in DetectFileInspect
between file->txid (0) and det_ctx->tx_id (1) - this means the file
matching never happens.

From what I can tell this difference comes from freeing the
SMTPTransaction prior to processing the files (stored on the SMTPState),
but I can't for the life of me figure out what needs to be done to
actually get the file processed (and the offending packet dropped).

I'm aware that some of the SMTP file stuff is new and I'm more than
willing to fix the issue, if I can get some guidance as to what path to
take.

Thanks very much
-Blair
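
For anyone reproducing the behaviour reported above, the following is an added example, not part of the original post and not Suricata code: it builds test messages with a marker attachment in each position and produces the md5sum-format line for the list file a filemd5 rule reads. The addresses, filenames and marker payload are assumptions; a constructed payload stands in for the EICAR test file.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for the test file; filemd5 matches on the hash only.
MARKER = b"constructed-filemd5-test-payload\n"


def build_message(total, marker_pos):
    """Return a message with `total` attachments, MARKER at index marker_pos."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # hypothetical addresses
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = f"filemd5 test: marker is attachment {marker_pos + 1} of {total}"
    msg.set_content("filemd5 attachment position test")
    for i in range(total):
        data = MARKER if i == marker_pos else f"benign filler {i}\n".encode()
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=f"file{i}.bin")
    return msg


def attachment_md5s(raw):
    """Parse raw message bytes; return [(filename, md5hex)] in wire order."""
    parsed = message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), hashlib.md5(p.get_payload(decode=True)).hexdigest())
            for p in parsed.iter_attachments()]


def md5_list_line():
    """One md5sum-format line for the list file named by the filemd5 rule."""
    return f"{hashlib.md5(MARKER).hexdigest()}  marker.bin"


def marker_positions(total):
    """Per marker position, index at which the listed MD5 appears after decoding."""
    want = hashlib.md5(MARKER).hexdigest()
    return [[h for _, h in attachment_md5s(build_message(total, pos).as_bytes())]
            .index(want) for pos in range(total)]


if __name__ == "__main__":
    print(md5_list_line())
    # One .eml per marker position, to send through the SMTP path under test.
    for pos in range(4):
        with open(f"marker_at_{pos + 1}.eml", "wb") as fh:
            fh.write(build_message(4, pos).as_bytes())
```

Sending each generated message through the monitored SMTP path shows at which attachment position the rule stops firing.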