[Oisf-users] SMTP filemd5 support
Victor Julien
lists at inliniac.net
Wed Apr 6 06:07:19 UTC 2016
On 06-04-16 05:57, Blair Steven wrote:
> Hi all,
>
> I am having some trouble with filemd5 and matching attachments in an
> SMTP transaction.
>
> If the test file (EICAR-Test-File) is the first or second attachment the
> MD5 is correctly detected and the transaction is dropped, but if the
> file is attached later the rule is missed.
>
> I've delved into the code, and there is a mis-match in DetectFileInspect
> between file->txid (0) and det_ctx->tx_id (1) - this means the file
> matching never happens.
>
> From what I can tell this difference comes from freeing the
> SMTPTransaction prior to processing the files (stored on the SMTPState),
> but I can't for the life of me figure out what needs to be done to
> actually get the file processed (and the offending packet dropped).
>
> I'm aware that some of the SMTP file stuff is new and I'm more than
> willing to fix the issue, if I can get some guidance as to what path to
> take.
>
Can you (privately) share a pcap to reproduce?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
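The report above describes filemd5 matching the EICAR test file only when it is the first or second attachment. As an added example that is not from the thread or from Suricata's own code, the following Python script builds a multipart message with N attachments, computes the MD5 of every attachment in MIME order, and checks each one against a filemd5-style list, so a tester can state the expected behaviour (a hit regardless of attachment position) and compare it with what the engine reports. The flagged payload is a constructed stand-in rather than the real EICAR string, and its hash is computed at runtime. The list format assumed here (one lowercase hex MD5 per line, blank lines ignored) is an assumption, not a statement about Suricata's parser.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample payloads (not the EICAR string). The "flagged" one plays
# the role of the attachment the filemd5 list is meant to catch.
FLAGGED_PAYLOAD = b"CONSTRUCTED-TEST-PAYLOAD-standing-in-for-EICAR\n"
BENIGN_PAYLOAD = b"quarterly figures, nothing unusual here\n"


def md5_of(data: bytes) -> str:
    """Lowercase hex MD5, the form a filemd5 list entry would take."""
    return hashlib.md5(data).hexdigest()


def build_smtp_message(attachment_count: int, flagged_index: int) -> bytes:
    """Build a MIME message with `attachment_count` attachments and place the
    flagged payload at 0-based position `flagged_index`. Returns the raw
    bytes as they would travel in the SMTP DATA section (CRLF line endings)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "filemd5 regression test"
    msg.set_content("See attachments.")
    for i in range(attachment_count):
        payload = FLAGGED_PAYLOAD if i == flagged_index else BENIGN_PAYLOAD
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=f"att{i}.bin")
    return msg.as_bytes(policy=policy.SMTP)


def load_filemd5_list(text: str) -> set:
    """Parse a filemd5-style list (assumed format: one hex MD5 per line,
    blank lines ignored) into a set for O(1) lookups."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def attachment_md5s(raw: bytes) -> list:
    """Return [(filename, md5hex), ...] for every attachment, in MIME order.
    Decoding the transfer encoding (base64) happens before hashing, which is
    what a file-inspection engine hashes as well."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    result = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        result.append((part.get_filename(), md5_of(data)))
    return result


def matching_attachments(raw: bytes, md5_list: set) -> list:
    """Indices of attachments whose MD5 is on the list. The expected
    detection behaviour is that every attachment is checked, so the
    position of the flagged file must not affect the result."""
    return [i for i, (_, h) in enumerate(attachment_md5s(raw)) if h in md5_list]


if __name__ == "__main__":
    bad_hashes = load_filemd5_list(md5_of(FLAGGED_PAYLOAD) + "\n")
    # Sweep the flagged file across every position in a 5-attachment message;
    # each run should report exactly that position.
    for pos in range(5):
        raw = build_smtp_message(5, pos)
        print(f"flagged at {pos}: matched indices {matching_attachments(raw, bad_hashes)}")
```

Feeding the generated message bytes into a test harness alongside the engine under test gives a position-by-position comparison: if the engine only reports hits for positions 0 and 1 while this script reports every position, the discrepancy matches the symptom described in the report.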