[Oisf-users] SMTP payload /eml extraction

Stephen Castellarin castle1126 at yahoo.com
Thu Jul 14 20:52:46 UTC 2016


Is it possible for Suricata to extract any urls found in the body of an email?
 
 
On Tue, Mar 29, 2016 at 3:54 AM, Christophe Vandeplas <christophe at vandeplas.com> wrote:

Hi Tom,

Thanks for the feedback.

I can easily extract the stuff using tcpflow or similar. However I was
curious if Suri would have been able to.

Greetings
Christophe

On 24 March 2016 at 16:40, Tom DeCanio <decanio.tom at gmail.com> wrote:
> Christophe;
>
> The code can't write the email (not just the attachments) to disk the way it
> exists today.  However it wouldn't be difficult to add the capability.  In
> fact if you compile suricata with SMTP debug flags turned on you'll see
> suricata display all sorts of email content.  It would be just a matter of
> writing out that content somewhere.
>
> Tom
>
> On Thu, Mar 24, 2016 at 2:41 AM Christophe Vandeplas
> <christophe at vandeplas.com> wrote:
>>
>> Hello there,
>>
>>
>> I already did file extraction on smtp streams, however I'm not sure
>> how to extract the smtp payload (the eml).
>>
>> Any advice?
>>
>>
>> Thanks
>> Christophe
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://oisfevents.net