/* Inspect-buffer ids, one per MIME e-mail keyword (email.from, email.subject,
 * email.to, email.cc, email.date, email.message_id, email.x_mailer, email.url,
 * email.received, email.body_md5). Each is zero until the keyword is
 * registered; the registration code below is presumed to assign the real id
 * for each buffer — confirm against the register function, which lies
 * outside this excerpt. Note that email.body_md5 is only registered when
 * body MD5 hashing is not disabled, so its id may legitimately stay 0. */
27 static int g_mime_email_from_buffer_id = 0;
28 static int g_mime_email_subject_buffer_id = 0;
29 static int g_mime_email_to_buffer_id = 0;
30 static int g_mime_email_cc_buffer_id = 0;
31 static int g_mime_email_date_buffer_id = 0;
32 static int g_mime_email_message_id_buffer_id = 0;
33 static int g_mime_email_x_mailer_buffer_id = 0;
34 static int g_mime_email_url_buffer_id = 0;
35 static int g_mime_email_received_buffer_id = 0;
36 static int g_mime_email_body_md5_buffer_id = 0;
49 static bool GetMimeEmailFromData(
50 const void *txv,
const uint8_t _flow_flags,
const uint8_t **data, uint32_t *data_len)
55 return (SCDetectMimeEmailGetData(tx->
mime_state, data, data_len,
"from") == 1);
69 static bool GetMimeEmailSubjectData(
70 const void *txv,
const uint8_t _flow_flags,
const uint8_t **data, uint32_t *data_len)
75 return (SCDetectMimeEmailGetData(tx->
mime_state, data, data_len,
"subject") == 1);
89 static bool GetMimeEmailToData(
90 const void *txv,
const uint8_t _flow_flags,
const uint8_t **data, uint32_t *data_len)
95 return (SCDetectMimeEmailGetData(tx->
mime_state, data, data_len,
"to") == 1);
109 static bool GetMimeEmailCcData(
110 const void *txv,
const uint8_t _flow_flags,
const uint8_t **data, uint32_t *data_len)
115 return (SCDetectMimeEmailGetData(tx->
mime_state, data, data_len,
"cc") == 1);
129 static bool GetMimeEmailDateData(
130 const void *txv,
const uint8_t _flow_flags,
const uint8_t **data, uint32_t *data_len)
135 return (SCDetectMimeEmailGetData(tx->
mime_state, data, data_len,
"date") == 1);
149 static bool GetMimeEmailMessageIdData(
150 const void *txv,
const uint8_t _flow_flags,
const uint8_t **data, uint32_t *data_len)
155 return (SCDetectMimeEmailGetData(tx->
mime_state, data, data_len,
"message-id") == 1);
169 static bool GetMimeEmailXMailerData(
170 const void *txv,
const uint8_t _flow_flags,
const uint8_t **data, uint32_t *data_len)
175 return (SCDetectMimeEmailGetData(tx->
mime_state, data, data_len,
"x-mailer") == 1);
190 const uint8_t
flags, uint32_t idx,
const uint8_t **buf, uint32_t *buf_len)
197 if (SCDetectMimeEmailGetUrl(tx->
mime_state, buf, buf_len, idx) != 1) {
215 const uint8_t
flags, uint32_t idx,
const uint8_t **buf, uint32_t *buf_len)
223 if (SCDetectMimeEmailGetDataArray(tx->
mime_state, buf, buf_len,
"received", idx) != 1) {
239 if (!MimeBodyMd5IsEnabled()) {
241 SCMimeSmtpConfigBodyMd5(
true);
247 static bool GetMimeEmailBodyMd5Data(
248 const void *txv,
const uint8_t _flow_flags,
const uint8_t **data, uint32_t *data_len)
254 SCDetectMimeEmailGetBodyMd5(tx->
mime_state, data, data_len);
263 kw.
name =
"email.from";
264 kw.
desc =
"'From' field from an email";
265 kw.
url =
"/rules/email-keywords.html#email.from";
266 kw.
Setup = DetectMimeEmailFromSetup;
270 "email.from",
"MIME EMAIL FROM",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailFromData);
272 kw.
name =
"email.subject";
273 kw.
desc =
"'Subject' field from an email";
274 kw.
url =
"/rules/email-keywords.html#email.subject";
275 kw.
Setup = DetectMimeEmailSubjectSetup;
279 "MIME EMAIL SUBJECT",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailSubjectData);
281 kw.
name =
"email.to";
282 kw.
desc =
"'To' field from an email";
283 kw.
url =
"/rules/email-keywords.html#email.to";
284 kw.
Setup = DetectMimeEmailToSetup;
288 "email.to",
"MIME EMAIL TO",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailToData);
290 kw.
name =
"email.cc";
291 kw.
desc =
"'Cc' field from an email";
292 kw.
url =
"/rules/email-keywords.html#email.cc";
293 kw.
Setup = DetectMimeEmailCcSetup;
297 "email.cc",
"MIME EMAIL CC",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailCcData);
299 kw.
name =
"email.date";
300 kw.
desc =
"'Date' field from an email";
301 kw.
url =
"/rules/email-keywords.html#email.date";
302 kw.
Setup = DetectMimeEmailDateSetup;
306 "email.date",
"MIME EMAIL DATE",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailDateData);
308 kw.
name =
"email.message_id";
309 kw.
desc =
"'Message-Id' field from an email";
310 kw.
url =
"/rules/email-keywords.html#email.message_id";
311 kw.
Setup = DetectMimeEmailMessageIdSetup;
315 "MIME EMAIL Message-Id",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailMessageIdData);
317 kw.
name =
"email.x_mailer";
318 kw.
desc =
"'X-Mailer' field from an email";
319 kw.
url =
"/rules/email-keywords.html#email.x_mailer";
320 kw.
Setup = DetectMimeEmailXMailerSetup;
324 "MIME EMAIL X-Mailer",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailXMailerData);
326 kw.
name =
"email.url";
327 kw.
desc =
"'Url' extracted from an email";
328 kw.
url =
"/rules/email-keywords.html#email.url";
329 kw.
Setup = DetectMimeEmailUrlSetup;
333 "email.url",
"MIME EMAIL URL",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailUrlData);
335 kw.
name =
"email.received";
336 kw.
desc =
"'Received' field from an email";
337 kw.
url =
"/rules/email-keywords.html#email.received";
338 kw.
Setup = DetectMimeEmailReceivedSetup;
342 "MIME EMAIL RECEIVED",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailReceivedData);
344 if (!MimeBodyMd5IsDisabled()) {
346 kw.
name =
"email.body_md5";
347 kw.
desc =
"'md5' hash generated from an email body";
348 kw.
url =
"/rules/email-keywords.html#email.body_md5";
349 kw.
Setup = DetectMimeEmailBodyMd5Setup;
355 "MIME EMAIL BODY MD5",
ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailBodyMd5Data);