55 #define LOG_EMAIL_DEFAULT 0
56 #define LOG_EMAIL_EXTENDED (1<<0)
57 #define LOG_EMAIL_ARRAY (1<<1)
58 #define LOG_EMAIL_COMMA (1<<2)
59 #define LOG_EMAIL_BODY_MD5 (1<<3)
60 #define LOG_EMAIL_SUBJECT_MD5 (1<<4)
86 static inline char *SkipWhiteSpaceTill(
char *p,
char *savep)
92 while (((*sp ==
'\t') || (*sp ==
' ')) && (sp < savep)) {
98 static bool EveEmailJsonArrayFromCommaList(JsonBuilder *js,
const uint8_t *val,
size_t len)
104 if (
likely(to_line != NULL)) {
105 p = strtok_r(to_line,
",", &savep);
110 sp = SkipWhiteSpaceTill(p, savep);
111 jb_append_string(js, sp);
112 while ((p = strtok_r(NULL,
",", &savep)) != NULL) {
113 sp = SkipWhiteSpaceTill(p, savep);
114 jb_append_string(js, sp);
127 if (entity == NULL) {
133 SCMd5HashBufferToHex((uint8_t *)field->
value, field->
value_len, smd5,
sizeof(smd5));
134 jb_set_string(js,
"subject_md5", smd5);
144 for (i = 0, x = 0; x <
sizeof(mime_state->
md5); x++) {
145 i += snprintf(s + i, 255 - i,
"%02x", mime_state->
md5[x]);
147 jb_set_string(js,
"body_md5", s);
152 static int JsonEmailAddToJsonArray(
const uint8_t *val,
size_t len,
void *data)
154 JsonBuilder *ajs = data;
159 jb_append_string(ajs, value);
167 JsonBuilderMark mark = { 0, 0, 0 };
170 if (entity == NULL) {
175 if (((email_ctx->
fields & (1ULL<<f)) != 0)
180 jb_get_mark(js, &mark);
186 jb_restore_mark(js, &mark);
191 jb_get_mark(js, &mark);
193 if (EveEmailJsonArrayFromCommaList(js, field->
value, field->
value_len)) {
196 jb_restore_mark(js, &mark);
217 static bool EveEmailLogJsonData(
const Flow *f,
void *state,
void *vtx, uint64_t tx_id, JsonBuilder *sjs)
222 JsonBuilderMark mark = { 0, 0, 0 };
229 if (smtp_state == NULL) {
230 SCLogDebug(
"no smtp state, so no request logging");
237 SCLogDebug(
"lets go mime_state %p, entity %p, state_flag %u", mime_state, entity, mime_state ? mime_state->
state_flag : 0);
243 if ((mime_state != NULL)) {
244 if (entity == NULL) {
259 char * sp = SkipWhiteSpaceTill(s, s + strlen(s));
260 jb_set_string(sjs,
"from", sp);
268 jb_get_mark(sjs, &mark);
269 jb_open_array(sjs,
"to");
270 if (EveEmailJsonArrayFromCommaList(sjs, field->
value, field->
value_len)) {
273 jb_restore_mark(sjs, &mark);
280 jb_get_mark(sjs, &mark);
281 jb_open_array(sjs,
"cc");
282 if (EveEmailJsonArrayFromCommaList(sjs, field->
value, field->
value_len)) {
285 jb_restore_mark(sjs, &mark);
296 JsonBuilder *js_attch = jb_new_array();
297 JsonBuilder *js_url = jb_new_array();
300 for (url = entity->
url_list; url != NULL; url = url->
next) {
304 jb_append_string(js_url, s);
310 for (entity = entity->
child; entity != NULL; entity = entity->
next) {
315 jb_append_string(js_attch, s);
321 for (url = entity->
url_list; url != NULL; url = url->
next) {
325 jb_append_string(js_url, s);
334 jb_set_object(sjs,
"attachment", js_attch);
339 jb_set_object(sjs,
"url", js_url);
353 JsonBuilderMark mark = { 0, 0, 0 };
355 jb_get_mark(js, &mark);
356 jb_open_object(js,
"email");
357 if (!EveEmailLogJsonData(f, state, vtx, tx_id, js)) {
358 jb_restore_mark(js, &mark);
363 EveEmailLogJSONCustom(email_ctx, js, tx);
366 EveEmailLogJSONMd5(email_ctx, js, tx);
379 return EveEmailLogJsonData(f, smtp_state, tx, tx_id, js);
391 if (extended != NULL) {
410 email_ctx->
fields |= (1ULL<<f);
419 email_ctx->
flags = 0;
425 if (strcmp(
"body", field->
val) == 0) {
426 SCLogInfo(
"Going to log the md5 sum of email body");
429 if (strcmp(
"subject", field->
val) == 0) {
430 SCLogInfo(
"Going to log the md5 sum of email subject");