56 #define LOG_EMAIL_DEFAULT 0
57 #define LOG_EMAIL_EXTENDED (1<<0)
58 #define LOG_EMAIL_ARRAY (1<<1)
59 #define LOG_EMAIL_COMMA (1<<2)
60 #define LOG_EMAIL_BODY_MD5 (1<<3)
61 #define LOG_EMAIL_SUBJECT_MD5 (1<<4)
87 static inline char *SkipWhiteSpaceTill(
char *p,
char *savep)
93 while (((*sp ==
'\t') || (*sp ==
' ')) && (sp < savep)) {
99 static bool EveEmailJsonArrayFromCommaList(JsonBuilder *js,
const uint8_t *val,
size_t len)
105 if (
likely(to_line != NULL)) {
106 p = strtok_r(to_line,
",", &savep);
111 sp = SkipWhiteSpaceTill(p, savep);
112 jb_append_string(js, sp);
113 while ((p = strtok_r(NULL,
",", &savep)) != NULL) {
114 sp = SkipWhiteSpaceTill(p, savep);
115 jb_append_string(js, sp);
128 if (entity == NULL) {
134 SCMd5HashBufferToHex((uint8_t *)field->
value, field->
value_len, smd5,
sizeof(smd5));
135 jb_set_string(js,
"subject_md5", smd5);
145 for (i = 0, x = 0; x <
sizeof(mime_state->
md5); x++) {
146 i += snprintf(s + i, 255 - i,
"%02x", mime_state->
md5[x]);
148 jb_set_string(js,
"body_md5", s);
153 static int JsonEmailAddToJsonArray(
const uint8_t *val,
size_t len,
void *data)
155 JsonBuilder *ajs = data;
160 jb_append_string(ajs, value);
168 JsonBuilderMark mark = { 0, 0, 0 };
171 if (entity == NULL) {
176 if (((email_ctx->
fields & (1ULL<<f)) != 0)
181 jb_get_mark(js, &mark);
187 jb_restore_mark(js, &mark);
192 jb_get_mark(js, &mark);
194 if (EveEmailJsonArrayFromCommaList(js, field->
value, field->
value_len)) {
197 jb_restore_mark(js, &mark);
218 static bool EveEmailLogJsonData(
const Flow *f,
void *state,
void *vtx, uint64_t tx_id, JsonBuilder *sjs)
223 JsonBuilderMark mark = { 0, 0, 0 };
230 if (smtp_state == NULL) {
231 SCLogDebug(
"no smtp state, so no request logging");
238 SCLogDebug(
"lets go mime_state %p, entity %p, state_flag %u", mime_state, entity, mime_state ? mime_state->
state_flag : 0);
244 if ((mime_state != NULL)) {
245 if (entity == NULL) {
260 char * sp = SkipWhiteSpaceTill(s, s + strlen(s));
261 jb_set_string(sjs,
"from", sp);
269 jb_get_mark(sjs, &mark);
270 jb_open_array(sjs,
"to");
271 if (EveEmailJsonArrayFromCommaList(sjs, field->
value, field->
value_len)) {
274 jb_restore_mark(sjs, &mark);
281 jb_get_mark(sjs, &mark);
282 jb_open_array(sjs,
"cc");
283 if (EveEmailJsonArrayFromCommaList(sjs, field->
value, field->
value_len)) {
286 jb_restore_mark(sjs, &mark);
297 JsonBuilder *js_attch = jb_new_array();
298 JsonBuilder *js_url = jb_new_array();
301 for (url = entity->
url_list; url != NULL; url = url->
next) {
305 jb_append_string(js_url, s);
311 for (entity = entity->
child; entity != NULL; entity = entity->
next) {
316 jb_append_string(js_attch, s);
322 for (url = entity->
url_list; url != NULL; url = url->
next) {
326 jb_append_string(js_url, s);
335 jb_set_object(sjs,
"attachment", js_attch);
340 jb_set_object(sjs,
"url", js_url);
354 JsonBuilderMark mark = { 0, 0, 0 };
356 jb_get_mark(js, &mark);
357 jb_open_object(js,
"email");
358 if (!EveEmailLogJsonData(f, state, vtx, tx_id, js)) {
359 jb_restore_mark(js, &mark);
364 EveEmailLogJSONCustom(email_ctx, js, tx);
367 EveEmailLogJSONMd5(email_ctx, js, tx);
380 return EveEmailLogJsonData(f, smtp_state, tx, tx_id, js);
392 if (extended != NULL) {
411 email_ctx->
fields |= (1ULL<<f);
420 email_ctx->
flags = 0;
426 if (strcmp(
"body", field->
val) == 0) {
427 SCLogInfo(
"Going to log the md5 sum of email body");
430 if (strcmp(
"subject", field->
val) == 0) {
431 SCLogInfo(
"Going to log the md5 sum of email subject");