/*
 * Option bits for the e-mail logger. Every non-default value is a distinct
 * single bit, so the values can be OR-ed together and tested with '&'.
 * NOTE(review): presumably these are the bits kept in email_ctx->flags, but
 * the code that sets and tests them is not visible here -- confirm.
 */
/* No option bits set. */
55 #define LOG_EMAIL_DEFAULT 0
/* Bit 0. NOTE(review): presumably selects the "extended" field set -- confirm. */
56 #define LOG_EMAIL_EXTENDED (1<<0)
/* Bit 1. NOTE(review): presumably emits a header value as a JSON array -- confirm. */
57 #define LOG_EMAIL_ARRAY (1<<1)
/*
 * Bit 2. NOTE(review): presumably marks a header value as a comma-separated
 * list to be split into array entries -- confirm against the field table.
 */
58 #define LOG_EMAIL_COMMA (1<<2)
/*
 * Bit 3. NOTE(review): presumably enables the "body_md5" output key.
 * MD5 is not collision resistant: use the logged digest to correlate
 * messages, not as evidence that a body is unmodified.
 */
59 #define LOG_EMAIL_BODY_MD5 (1<<3)
/*
 * Bit 4. NOTE(review): presumably enables the "subject_md5" output key.
 * The same MD5 caveat applies: a correlation key, not an integrity check.
 */
60 #define LOG_EMAIL_SUBJECT_MD5 (1<<4)
86 static inline char *SkipWhiteSpaceTill(
char *p,
char *savep)
92 while (((*sp ==
'\t') || (*sp ==
' ')) && (sp < savep)) {
98 static bool EveEmailJsonArrayFromCommaList(JsonBuilder *js,
const uint8_t *val,
size_t len)
104 if (
likely(to_line != NULL)) {
105 p = strtok_r(to_line,
",", &savep);
110 sp = SkipWhiteSpaceTill(p, savep);
111 jb_append_string(js, sp);
112 while ((p = strtok_r(NULL,
",", &savep)) != NULL) {
113 sp = SkipWhiteSpaceTill(p, savep);
114 jb_append_string(js, sp);
127 if (entity == NULL) {
132 char smd5[SC_MD5_HEX_LEN + 1];
133 SCMd5HashBufferToHex((uint8_t *)field->
value, field->
value_len, smd5,
sizeof(smd5));
134 jb_set_string(js,
"subject_md5", smd5);
141 jb_set_hex(js,
"body_md5", mime_state->
md5, (uint32_t)
sizeof(mime_state->
md5));
146 static int JsonEmailAddToJsonArray(
const uint8_t *val,
size_t len,
void *data)
148 JsonBuilder *ajs = data;
152 jb_append_string_from_bytes(ajs, val, (uint32_t)
len);
159 JsonBuilderMark mark = { 0, 0, 0 };
162 if (entity == NULL) {
167 if (((email_ctx->
fields & (1ULL<<f)) != 0)
172 jb_get_mark(js, &mark);
178 jb_restore_mark(js, &mark);
183 jb_get_mark(js, &mark);
185 if (EveEmailJsonArrayFromCommaList(js, field->
value, field->
value_len)) {
188 jb_restore_mark(js, &mark);
194 jb_set_string_from_bytes(
205 static bool EveEmailLogJsonData(
const Flow *f,
void *state,
void *vtx, uint64_t tx_id, JsonBuilder *sjs)
210 JsonBuilderMark mark = { 0, 0, 0 };
217 if (smtp_state == NULL) {
218 SCLogDebug(
"no smtp state, so no request logging");
225 SCLogDebug(
"lets go mime_state %p, entity %p, state_flag %u", mime_state, entity, mime_state ? mime_state->
state_flag : 0);
231 if ((mime_state != NULL)) {
232 if (entity == NULL) {
247 char * sp = SkipWhiteSpaceTill(s, s + strlen(s));
248 jb_set_string(sjs,
"from", sp);
256 jb_get_mark(sjs, &mark);
257 jb_open_array(sjs,
"to");
258 if (EveEmailJsonArrayFromCommaList(sjs, field->
value, field->
value_len)) {
261 jb_restore_mark(sjs, &mark);
268 jb_get_mark(sjs, &mark);
269 jb_open_array(sjs,
"cc");
270 if (EveEmailJsonArrayFromCommaList(sjs, field->
value, field->
value_len)) {
273 jb_restore_mark(sjs, &mark);
284 JsonBuilder *js_attach = jb_new_array();
285 JsonBuilder *js_url = jb_new_array();
288 bool has_ipv6_url =
false;
289 bool has_ipv4_url =
false;
290 bool has_exe_url =
false;
291 for (url = entity->
url_list; url != NULL; url = url->
next) {
292 jb_append_string_from_bytes(js_url, url->
url, url->
url_len);
301 jb_set_bool(sjs,
"has_ipv6_url", has_ipv6_url);
302 jb_set_bool(sjs,
"has_ipv4_url", has_ipv4_url);
303 jb_set_bool(sjs,
"has_exe_url", has_exe_url);
305 for (entity = entity->
child; entity != NULL; entity = entity->
next) {
312 for (url = entity->
url_list; url != NULL; url = url->
next) {
313 jb_append_string_from_bytes(js_url, url->
url, url->
url_len);
318 if (attach_cnt > 0) {
320 jb_set_object(sjs,
"attachment", js_attach);
325 jb_set_object(sjs,
"url", js_url);
339 JsonBuilderMark mark = { 0, 0, 0 };
341 jb_get_mark(js, &mark);
342 jb_open_object(js,
"email");
343 if (!EveEmailLogJsonData(f, state, vtx, tx_id, js)) {
344 jb_restore_mark(js, &mark);
349 EveEmailLogJSONCustom(email_ctx, js, tx);
352 EveEmailLogJSONMd5(email_ctx, js, tx);
365 return EveEmailLogJsonData(f, smtp_state, tx, tx_id, js);
377 if (extended != NULL) {
392 email_ctx->
fields |= (1ULL << f);
400 email_ctx->
flags = 0;
405 if (strcmp(
"body", field->
val) == 0) {
406 SCLogInfo(
"Going to log the md5 sum of email body");
409 if (strcmp(
"subject", field->
val) == 0) {
410 SCLogInfo(
"Going to log the md5 sum of email subject");