detect/smtp: smtp.mail_from keyword

Ticket: 7517

It is a sticky buffer mapping to the smtp.mail_from log field

diff --git a/doc/userguide/rules/smtp-keywords.rst b/doc/userguide/rules/smtp-keywords.rst
index bd5e9488ed6f5e650b7f1dc11110dc5659e007f0..bbc12a515cafd223fa5a8c7dc22efd8cecfd8b9e 100644 (file)
--- a/doc/userguide/rules/smtp-keywords.rst
+++ b/doc/userguide/rules/smtp-keywords.rst
@@ -40,6 +40,25 @@ Signature example::
 
 This keyword maps to the eve.json log field ``smtp.helo``
 
+smtp.mail_from
+--------------
+
+SMTP mail from is the parameter passed to the first MAIL FROM command from the client.
+
+Syntax::
+
+ smtp.mail_from; content:"spam";
+
+Signature example::
+
+ alert smtp any any -> any any (msg:"SMTP mail from spam"; smtp.mail_from; content:"spam"; sid:2; rev:1;)
+
+``smtp.mail_from`` is a 'sticky buffer'.
+
+``smtp.mail_from`` can be used as ``fast_pattern``.
+
+This keyword maps to the eve.json log field ``smtp.mail_from``
+
 
 Frames
 ------

diff --git a/src/detect-smtp.c b/src/detect-smtp.c
index 3c8e5bc7a4bec1f25db395c9d1d0ba6c57f83058..7ebdc21ac62172b1bbce84098168799bba98aaee 100644 (file)
--- a/src/detect-smtp.c
+++ b/src/detect-smtp.c
@@ -31,6 +31,7 @@
 #include "rust.h"
 
 static int g_smtp_helo_buffer_id = 0;
+static int g_smtp_mail_from_buffer_id = 0;
 
 static int DetectSmtpHeloSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
 {
@@ -60,6 +61,32 @@ static InspectionBuffer *GetSmtpHeloData(DetectEngineThreadCtx *det_ctx,
     return buffer;
 }
 
+static int DetectSmtpMailFromSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+    if (DetectBufferSetActiveList(de_ctx, s, g_smtp_mail_from_buffer_id) < 0)
+        return -1;
+
+    if (DetectSignatureSetAppProto(s, ALPROTO_SMTP) < 0)
+        return -1;
+
+    return 0;
+}
+
+static InspectionBuffer *GetSmtpMailFromData(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv,
+        const int list_id)
+{
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+    if (buffer->inspect == NULL) {
+        SMTPTransaction *tx = (SMTPTransaction *)txv;
+        if (tx->mail_from == NULL || tx->mail_from_len == 0)
+            return NULL;
+        InspectionBufferSetup(det_ctx, list_id, buffer, tx->mail_from, tx->mail_from_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+    return buffer;
+}
+
 void SCDetectSMTPRegister(void)
 {
     SCSigTableElmt kw = { 0 };
@@ -73,4 +100,15 @@ void SCDetectSMTPRegister(void)
             DetectHelperBufferMpmRegister("smtp.helo", "SMTP helo", ALPROTO_SMTP, false,
                     true, // to server
                     GetSmtpHeloData);
+
+    kw.name = "smtp.mail_from";
+    kw.desc = "SMTP mail from buffer";
+    kw.url = "/rules/smtp-keywords.html#smtp-mail-from";
+    kw.Setup = (int (*)(void *, void *, const char *))DetectSmtpMailFromSetup;
+    kw.flags = SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+    DetectHelperKeywordRegister(&kw);
+    g_smtp_mail_from_buffer_id =
+            DetectHelperBufferMpmRegister("smtp.mail_from", "SMTP MAIL FROM", ALPROTO_SMTP, false,
+                    true, // to server
+                    GetSmtpMailFromData);
 }