eve/email: log existing url type
authorEric Leblond <el@stamus-networks.com>
Sun, 19 Dec 2021 23:36:52 +0000 (00:36 +0100)
committerVictor Julien <vjulien@oisf.net>
Tue, 9 Aug 2022 08:54:18 +0000 (10:54 +0200)
MIME parsing was already setting flags on each URL to indicate its
estimated type. This patch attaches that information to
the email object so the user can extract interesting
emails directly:

```
  "email": {
    "status": "PARSE_DONE",
    "from": "Eric Leblond <regit@regit.org>",
    "to": [
      "eric@regit.org"
    ],
    "has_ipv6_url": false,
    "has_ipv4_url": false,
    "has_exe_url": true,
    "url": [
      "http://www.toto.com",
      "http://perdu.com.",
      "https://hacke.me/pown.exe"
    ]
  }
```

src/output-json-email-common.c

index cadad2c1c2d56624812bf018d6a41da7a95b4420..49c53b22090793054f7bc3cc2eb511a7c1217e36 100644 (file)
@@ -292,15 +292,27 @@ static bool EveEmailLogJsonData(const Flow *f, void *state, void *vtx, uint64_t
         JsonBuilder *js_url = jb_new_array();
         if (entity->url_list != NULL) {
             MimeDecUrl *url;
+            bool has_ipv6_url = false;
+            bool has_ipv4_url = false;
+            bool has_exe_url = false;
             for (url = entity->url_list; url != NULL; url = url->next) {
                 char *s = BytesToString((uint8_t *)url->url,
                                         (size_t)url->url_len);
                 if (s != NULL) {
                     jb_append_string(js_url, s);
+                    if (url->url_flags & URL_IS_EXE)
+                        has_exe_url = true;
+                    if (url->url_flags & URL_IS_IP6)
+                        has_ipv6_url = true;
+                    if (url->url_flags & URL_IS_IP4)
+                        has_ipv6_url = true;
                     SCFree(s);
                     url_cnt += 1;
                 }
             }
+            jb_set_bool(sjs, "has_ipv6_url", has_ipv6_url);
+            jb_set_bool(sjs, "has_ipv4_url", has_ipv4_url);
+            jb_set_bool(sjs, "has_exe_url", has_exe_url);
         }
         for (entity = entity->child; entity != NULL; entity = entity->next) {
             if (entity->ctnt_flags & CTNT_IS_ATTACHMENT) {
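Review bot: The URL_IS_IP4 branch sets the wrong flag: the line after `if (url->url_flags & URL_IS_IP4)` assigns `has_ipv6_url = true;`, so `has_ipv4_url` is never set and an IPv4 URL is reported as `has_ipv6_url: true` and `has_ipv4_url: false`, the opposite of what the commit message's example promises. It should read `has_ipv4_url = true;`. Note also that the three `jb_set_bool` calls sit inside the `entity->url_list != NULL` branch, so an email with no URLs omits the keys entirely rather than logging them as false; consumers filtering on these fields should treat absence as false, or the keys could be emitted unconditionally. EveEmailLogJsonData continues outside the hunk.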