yaml: document new MIME features
authorEric Leblond <eric@regit.org>
Tue, 5 May 2015 12:20:13 +0000 (14:20 +0200)
committerEric Leblond <eric@regit.org>
Tue, 6 Oct 2015 21:30:45 +0000 (23:30 +0200)
suricata.yaml.in

index 56d4d3628f37b88f137b73be69c6215e815b0615..3833a973f2a4c5f79f59bd3cc02cc70fe5f8996c 100644 (file)
@@ -139,7 +139,18 @@ outputs:
             force-md5: no     # force logging of md5 checksums
         #- drop:
         #    alerts: no       # log alerts that caused drops
-        - smtp
+        - smtp:
+            #extended: yes
+            # custom fields logging from the list:
+            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+            #  x-originating-ip, in-reply-to, references, importance, priority,
+            #  sensitivity, organization, content-md5
+            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+            # output md5 of fields: body, subject
+            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+            # to yes
+            #md5: [body, subject]
+
         - ssh
         - stats:
             totals: yes       # stats for all threads merged together
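Review bot: The example `#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]` includes `relays`, which is not among the fields the comment two lines above says are available (reply-to, bcc, message-id, subject, x-mailer, user-agent, received, x-originating-ip, in-reply-to, references, importance, priority, sensitivity, organization, content-md5). Either `relays` should be added to the documented list if it is a real option, or dropped from the example so a user uncommenting it does not copy an unsupported key. Since several of these fields (bcc, x-originating-ip, received) carry recipient addresses and client IPs, a short note that enabling them puts that data into the eve log, `# note: these headers include addresses and originating IPs; review log retention`, would help operators decide what to enable. The added blank line after `#md5: [body, subject]` is a trailing `+` line that the rest of the outputs list does not use between entries.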
@@ -1291,6 +1302,9 @@ app-layer:
 
         # Extract URLs and save in state data structure
         extract-urls: yes
+        # Set to yes to compute the md5 of the mail body. You will then
+        # be able to journalize it.
+        body-md5: no
       # Configure inspected-tracker for file_data keyword
       inspected-tracker:
         content-limit: 1000
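Review bot: The comment above `body-md5: no` says "You will then be able to journalize it", which does not tell the reader where the md5 ends up; the first hunk already ties this key to the eve-log smtp `md5` option, so the two comments should cross-reference each other. Suggested wording: `# Set to yes to compute the md5 of the mail body. It can then be` / `# logged via the "md5" option of the eve-log smtp output.` The enclosing `mime:` mapping starts before this hunk, so the `body-md5` indentation cannot be checked against its siblings here.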