--- /dev/null
+# SMTP raw extraction
+
+This test verifies that the flag app-layers.protocols.smtp.raw-extraction set to
+True will make suricata dump e-mails in raw form, including headers and e-mail
+content.
+
+The pcap file is downloaded from
+
+```
+https://osqa-ask.wireshark.org/questions/33094/extract-an-attachment-email-smtp-cap
+```
--- /dev/null
+%YAML 1.1
+---
+
+pcap-file:
+ checksum-checks: no
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - file-store:
+ version: 2
+ enabled: yes
+##
+## Step 5: App Layer Protocol Configuration
+##
+
+# Configure the app-layer parsers. The protocols section details each
+# protocol.
+#
+# The option "enabled" takes 3 values - "yes", "no", "detection-only".
+# "yes" enables both detection and the parser, "no" disables both, and
+# "detection-only" enables protocol detection only (parser disabled).
+app-layer:
+ protocols:
+ smtp:
+ enabled: yes
+ raw-extraction: yes
+ # Configure SMTP-MIME Decoder
+ mime:
+ # Decode MIME messages from SMTP transactions
+ # (may be resource intensive)
+ # This field supercedes all others because it turns the entire
+ # process on or off
+ decode-mime: no
+
+ # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
+ decode-base64: yes
+ decode-quoted-printable: yes
+
+ # Maximum bytes per header data value stored in the data structure
+ # (default is 2000)
+ header-value-depth: 2000
+
+ # Extract URLs and save in state data structure
+ extract-urls: no
+ # Set to yes to compute the md5 of the mail body. You will then
+ # be able to journalize it.
+ body-md5: no
+ # Configure inspected-tracker for file_data keyword
+ inspected-tracker:
+ content-limit: 100000
+ content-inspect-min-size: 32768
+ content-inspect-window: 4096
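Review bot: The `raw-extraction: yes` line has no comment explaining why `decode-mime: no` sits a few lines below it, even though the rest of the smtp stanza carries the upstream default comments; raw extraction and MIME decoding are mutually exclusive in Suricata, so the two settings are coupled and the next person tuning this test config should know that. I would add, directly above `raw-extraction: yes`, `# Raw e-mail extraction is mutually exclusive with MIME decoding; decode-mime below must stay "no" for this test.` The `file-store` output also sets no `dir:`, so extracted messages land in the default file-store location; if the test harness looks for them at a fixed path, a one-line comment stating that expectation next to `enabled: yes` would make the dependency explicit. The indentation of this hunk appears collapsed in this rendering, so I have not judged the nesting itself.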