From: Philippe Antoine Date: Fri, 24 Jan 2025 12:30:47 +0000 (+0100) Subject: detect/smtp: smtp.mail_from keyword X-Git-Tag: suricata-8.0.0-beta1~515 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32594766b701666a8768b48d724cdd63b74ea469;p=thirdparty%2Fsuricata.git detect/smtp: smtp.mail_from keyword Ticket: 7517 It is a sticky buffer mapping to the smtp.mail_from log field --- diff --git a/doc/userguide/rules/smtp-keywords.rst b/doc/userguide/rules/smtp-keywords.rst index bd5e9488ed..bbc12a515c 100644 --- a/doc/userguide/rules/smtp-keywords.rst +++ b/doc/userguide/rules/smtp-keywords.rst @@ -40,6 +40,25 @@ Signature example:: This keyword maps to the eve.json log field ``smtp.helo`` +smtp.mail_from +-------------- + +SMTP mail from is the parameter passed to the first MAIL FROM command from the client. + +Syntax:: + + smtp.mail_from; content:"spam"; + +Signature example:: + + alert smtp any any -> any any (msg:"SMTP mail from spam"; smtp.mail_from; content:"spam"; sid:2; rev:1;) + +``smtp.mail_from`` is a 'sticky buffer'. + +``smtp.mail_from`` can be used as ``fast_pattern``. + +This keyword maps to the eve.json log field ``smtp.mail_from`` + Frames ------ diff --git a/src/detect-smtp.c b/src/detect-smtp.c index 3c8e5bc7a4..7ebdc21ac6 100644 --- a/src/detect-smtp.c +++ b/src/detect-smtp.c @@ -31,6 +31,7 @@ #include "rust.h" static int g_smtp_helo_buffer_id = 0; +static int g_smtp_mail_from_buffer_id = 0; static int DetectSmtpHeloSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { 
@@ -60,6 +61,32 @@ static InspectionBuffer *GetSmtpHeloData(DetectEngineThreadCtx *det_ctx, return buffer; } +static int DetectSmtpMailFromSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) +{ + if (DetectBufferSetActiveList(de_ctx, s, g_smtp_mail_from_buffer_id) < 0) + return -1; + + if (DetectSignatureSetAppProto(s, ALPROTO_SMTP) < 0) + return -1; + + return 0; +} + +static InspectionBuffer *GetSmtpMailFromData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, + const int list_id) +{ + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mail_from == NULL || tx->mail_from_len == 0) + return NULL; + InspectionBufferSetup(det_ctx, list_id, buffer, tx->mail_from, tx->mail_from_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + return buffer; +} + void SCDetectSMTPRegister(void) { SCSigTableElmt kw = { 0 }; @@ -73,4 +100,15 @@ void SCDetectSMTPRegister(void) DetectHelperBufferMpmRegister("smtp.helo", "SMTP helo", ALPROTO_SMTP, false, true, // to server GetSmtpHeloData); + + kw.name = "smtp.mail_from"; + kw.desc = "SMTP mail from buffer"; + kw.url = "/rules/smtp-keywords.html#smtp-mail-from"; + kw.Setup = (int (*)(void *, void *, const char *))DetectSmtpMailFromSetup; + kw.flags = SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + DetectHelperKeywordRegister(&kw); + g_smtp_mail_from_buffer_id = + DetectHelperBufferMpmRegister("smtp.mail_from", "SMTP MAIL FROM", ALPROTO_SMTP, false, + true, // to server + GetSmtpMailFromData); }
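Review bot: Neither DetectSmtpMailFromSetup nor GetSmtpMailFromData carries a comment, and the NULL-return path in GetSmtpMailFromData is the one a reader needs explained: when `tx->mail_from` is NULL or `tx->mail_from_len` is 0 the buffer is never set up, so a rule on this sticky buffer cannot match that transaction. I would add above GetSmtpMailFromData: `/* Returns NULL when the tx has no MAIL FROM parameter (nothing to inspect); the buffer is only filled while buffer->inspect is still NULL, so later calls for the same list reuse it. */` and above the setup function: `/* Sticky-buffer setup for smtp.mail_from: selects the buffer list and restricts the rule to SMTP; arg is unused (SIGMATCH_NOOPT). */`. The context lines at the top of the hunk belong to GetSmtpHeloData, whose body starts outside the hunk. Whether an empty reverse-path (`MAIL FROM:<>`) is stored with mail_from_len == 0 and therefore becomes un-inspectable depends on the parser, which this diff does not touch; that is worth confirming and documenting, since rules expecting to inspect such transactions would not fire.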
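Review bot: `kw` is the same SCSigTableElmt already used for the smtp.helo registration, and only name, desc, url, Setup and flags are reassigned in this hunk, so any other field the helo block set (those lines are outside the hunk) silently carries over into smtp.mail_from; re-zeroing with `kw = (SCSigTableElmt){ 0 };` before the assignments makes the registration self-contained. The Setup cast `(int (*)(void *, void *, const char *))DetectSmtpMailFromSetup` presumably mirrors the helo entry, but calling a function through a pointer of an incompatible type is undefined behaviour in C and is exactly what forward-edge CFI builds (clang `-fsanitize=cfi-icall`) trap on; giving the setup function the `void *` parameter types the table expects and casting to DetectEngineCtx/Signature inside the body removes the mismatch at the call site. Minor: the description strings differ in form (`"SMTP mail from buffer"` for the keyword, `"SMTP MAIL FROM"` for the MPM buffer, `"SMTP helo"` for the sibling), so pick one spelling.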