From: Eric Leblond Date: Tue, 5 May 2015 09:55:46 +0000 (+0200) Subject: email-json: add capa to display subject md5 X-Git-Tag: suricata-3.0RC1~107 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a719ea3c928e0e4c961713c8b6dca72b0abd99a7;p=thirdparty%2Fsuricata.git email-json: add capa to display subject md5 To be able to identify mails with identical subjects without using the subject itself as a key, it is possible to use the md5 hash of the subjet string. This allows to limit the privacy impact.
---
diff --git a/src/output-json-email-common.c b/src/output-json-email-common.c
index 84294c45b0..fae43a2e9a 100644
--- a/src/output-json-email-common.c
+++ b/src/output-json-email-common.c
@@ -55,10 +55,12 @@
 #ifdef HAVE_LIBJANSSON
 #include
-#define LOG_EMAIL_DEFAULT 0
-#define LOG_EMAIL_EXTENDED (1<<0)
-#define LOG_EMAIL_ARRAY (1<<1) /* require array handling */
-#define LOG_EMAIL_COMMA (1<<2) /* require array handling */
+#define LOG_EMAIL_DEFAULT 0
+#define LOG_EMAIL_EXTENDED (1<<0)
+#define LOG_EMAIL_ARRAY (1<<1) /* require array handling */
+#define LOG_EMAIL_COMMA (1<<2) /* require array handling */
+#define LOG_EMAIL_BODY_MD5 (1<<3)
+#define LOG_EMAIL_SUBJECT_MD5 (1<<4)
 struct {
 char *config_field;
@@ -117,6 +119,35 @@ static json_t* JsonEmailJsonArrayFromCommaList(const uint8_t *val, size_t len)
 return ajs;
 }
+
+#ifdef HAVE_NSS
+static void JsonEmailLogJSONMd5(OutputJsonEmailCtx *email_ctx, json_t *js, SMTPTransaction *tx)
+{
+ if (email_ctx->flags & LOG_EMAIL_SUBJECT_MD5) {
+ MimeDecField *field;
+ MimeDecEntity *entity = tx->msg_tail;
+ if (entity == NULL) {
+ return;
+ }
+ field = MimeDecFindField(entity, "subject");
+ if (field != NULL) {
+ unsigned char md5[MD5_LENGTH];
+ char smd5[2 * MD5_LENGTH + 1];
+ char *value = BytesToString((uint8_t *)field->value , field->value_len);
+ if (value) {
+ size_t i,x;
+ HASH_HashBuf(HASH_AlgMD5, md5, (unsigned char *)value, strlen(value));
+ for (i = 0, x = 0; x < sizeof(md5); x++) {
+ i += snprintf(smd5 + i, 255-i, "%02x", md5[x]);
+ }
+ json_object_set_new(js, "subject_md5", json_string(smd5));
+ SCFree(value);
+ }
+ }
+ }
+}
+#endif
+
 static int JsonEmailAddToJsonArray(const uint8_t *val, size_t len, void *data)
 {
 json_t *ajs = data;
@@ -345,6 +376,10 @@ TmEcode JsonEmailLogJson(JsonEmailLogThread *aft, json_t *js, const Packet *p, F
 if ((email_ctx->flags & LOG_EMAIL_EXTENDED) || (email_ctx->fields != 0))
 JsonEmailLogJSONCustom(email_ctx, sjs, tx);
+#ifdef HAVE_NSS
+ JsonEmailLogJSONMd5(email_ctx, sjs, tx);
+#endif
+
 if (sjs) {
 json_object_set_new(js, "email", sjs);
 SCReturnInt(TM_ECODE_OK);
@@ -399,6 +434,23 @@ void OutputEmailInitConf(ConfNode *conf, OutputJsonEmailCtx *email_ctx)
 }
 }
 }
+
+ ConfNode *md5_conf;
+ if ((md5_conf = ConfNodeLookupChild(conf, "md5")) != NULL) {
+ ConfNode *field;
+ TAILQ_FOREACH(field, &md5_conf->head, next) {
+ if (field != NULL) {
+ if (strcmp("body", field->val) == 0) {
+ SCLogInfo("Going to log email body md5");
+ email_ctx->flags |= LOG_EMAIL_BODY_MD5;
+ }
+ if (strcmp("subject", field->val) == 0) {
+ SCLogInfo("Going to log email subject md5");
+ email_ctx->flags |= LOG_EMAIL_SUBJECT_MD5;
+ }
+ }
+ }
+ }
 }
 return;
 }
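Review bot: The bound passed to snprintf in JsonEmailLogJSONMd5's hex loop, `255-i`, is unrelated to the destination buffer: smd5 is declared as `char smd5[2 * MD5_LENGTH + 1]`, so the loop only stays in bounds because each `%02x` happens to emit exactly two characters, and the size argument would not catch a change to the format or to the buffer. The line should read `i += snprintf(smd5 + i, sizeof(smd5) - i, "%02x", md5[x]);`. The SECStatus returned by HASH_HashBuf is also discarded; on failure md5[] stays uninitialized and an arbitrary value is emitted as subject_md5, so the hex loop and json_object_set_new should run only when that call reports success. The digest is computed with strlen() over the copy returned by BytesToString rather than over field->value/field->value_len, so if BytesToString rewrites or drops bytes the logged value is the hash of the converted string, not of the raw header; a comment stating which one is intended would help anyone correlating the field with externally computed hashes.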
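Review bot: The `md5` configuration is parsed unconditionally in OutputEmailInitConf, but the only consumer this commit adds, the JsonEmailLogJSONMd5 call in JsonEmailLogJson, is wrapped in `#ifdef HAVE_NSS`, so on a build without NSS `md5: [subject]` prints "Going to log email subject md5" and then silently emits nothing; an `#ifndef HAVE_NSS` branch here that warns that md5 logging is unavailable would make the misconfiguration visible. Likewise `LOG_EMAIL_BODY_MD5` is set and "Going to log email body md5" is printed, yet nothing in this diff reads that flag, so the message promises more than the code delivers until body hashing lands. A value that is neither "body" nor "subject" is dropped without any message; a warning naming the unexpected value would catch typos in the YAML. The `if (field != NULL)` inside TAILQ_FOREACH is redundant, since the macro never enters the body with a NULL iterator. OutputEmailInitConf starts outside the hunk.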