From: Eric Leblond
Date: Tue, 5 May 2015 12:20:13 +0000 (+0200)
Subject: yaml: document new MIME features
X-Git-Tag: suricata-3.0RC1~104
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1b0a5aa6d6368c40c347b2fde8ddfacded1cc53;p=thirdparty%2Fsuricata.git
yaml: document new MIME features
---
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 56d4d3628f..3833a973f2 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -139,7 +139,18 @@ outputs:
 force-md5: no # force logging of md5 checksums
 #- drop:
 # alerts: no # log alerts that caused drops
- - smtp
+ - smtp:
+ #extended: yes
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
 - ssh
 - stats:
 totals: yes # stats for all threads merged together
@@ -1291,6 +1302,9 @@ app-layer:
 # Extract URLs and save in state data structure
 extract-urls: yes
+ # Set to yes to compute the md5 of the mail body. You will then
+ # be able to journalize it.
+ body-md5: no
 # Configure inspected-tracker for file_data keyword
 inspected-tracker:
 content-limit: 1000
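Review bot: The example `#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]` uses `relays`, which does not appear in the list of custom fields the comment three lines above presents as the accepted set, so anyone copying the example gets a field the documentation itself says is not offered; either add `relays` to that list if the SMTP logger accepts it, or drop it from the example. The entry also changes from the plain scalar `- smtp` to `- smtp:` with every child commented out, which YAML reads as a mapping whose value is null rather than a string; presumably the config loader treats both as "enabled with defaults", but that is worth confirming since the neighbouring `- ssh` keeps the old form. A one-line note that `bcc`, `received` and `x-originating-ip` write addresses and relay hops into the EVE log would help operators who must handle that output as personal data.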
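Review bot: "journalize" in the new comment on `body-md5` will not be understood by most readers, and the comment does not say which output consumes the hash; I would write it as `# Set to yes to compute the md5 of the mail body; the eve-log smtp output can then log it via its md5: [body, ...] option.` A short caveat that this MD5 is for correlating a body against known-sample hashes and not an integrity proof would also prevent misreading, since MD5 is not collision-resistant. The enclosing mime block starts outside the hunk, so the full key path given in the other hunk (app-layer.protocols.smtp.mime.body-md5) is inferred rather than visible here.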