From ad6c2f1411c21d6fdcd580c30d72cc31a607e4e2 Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Mon, 20 Dec 2021 00:36:52 +0100 Subject: [PATCH] eve/email: log existing url type MIME parsing was setting flag on URL to indicate their estimated type. This patch attach the information to the email object so the user can extract interesting email directly: ``` "email": { "status": "PARSE_DONE", "from": "Eric Leblond ", "to": [ "eric@regit.org" ], "has_ipv6_url": false, "has_ipv4_url": false, "has_exe_url": true, "url": [ "http://www.toto.com", "http://perdu.com.", "https://hacke.me/pown.exe" ] } ``` --- src/output-json-email-common.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/output-json-email-common.c b/src/output-json-email-common.c index cadad2c1c2..49c53b2209 100644 --- a/src/output-json-email-common.c +++ b/src/output-json-email-common.c @@ -292,15 +292,27 @@ static bool EveEmailLogJsonData(const Flow *f, void *state, void *vtx, uint64_t JsonBuilder *js_url = jb_new_array(); if (entity->url_list != NULL) { MimeDecUrl *url; + bool has_ipv6_url = false; + bool has_ipv4_url = false; + bool has_exe_url = false; for (url = entity->url_list; url != NULL; url = url->next) { char *s = BytesToString((uint8_t *)url->url, (size_t)url->url_len); if (s != NULL) { jb_append_string(js_url, s); + if (url->url_flags & URL_IS_EXE) + has_exe_url = true; + if (url->url_flags & URL_IS_IP6) + has_ipv6_url = true; + if (url->url_flags & URL_IS_IP4) + has_ipv6_url = true; SCFree(s); url_cnt += 1; } } + jb_set_bool(sjs, "has_ipv6_url", has_ipv6_url); + jb_set_bool(sjs, "has_ipv4_url", has_ipv4_url); + jb_set_bool(sjs, "has_exe_url", has_exe_url); } for (entity = entity->child; entity != NULL; entity = entity->next) { if (entity->ctnt_flags & CTNT_IS_ATTACHMENT) { -- 2.47.2
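Review bot: The `URL_IS_IP4` branch inside the url loop assigns the wrong flag — it sets `has_ipv6_url = true;` a second time, so `has_ipv4_url` can never become true and an IPv4-literal URL is reported to consumers as `has_ipv6_url`. Since the stated purpose of this commit is to let users pick out suspicious mail from the EVE record, an alert or filter keyed on `has_ipv4_url` would silently never match; the fix is to change that assignment to `has_ipv4_url = true;`. Two smaller points worth a comment or follow-up: the flag checks sit inside `if (s != NULL)`, so a URL whose BytesToString() fails is dropped from both the array and the summary flags, and the three `jb_set_bool` calls are only reached when `entity->url_list != NULL`, so consumers must treat an absent key as false (moving the three calls after the `if` block would make the schema uniform). The enclosing function EveEmailLogJsonData starts before this hunk and continues after it.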