From 09db7c7ac128c51ce4a40d5c3bd3f7cbbfee9fe3 Mon Sep 17 00:00:00 2001 From: Alice Akaki Date: Thu, 20 Mar 2025 17:32:58 -0400 Subject: [PATCH] detect: add mime email.subject keyword email.subject matches on MIME EMAIL SUBJECT This keyword maps to the EVE field email.subject It is a sticky buffer Supports prefiltering Ticket: #7595 --- doc/userguide/rules/email-keywords.rst | 24 +++++++++++++ src/detect-email.c | 49 ++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) diff --git a/doc/userguide/rules/email-keywords.rst b/doc/userguide/rules/email-keywords.rst index b7924b250a..d2ecc4c385 100644 --- a/doc/userguide/rules/email-keywords.rst +++ b/doc/userguide/rules/email-keywords.rst @@ -26,3 +26,27 @@ Example of a signature that would alert if a packet contains the MIME field ``fr .. container:: example-rule alert smtp any any -> any any (msg:"Test mime email from"; :example-rule-emphasis:`email.from; content:"toto ";` sid:1;) + +email.subject +------------- + +Matches the MIME ``Subject`` field of an email. + +Comparison is case-sensitive. + +Syntax:: + + email.subject; content:""; + +``email.subject`` is a 'sticky buffer' and can be used as a ``fast_pattern``. + +This keyword maps to the EVE field ``email.subject`` + +Example +^^^^^^^ + +Example of a signature that would alert if a packet contains the MIME field ``subject`` with the value ``This is a test email`` + +.. container:: example-rule + + alert smtp any any -> any any (msg:"Test mime email subject"; :example-rule-emphasis:`email.subject; content:"This is a test email";` sid:1;) diff --git a/src/detect-email.c b/src/detect-email.c index 23a69d66b6..131a25f06b 100644 --- a/src/detect-email.c +++ b/src/detect-email.c @@ -23,6 +23,7 @@ #include "rust.h" static int g_mime_email_from_buffer_id = 0; +static int g_mime_email_subject_buffer_id = 0; static int DetectMimeEmailFromSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { 
@@ -61,6 +62,43 @@ static InspectionBuffer *GetMimeEmailFromData(DetectEngineThreadCtx *det_ctx, return buffer; } +static int DetectMimeEmailSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) +{ + if (DetectBufferSetActiveList(de_ctx, s, g_mime_email_subject_buffer_id) < 0) + return -1; + + if (DetectSignatureSetAppProto(s, ALPROTO_SMTP) < 0) + return -1; + + return 0; +} + +static InspectionBuffer *GetMimeEmailSubjectData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, + const int list_id) +{ + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + SMTPTransaction *tx = (SMTPTransaction *)txv; + + const uint8_t *b_email_sub = NULL; + uint32_t b_email_sub_len = 0; + + if ((tx->mime_state != NULL)) { + if (SCDetectMimeEmailGetData( + tx->mime_state, &b_email_sub, &b_email_sub_len, "subject") != 1) + return NULL; + } + + if (b_email_sub == NULL || b_email_sub_len == 0) + return NULL; + + InspectionBufferSetup(det_ctx, list_id, buffer, b_email_sub, b_email_sub_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + return buffer; +} + void DetectEmailRegister(void) { SCSigTableElmt kw = { 0 }; @@ -75,4 +113,15 @@ void DetectEmailRegister(void) DetectHelperBufferMpmRegister("email.from", "MIME EMAIL FROM", ALPROTO_SMTP, false, true, // to server GetMimeEmailFromData); + + kw.name = "email.subject"; + kw.desc = "'Subject' field from an email"; + kw.url = "/rules/email-keywords.html#email.subject"; + kw.Setup = (int (*)(void *, void *, const char *))DetectMimeEmailSubjectSetup; + kw.flags = SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + DetectHelperKeywordRegister(&kw); + g_mime_email_subject_buffer_id = DetectHelperBufferMpmRegister("email.subject", + "MIME EMAIL SUBJECT", ALPROTO_SMTP, false, + true, // to server + GetMimeEmailSubjectData); } -- 2.47.2
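Review bot: GetMimeEmailSubjectData appears to repeat GetMimeEmailFromData (only that function's closing lines are visible as leading context here) apart from the `"subject"` literal, so the two copies will drift the first time one is touched; a file-static helper taking the field name, with GetMimeEmailSubjectData reduced to `return GetMimeEmailFieldData(det_ctx, transforms, txv, list_id, "subject");`, would keep the lookup, the empty-length check and the transform application in one place. The doubled parentheses in `if ((tx->mime_state != NULL)) {` look accidental and should read `if (tx->mime_state != NULL) {`. A SCDetectMimeEmailGetData return other than 1 and an absent subject both end in `return NULL`, which seems intended (nothing to inspect), but a one-line comment above the length check such as `/* no Subject header, or the MIME lookup failed: nothing to match */` would make that explicit for the next reader. Both functions added here are complete within the hunk; DetectEmailRegister's body continues past it.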
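Review bot: `kw.Setup = (int (*)(void *, void *, const char *))DetectMimeEmailSubjectSetup;` erases the real parameter types (DetectEngineCtx *, Signature *), so a later signature change in DetectMimeEmailSubjectSetup would still compile and only misbehave when the keyword is set up; this presumably mirrors the email.from registration just above the hunk, so it is a remark on the shared pattern rather than on this hunk alone. The ordering — `DetectHelperKeywordRegister(&kw);` runs before `g_mime_email_subject_buffer_id` is assigned on the following line — is only safe if no rule is parsed before DetectEmailRegister returns, which looks to be the case but deserves a comment, e.g. `/* Setup() reads the buffer id; both registrations complete before any rule is loaded */`. The `kw` struct is reused from the email.from entry, so any field set there and not reassigned here carries over; the fields visible in this hunk are all reassigned, but whether email.from sets others is not visible. DetectEmailRegister begins outside the hunk.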