eve/email: log existing url type

MIME parsing was setting flag on URL to indicate their estimated type. This patch attach the information to the email object so the user can extract interesting email directly: ``` "email": { "status": "PARSE_DONE", "from": "Eric Leblond <regit@regit.org>", "to": [ "eric@regit.org" ], "has_ipv6_url": false, "has_ipv4_url": false, "has_exe_url": true, "url": [ "http://www.toto.com", "http://perdu.com.", "https://hacke.me/pown.exe" ] } ```
4 years ago · ad6c2f1411
parent 767d2cc9ba
commit ad6c2f1411
1 changed files with 12 additions and 0 deletions
--- a/src/output-json-email-common.c
+++ b/src/output-json-email-common.c
@ -292,15 +292,27 @@ static bool EveEmailLogJsonData(const Flow *f, void *state, void *vtx, uint64_t
        JsonBuilder *js_url = jb_new_array();
        if (entity->url_list != NULL) {
            MimeDecUrl *url;
+            bool has_ipv6_url = false;
+            bool has_ipv4_url = false;
+            bool has_exe_url = false;
            for (url = entity->url_list; url != NULL; url = url->next) {
                char *s = BytesToString((uint8_t *)url->url,
                                        (size_t)url->url_len);
                if (s != NULL) {
                    jb_append_string(js_url, s);
+                    if (url->url_flags & URL_IS_EXE)
+                        has_exe_url = true;
+                    if (url->url_flags & URL_IS_IP6)
+                        has_ipv6_url = true;
+                    if (url->url_flags & URL_IS_IP4)
+                        has_ipv6_url = true;
                    SCFree(s);
                    url_cnt += 1;
                }
            }
+            jb_set_bool(sjs, "has_ipv6_url", has_ipv6_url);
+            jb_set_bool(sjs, "has_ipv4_url", has_ipv4_url);
+            jb_set_bool(sjs, "has_exe_url", has_exe_url);
        }
        for (entity = entity->child; entity != NULL; entity = entity->next) {
            if (entity->ctnt_flags & CTNT_IS_ATTACHMENT) {