detect: add email.date keyword

email.date matches on MIME EMAIL DATE This keyword maps to the EVE field email.date It is a sticky buffer Supports prefiltering Ticket: #7591
8 months ago · ce2e7aed74
parent 7750129c65
commit ce2e7aed74
2 changed files with 70 additions and 0 deletions
--- a/doc/userguide/rules/email-keywords.rst
+++ b/doc/userguide/rules/email-keywords.rst
@ -98,3 +98,27 @@ Example of a signature that would alert if a packet contains the MIME field ``cc
 .. container:: example-rule

  alert smtp any any -> any any (msg:"Test mime email cc"; :example-rule-emphasis:`email.cc; content:"Emily <emily.roberts@example.com>, Ava <ava.johnson@example.com>, Sophia Wilson <sophia.wilson@example.com>";` sid:1;)
+
+email.date
+----------
+
+Matches the MIME ``Date`` field of an email.
+
+Comparison is case-sensitive.
+
+Syntax::
+
+ email.date; content:"<content to match against>";
+
+``email.date`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
+
+This keyword maps to the EVE field ``email.date``
+
+Example
+^^^^^^^
+
+Example of a signature that would alert if a packet contains the MIME field ``date`` with the value ``Fri, 21 Apr 2023 05:10:36 +0000``
+
+.. container:: example-rule
+
+  alert smtp any any -> any any (msg:"Test mime email date"; :example-rule-emphasis:`email.date; content:"Fri, 21 Apr 2023 05:10:36 +0000";` sid:1;)
--- a/src/detect-email.c
+++ b/src/detect-email.c
@ -26,6 +26,7 @@ static int g_mime_email_from_buffer_id = 0;
 static int g_mime_email_subject_buffer_id = 0;
 static int g_mime_email_to_buffer_id = 0;
 static int g_mime_email_cc_buffer_id = 0;
+static int g_mime_email_date_buffer_id = 0;

 static int DetectMimeEmailFromSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
 {
@ -166,6 +167,40 @@ static InspectionBuffer *GetMimeEmailCcData(DetectEngineThreadCtx *det_ctx,
    return buffer;
 }

+static int DetectMimeEmailDateSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+    if (DetectBufferSetActiveList(de_ctx, s, g_mime_email_date_buffer_id) < 0)
+        return -1;
+
+    if (DetectSignatureSetAppProto(s, ALPROTO_SMTP) < 0)
+        return -1;
+
+    return 0;
+}
+
+static InspectionBuffer *GetMimeEmailDateData(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv,
+        const int list_id)
+{
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+    if (buffer->inspect == NULL) {
+        SMTPTransaction *tx = (SMTPTransaction *)txv;
+
+        const uint8_t *b_email_date = NULL;
+        uint32_t b_email_date_len = 0;
+
+        if (tx->mime_state == NULL)
+            return NULL;
+
+        if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_date, &b_email_date_len, "date") != 1)
+            return NULL;
+
+        InspectionBufferSetup(det_ctx, list_id, buffer, b_email_date, b_email_date_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+    return buffer;
+}
+
 void DetectEmailRegister(void)
 {
    SCSigTableElmt kw = { 0 };
@ -213,4 +248,15 @@ void DetectEmailRegister(void)
            DetectHelperBufferMpmRegister("email.cc", "MIME EMAIL CC", ALPROTO_SMTP, false,
                    true, // to server
                    GetMimeEmailCcData);
+
+    kw.name = "email.date";
+    kw.desc = "'Date' field from an email";
+    kw.url = "/rules/email-keywords.html#email.date";
+    kw.Setup = (int (*)(void *, void *, const char *))DetectMimeEmailDateSetup;
+    kw.flags = SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+    DetectHelperKeywordRegister(&kw);
+    g_mime_email_date_buffer_id =
+            DetectHelperBufferMpmRegister("email.date", "MIME EMAIL DATE", ALPROTO_SMTP, false,
+                    true, // to server
+                    GetMimeEmailDateData);
 }