aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '116d1763d9'
${ noResults }
suricata/doc/userguide/rules/email-keywords.rst

225 lines
6.2 KiB
ReStructuredText
Raw Blame History

Email Keywords
==============
.. role:: example-rule-emphasis
email.from
----------
Matches the MIME ``From`` field of an email.
Comparison is case-sensitive.
Syntax::
email.from; content:"<content to match against>";
``email.from`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
This keyword maps to the EVE field ``email.from``
Example
^^^^^^^
Example of a signature that would alert if a packet contains the MIME field ``from`` with the value ``toto <toto@gmail.com>``
.. container:: example-rule
alert smtp any any -> any any (msg:"Test mime email from"; :example-rule-emphasis:`email.from; content:"toto <toto@gmail.com>";` sid:1;)
email.subject
-------------
Matches the MIME ``Subject`` field of an email.
Comparison is case-sensitive.
Syntax::
email.subject; content:"<content to match against>";
``email.subject`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
This keyword maps to the EVE field ``email.subject``
Example
^^^^^^^
Example of a signature that would alert if a packet contains the MIME field ``subject`` with the value ``This is a test email``
.. container:: example-rule
alert smtp any any -> any any (msg:"Test mime email subject"; :example-rule-emphasis:`email.subject; content:"This is a test email";` sid:1;)
email.to
--------
Matches the MIME ``To`` field of an email.
Comparison is case-sensitive.
Syntax::
email.to; content:"<content to match against>";
``email.to`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
This keyword maps to the EVE field ``email.to``
Example
^^^^^^^
Example of a signature that would alert if a packet contains the MIME field ``to`` with the value ``172.16.92.2@linuxbox``
.. container:: example-rule
alert smtp any any -> any any (msg:"Test mime email to"; :example-rule-emphasis:`email.to; content:"172.16.92.2@linuxbox";` sid:1;)
email.cc
--------
Matches the MIME ``Cc`` field of an email.
Comparison is case-sensitive.
Syntax::
email.cc; content:"<content to match against>";
``email.cc`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
This keyword maps to the EVE field ``email.cc[]``
Example
^^^^^^^
Example of a signature that would alert if a packet contains the MIME field ``cc`` with the value ``Emily <emily.roberts@example.com>, Ava <ava.johnson@example.com>, Sophia Wilson <sophia.wilson@example.com>``
.. container:: example-rule
alert smtp any any -> any any (msg:"Test mime email cc"; :example-rule-emphasis:`email.cc; content:"Emily <emily.roberts@example.com>, Ava <ava.johnson@example.com>, Sophia Wilson <sophia.wilson@example.com>";` sid:1;)
email.date
----------
Matches the MIME ``Date`` field of an email.
Comparison is case-sensitive.
Syntax::
email.date; content:"<content to match against>";
``email.date`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
This keyword maps to the EVE field ``email.date``
Example
^^^^^^^
Example of a signature that would alert if a packet contains the MIME field ``date`` with the value ``Fri, 21 Apr 2023 05:10:36 +0000``
.. container:: example-rule
alert smtp any any -> any any (msg:"Test mime email date"; :example-rule-emphasis:`email.date; content:"Fri, 21 Apr 2023 05:10:36 +0000";` sid:1;)
email.message_id
----------------
Matches the MIME ``Message-Id`` field of an email.
Comparison is case-sensitive.
Syntax::
email.message_id; content:"<content to match against>";
``email.message_id`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
This keyword maps to the EVE field ``email.message_id``
Example
^^^^^^^
Example of a signature that would alert if a packet contains the MIME field ``message id`` with the value ``<alpine.DEB.2.00.1311261630120.9535@sd-26634.dedibox.fr>``
.. container:: example-rule
alert smtp any any -> any any (msg:"Test mime email message id"; :example-rule-emphasis:`email.message_id; content:"<alpine.DEB.2.00.1311261630120.9535@sd-26634.dedibox.fr>";` sid:1;)
email.x_mailer
--------------
Matches the MIME ``X-Mailer`` field of an email.
Comparison is case-sensitive.
Syntax::
email.x_mailer; content:"<content to match against>";
``email.x_mailer`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
This keyword maps to the EVE field ``email.x_mailer``
Example
^^^^^^^
Example of a signature that would alert if a packet contains the MIME field ``x-mailer`` with the value ``Microsoft Office Outlook, Build 11.0.5510``
.. container:: example-rule
alert smtp any any -> any any (msg:"Test mime email x-mailer"; :example-rule-emphasis:`email.x_mailer; content:"Microsoft Office Outlook, Build 11.0.5510";` sid:1;)
email.url
---------
Matches ``URL`` extracted of an email.
Comparison is case-sensitive.
Syntax::
email.url; content:"<content to match against>";
``email.url`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
``email.url`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
This keyword maps to the EVE field ``email.url[]``
Example
^^^^^^^
Example of a signature that would alert if an email contains the ``url`` ``test-site.org/blah/123/``.
.. container:: example-rule
alert smtp any any -> any any (msg:"Test mime email url"; :example-rule-emphasis:`email.url; content:"test-site.org/blah/123/";` sid:1;)
email.received
--------------
Matches ``Received`` field of an email.
Comparison is case-sensitive.
Syntax::
email.received; content:"<content to match against>";
``email.received`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
``email.received`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
This keyword maps to the EVE field ``email.received[]``
Example
^^^^^^^
Example of a signature that would alert if a packet contains the MIME field ``received`` with the value ``from [65.201.218.30] (helo=COZOXORY.club)by 173-66-46-112.wash.fios.verizon.net with esmtpa (Exim 4.86)(envelope-from )id 71cF63a9for mirjam@abrakadabra.ch; Mon, 29 Jul 2019 17:01:45 +0000``
.. container:: example-rule
alert smtp any any -> any any (msg:"Test mime email received"; :example-rule-emphasis:`email.received; content:"from [65.201.218.30] (helo=COZOXORY.club)by 173-66-46-112.wash.fios.verizon.net with esmtpa (Exim 4.86)(envelope-from )id 71cF63a9for mirjam@abrakadabra.ch\; Mon, 29 Jul 2019 17:01:45 +0000";` sid:1;)
Reference in New Issue View Git Blame Copy Permalink