App-layer protocol support for "smtp", but no SMTP keywords for rules?

Hi Suricata Folks,

Is there any reason why Suricata does have an app-layer parser / protocol support for SMTP, but no SMTP keywords are available for use in rules?

We want to create some custom ruleset matching malicious e-mail addresses, but we are not able to find any appropriate keyword matching MAIL FROM: <address> as a buffer in the current documentation.

This question is regarding Suricata 6.x.

Thanks for your answers :slight_smile:

I guess there was no one adding this type of keyword/feature. In addition to that you can create it with content and pcre as well (seen that in rulesets). Feel free to add a feature request to redmine and add more use cases if you have some more in mind.
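A content + pcre rule of the kind the reply describes, added here as an example that is not from the thread; the blocklisted sender domain and the sid are constructed placeholders:

```suricata
# Constructed example, not from this thread: match a sender address in the
# SMTP MAIL FROM command with content + pcre, since Suricata 6.x has no
# dedicated MAIL FROM buffer. Domain and sid are placeholders.
alert smtp any any -> any any ( \
    msg:"LOCAL SMTP MAIL FROM matches blocklisted sender (example)"; \
    flow:to_server,established; \
    content:"MAIL FROM:"; nocase; \
    content:"@evil-sender.example"; nocase; distance:0; within:256; \
    pcre:"/^MAIL FROM:\s*<[^>]*@evil-sender\.example>/mi"; \
    classtype:policy-violation; sid:1000001; rev:1; )
```

Without a protocol-specific buffer the content and pcre matches run against the raw client-to-server stream, so a "MAIL FROM:" line quoted inside a message body can also trigger the rule; the anchored pcre and `nocase` cover the optional whitespace and case-insensitive command the SMTP client may send.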

Thanks for the quick reply :+1:

I created a feature request ticket in Redmine with some use cases:
Feature #6198: Feature Request: Add “SMTP” keywords for use in rules - Suricata - Open Information Security Foundation (