SMTP - extension based file extraction issue

Hello team,

it looks like the extension based file extraction isn't working properly when the attachment name field contains additional information like its size.
This seems to occur when sending an attachment with a webmailer like Roundcube.

email attachment name: "Invoice_0439.img; size=1245184"

suricata rule:
alert smtp $MTA_SERVERS any -> $EMAIL_SERVERS any (msg:"HUNTING [SOC] SMTP File Transfer (.img)"; fileext:"img"; classtype:bad-unknown; sid:6910209; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor;)

I’m not sure if this is the expected behaviour or an issue.

It can be worked around using mime type based extraction rules.
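As an added illustration of the parsing difference the post describes (example code, not from the original post and not Suricata's own parser): a small Content-Disposition parameter parser beside a naive extractor that takes everything after `filename=`. It assumes the webmailer sends the size as a separate parameter following the filename; the header value is constructed for the example.

```python
# Constructed header value in the shape the post describes (assumption:
# the webmailer emits 'size' as a separate parameter after 'filename').
SAMPLE_HEADER = 'attachment; filename=Invoice_0439.img; size=1245184'

def parse_content_disposition(value):
    """Split a Content-Disposition value into (type, {param: value}).
    Quoted parameter values are honoured, so a ';' inside quotes stays
    part of the filename instead of starting a new parameter."""
    disp_type, _, rest = value.partition(";")
    params = {}
    i = 0
    while i < len(rest):
        eq = rest.find("=", i)
        if eq == -1:
            break                      # trailing junk without '=': stop
        key = rest[i:eq].strip().lower()
        j = eq + 1
        while j < len(rest) and rest[j] == " ":
            j += 1
        if j < len(rest) and rest[j] == '"':
            end = rest.find('"', j + 1)
            end = len(rest) if end == -1 else end
            val, i = rest[j + 1:end], end + 1
        else:
            end = rest.find(";", j)
            end = len(rest) if end == -1 else end
            val, i = rest[j:end].strip(), end
        params[key] = val
        semi = rest.find(";", i)       # skip to the next parameter
        i = len(rest) if semi == -1 else semi + 1
    return disp_type.strip().lower(), params

def naive_filename(value):
    """Mimics an extractor that keeps everything after 'filename='."""
    idx = value.find("filename=")
    return value[idx + len("filename="):].strip() if idx != -1 else ""

def extension(filename):
    """Lower-cased extension of the last path component, '' if none."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def fileext_matches(value, ext):
    """What a fileext:"img" check should see once parameters are split off."""
    _, params = parse_content_disposition(value)
    return extension(params.get("filename", "")) == ext.lower()
```

With the naive extractor the extension becomes "img; size=1245184", so an extension match on "img" fails; the parameter-aware parse yields "img".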


This could be counted as a bug. Can you provide a pcap for that, so we could reproduce it and ideally write a suricata-verify test for it?