SMTP - PARSE_ERROR (File extraction bypass)

Hello team,

It looks like Suricata is unable to successfully parse emails using the encoding trick from the following site:

and therefore bypassing the file extraction feature.

Flag:
email.status: PARSE_ERROR

I can’t share a corresponding pcap but you can reproduce it with the link above.

I’m running on Suricata 6.0.8.

Thanks in advance,
jiivas

Hello!
Thank you for your report.
I think for any further analysis, we’ll need a pcap. If you cannot share the pcap publicly, you can share it with us on a private channel (email to: shivani@oisf.net), or, if not the same pcap, some other one that behaves the same way?
Thanks a lot! Sorry for the trouble.