Suricata : How to detect IMAP data

tanya · January 3, 2022, 9:02am

Hi,
Anyone has any idea if there is anyway for suricata to detect IMAP data? Does suricata support alert “imap” or is there a way for us to capture the imap related packets?

alert imap any any <> any any (content: “Begin compression”; nocase; sid: 1000001; rev: 1; msg: “Keyword compression found”

i saw some similar question posted via the following links but would like to check if there is any further updates on this?

How to detect POP3 & IMAP?

Many thanks in advance

ics_wong · January 4, 2022, 9:12am

I developed it myself

bsmith · January 5, 2022, 3:30pm

alert imap is supported
https://suricata.readthedocs.io/en/suricata-6.0.3/rules/intro.html?highlight=IMAP#protocol

Topic		Replies	Views
How to detect POP3 & IMAP? Help	4	2748	August 29, 2021
Most simple rule with "content" keyword doesn't work Rules rules , suricata	1	101	July 31, 2024
Can't detect AMQ message Help	3	669	March 11, 2021
Suricata not trigger Alert via file Pcap record from Wireshark Help	5	1002	June 8, 2023
Some match bypass? Rules rules	27	1960	September 17, 2021

Suricata : How to detect IMAP data

Related topics