Suricata : How to detect IMAP data

tanya · January 3, 2022, 9:02am

Hi,
Anyone has any idea if there is anyway for suricata to detect IMAP data? Does suricata support alert “imap” or is there a way for us to capture the imap related packets?

alert imap any any <> any any (content: “Begin compression”; nocase; sid: 1000001; rev: 1; msg: “Keyword compression found”

i saw some similar question posted via the following links but would like to check if there is any further updates on this?

How to detect POP3 & IMAP?

Many thanks in advance

ics_wong · January 4, 2022, 9:12am

I developed it myself

bsmith · January 5, 2022, 3:30pm

alert imap is supported
https://suricata.readthedocs.io/en/suricata-6.0.3/rules/intro.html?highlight=IMAP#protocol

Topic		Replies	Views
Missing Alert - http.request body (alone) and http.request_body/url_decode in a single rule Rules	2	811	January 4, 2021
Can't detect AMQ message Help	3	611	March 11, 2021
Suricata not trigger Alert via file Pcap record from Wireshark Help	5	711	June 8, 2023
Some match bypass? Rules rules	27	1783	September 17, 2021
Testing ping alert rule Rules suricata	5	3327	July 27, 2022

Suricata : How to detect IMAP data

Related Topics