8. Suricata Rules

• 8.1. Rules Format
  • 8.1.1. Action
  • 8.1.2. Protocol
  • 8.1.3. Source and destination
  • 8.1.4. Ports (source and destination)
  • 8.1.5. Direction
    • 8.1.5.1. Transactional rules
  • 8.1.6. Rule options
    • 8.1.6.1. Disabling Alerts
    • 8.1.6.2. Modifier Keywords
    • 8.1.6.3. Normalized Buffers
• 8.2. Meta Keywords
  • 8.2.1. msg (message)
  • 8.2.2. sid (signature ID)
  • 8.2.3. rev (revision)
  • 8.2.4. gid (group ID)
  • 8.2.5. classtype
  • 8.2.6. reference
  • 8.2.7. priority
  • 8.2.8. metadata
  • 8.2.9. target
  • 8.2.10. requires
• 8.3. IP Keywords
  • 8.3.1. ttl
  • 8.3.2. ipopts
  • 8.3.3. sameip
  • 8.3.4. ip_proto
  • 8.3.5. ipv4.hdr
  • 8.3.6. ipv6.hdr
  • 8.3.7. id
  • 8.3.8. geoip
  • 8.3.9. fragbits (IP fragmentation)
  • 8.3.10. fragoffset
  • 8.3.11. tos
• 8.4. TCP keywords
  • 8.4.1. tcp.flags
  • 8.4.2. seq
  • 8.4.3. ack
  • 8.4.4. window
  • 8.4.5. tcp.mss
  • 8.4.6. tcp.hdr
• 8.5. UDP keywords
  • 8.5.1. udp.hdr
• 8.6. ICMP keywords
  • 8.6.1. itype
  • 8.6.2. icode
  • 8.6.3. icmp_id
  • 8.6.4. icmp_seq
  • 8.6.5. icmpv4.hdr
  • 8.6.6. icmpv6.hdr
  • 8.6.7. icmpv6.mtu
• 8.7. Payload Keywords
  • 8.7.1. content
  • 8.7.2. nocase
  • 8.7.3. depth
  • 8.7.4. startswith
  • 8.7.5. endswith
  • 8.7.6. offset
  • 8.7.7. distance
  • 8.7.8. within
  • 8.7.9. rawbytes
  • 8.7.10. isdataat
  • 8.7.11. absent
  • 8.7.12. bsize
  • 8.7.13. dsize
  • 8.7.14. byte_test
  • 8.7.15. byte_math
  • 8.7.16. byte_jump
  • 8.7.17. byte_extract
  • 8.7.18. entropy
  • 8.7.19. rpc
  • 8.7.20. replace
  • 8.7.21. pcre (Perl Compatible Regular Expressions)
    • 8.7.21.1. Suricata's modifiers
    • 8.7.21.2. Changes from PCRE1 to PCRE2
• 8.8. Integer Keywords
  • 8.8.1. Comparison modes
  • 8.8.2. Enumerations
  • 8.8.3. Bitmasks
• 8.9. Transformations
  • 8.9.1. dotprefix
  • 8.9.2. domain
  • 8.9.3. tld
  • 8.9.4. strip_whitespace
  • 8.9.5. compress_whitespace
  • 8.9.6. to_lowercase
  • 8.9.7. to_md5
  • 8.9.8. to_uppercase
  • 8.9.9. to_sha1
  • 8.9.10. to_sha256
  • 8.9.11. pcrexform
  • 8.9.12. url_decode
  • 8.9.13. xor
  • 8.9.14. header_lowercase
  • 8.9.15. strip_pseudo_headers
  • 8.9.16. from_base64
• 8.10. Prefiltering Keywords
  • 8.10.1. fast_pattern
    • 8.10.1.1. Suricata Fast Pattern Determination Explained
      • 8.10.1.1.1. Appendices
        • 8.10.1.1.1.1. Appendix A - Pattern Strength Algorithm
    • 8.10.1.2. fast_pattern:only
    • 8.10.1.3. fast_pattern:'chop'
  • 8.10.2. prefilter
• 8.11. Flow Keywords
  • 8.11.1. flowbits
  • 8.11.2. flow
  • 8.11.3. flowint
  • 8.11.4. stream_size
  • 8.11.5. flow.age
  • 8.11.6. flow.pkts
  • 8.11.7. flow.bytes
• 8.12. Bypass Keyword
  • 8.12.1. bypass
• 8.13. HTTP Keywords
  • 8.13.1. HTTP Primer
  • 8.13.2. Normalization
    • 8.13.2.1. Duplicate Header Names
  • 8.13.3. file.name
  • 8.13.4. http.accept
  • 8.13.5. http.accept_enc
  • 8.13.6. http.accept_lang
  • 8.13.7. http.host
  • 8.13.8. http.host.raw
  • 8.13.9. http.method
  • 8.13.10. http.referer
  • 8.13.11. http.request_body
  • 8.13.12. http.request_header
  • 8.13.13. http.request_line
  • 8.13.14. http.uri
  • 8.13.15. http.uri.raw
  • 8.13.16. http.user_agent
  • 8.13.17. urilen
  • 8.13.18. http.location
  • 8.13.19. http.response_body
  • 8.13.20. http.response_header
  • 8.13.21. http.response_line
  • 8.13.22. http.server
  • 8.13.23. http.stat_code
  • 8.13.24. http.stat_msg
  • 8.13.25. file.data
  • 8.13.26. http.connection
  • 8.13.27. http.content_len
  • 8.13.28. http.content_type
  • 8.13.29. http.cookie
  • 8.13.30. http.header
  • 8.13.31. http.header.raw
  • 8.13.32. http.header_names
  • 8.13.33. http.protocol
  • 8.13.34. http.start
• 8.14. File Keywords
  • 8.14.1. file.data
  • 8.14.2. file.name
  • 8.14.3. fileext
  • 8.14.4. file.magic
  • 8.14.5. filestore
  • 8.14.6. filemd5
  • 8.14.7. filesha1
  • 8.14.8. filesha256
  • 8.14.9. filesize
• 8.15. DNS Keywords
  • 8.15.1. dns.opcode
    • 8.15.1.1. Syntax
    • 8.15.1.2. Examples
  • 8.15.2. dns.rcode
    • 8.15.2.1. Syntax
    • 8.15.2.2. Examples
  • 8.15.3. dns.rrtype
    • 8.15.3.1. Syntax
    • 8.15.3.2. Examples
  • 8.15.4. dns.query
    • 8.15.4.1. Normalized Buffer
  • 8.15.5. dns.queries.rrname
  • 8.15.6. dns.answers.rrname
  • 8.15.7. dns.authorities.rrname
  • 8.15.8. dns.additionals.rrname
  • 8.15.9. dns.response.rrname
• 8.16. SSL/TLS Keywords
  • 8.16.1. tls.cert_subject
    • 8.16.1.1. tls.subject
  • 8.16.2. tls.cert_issuer
    • 8.16.2.1. tls.issuerdn
  • 8.16.3. tls.cert_serial
  • 8.16.4. tls.cert_fingerprint
  • 8.16.5. tls.sni
  • 8.16.6. tls.subjectaltname
  • 8.16.7. tls_cert_notbefore
  • 8.16.8. tls_cert_notafter
  • 8.16.9. tls_cert_expired
  • 8.16.10. tls_cert_valid
  • 8.16.11. tls.certs
  • 8.16.12. tls.version
  • 8.16.13. ssl_version
  • 8.16.14. tls.fingerprint
  • 8.16.15. tls.store
  • 8.16.16. ssl_state
  • 8.16.17. tls.random
  • 8.16.18. tls.random_time
  • 8.16.19. tls.random_bytes
  • 8.16.20. tls.cert_chain_len
  • 8.16.21. tls.alpn
• 8.17. SSH Keywords
  • 8.17.1. Hooks
  • 8.17.2. Frames
  • 8.17.3. ssh.proto
  • 8.17.4. ssh.software
  • 8.17.5. ssh.hassh
  • 8.17.6. ssh.hassh.string
  • 8.17.7. ssh.hassh.server
  • 8.17.8. ssh.hassh.server.string
• 8.18. JA3/JA4 Keywords
  • 8.18.1. ja3.hash
  • 8.18.2. ja3.string
  • 8.18.3. ja3s.hash
  • 8.18.4. ja3s.string
  • 8.18.5. ja4.hash
• 8.19. Modbus Keyword
• 8.20. DCERPC Keywords
  • 8.20.1. dcerpc.iface
  • 8.20.2. dcerpc.opnum
  • 8.20.3. dcerpc.stub_data
  • 8.20.4. Additional information
• 8.21. DHCP keywords
  • 8.21.1. dhcp.leasetime
  • 8.21.2. dhcp.rebinding_time
  • 8.21.3. dhcp.renewal_time
• 8.22. DNP3 Keywords
  • 8.22.1. dnp3_func
    • 8.22.1.1. Syntax
  • 8.22.2. dnp3_ind
    • 8.22.2.1. Syntax
    • 8.22.2.2. Examples
  • 8.22.3. dnp3_obj
    • 8.22.3.1. Syntax
  • 8.22.4. dnp3_data
    • 8.22.4.1. Syntax
    • 8.22.4.2. Example
• 8.23. ENIP/CIP Keywords
  • 8.23.1. enip_command
  • 8.23.2. cip_service
  • 8.23.3. enip.status
  • 8.23.4. enip.protocol_version
  • 8.23.5. enip.cip_attribute
  • 8.23.6. enip.cip_instance
  • 8.23.7. enip.cip_class
  • 8.23.8. enip.cip_extendedstatus
  • 8.23.9. enip.revision
  • 8.23.10. enip.identity_status
  • 8.23.11. enip.state
  • 8.23.12. enip.serial
  • 8.23.13. enip.product_code
  • 8.23.14. enip.device_type
  • 8.23.15. enip.vendor_id
  • 8.23.16. enip.product_name
  • 8.23.17. enip.service_name
  • 8.23.18. enip.capabilities
  • 8.23.19. enip.cip_status
• 8.24. FTP/FTP-DATA Keywords
  • 8.24.1. ftpdata_command
  • 8.24.2. ftpbounce
  • 8.24.3. file.name
  • 8.24.4. ftp.command
  • 8.24.5. ftp.command_data
  • 8.24.6. ftp.dynamic_port
  • 8.24.7. ftp.reply
• 8.25. Kerberos Keywords
  • 8.25.1. krb5_msg_type
  • 8.25.2. krb5_cname
  • 8.25.3. krb5_sname
  • 8.25.4. krb5_err_code
  • 8.25.5. krb5.weak_encryption (event)
  • 8.25.6. krb5.malformed_data (event)
  • 8.25.7. krb5.ticket_encryption
• 8.26. SMB Keywords
  • 8.26.1. smb.named_pipe
  • 8.26.2. smb.share
  • 8.26.3. smb.ntlmssp_user
  • 8.26.4. smb.ntlmssp_domain
  • 8.26.5. smb.version
    • 8.26.5.1. Matching in transition from SMBv1 to SMBv2
    • 8.26.5.2. Will smb.version match SMBv3 traffic?
  • 8.26.6. file.name
• 8.27. SNMP keywords
  • 8.27.1. snmp.version
  • 8.27.2. snmp.community
  • 8.27.3. snmp.usm
  • 8.27.4. snmp.pdu_type
• 8.28. Base64 keywords
  • 8.28.1. base64_decode
  • 8.28.2. base64_data
  • 8.28.3. Example
• 8.29. SIP Keywords
  • 8.29.1. sip.method
    • 8.29.1.1. Syntax
    • 8.29.1.2. Examples
  • 8.29.2. sip.uri
    • 8.29.2.1. Syntax
    • 8.29.2.2. Examples
  • 8.29.3. sip.request_line
    • 8.29.3.1. Syntax
    • 8.29.3.2. Examples
  • 8.29.4. sip.stat_code
    • 8.29.4.1. Syntax
    • 8.29.4.2. Examples
  • 8.29.5. sip.stat_msg
    • 8.29.5.1. Syntax
    • 8.29.5.2. Examples
  • 8.29.6. sip.response_line
    • 8.29.6.1. Syntax
    • 8.29.6.2. Examples
  • 8.29.7. sip.protocol
    • 8.29.7.1. Syntax
    • 8.29.7.2. Example
  • 8.29.8. sip.from
    • 8.29.8.1. Syntax
    • 8.29.8.2. Example
  • 8.29.9. sip.to
    • 8.29.9.1. Syntax
    • 8.29.9.2. Example
  • 8.29.10. sip.via
    • 8.29.10.1. Syntax
    • 8.29.10.2. Example
  • 8.29.11. sip.user_agent
    • 8.29.11.1. Syntax
    • 8.29.11.2. Example
  • 8.29.12. sip.content_type
    • 8.29.12.1. Syntax
    • 8.29.12.2. Example
  • 8.29.13. sip.content_length
    • 8.29.13.1. Syntax
    • 8.29.13.2. Example
• 8.30. SDP Keywords
  • 8.30.1. sdp.origin
    • 8.30.1.1. Syntax
    • 8.30.1.2. Examples
  • 8.30.2. sdp.session_name
    • 8.30.2.1. Syntax
    • 8.30.2.2. Examples
  • 8.30.3. sdp.session_info
    • 8.30.3.1. Syntax
    • 8.30.3.2. Examples
  • 8.30.4. sdp.uri
    • 8.30.4.1. Syntax
    • 8.30.4.2. Examples
  • 8.30.5. sdp.email
    • 8.30.5.1. Syntax
    • 8.30.5.2. Examples
  • 8.30.6. sdp.phone_number
    • 8.30.6.1. Syntax
    • 8.30.6.2. Examples
  • 8.30.7. sdp.connection_data
    • 8.30.7.1. Syntax
    • 8.30.7.2. Examples
  • 8.30.8. sdp.bandwidth
    • 8.30.8.1. Syntax
    • 8.30.8.2. Example
  • 8.30.9. sdp.time
    • 8.30.9.1. Syntax
    • 8.30.9.2. Example
  • 8.30.10. sdp.repeat_time
    • 8.30.10.1. Syntax
    • 8.30.10.2. Example
  • 8.30.11. sdp.timezone
    • 8.30.11.1. Syntax
    • 8.30.11.2. Example
  • 8.30.12. sdp.encryption_key
    • 8.30.12.1. Syntax
    • 8.30.12.2. Example
  • 8.30.13. sdp.attribute
    • 8.30.13.1. Syntax
    • 8.30.13.2. Example
  • 8.30.14. sdp.media.media
    • 8.30.14.1. Syntax
    • 8.30.14.2. Example
  • 8.30.15. sdp.media.session_info
    • 8.30.15.1. Syntax
    • 8.30.15.2. Example
  • 8.30.16. sdp.media.connection_data
    • 8.30.16.1. Syntax
    • 8.30.16.2. Example
  • 8.30.17. sdp.media.encryption_key
    • 8.30.17.1. Syntax
    • 8.30.17.2. Example
• 8.31. RFB Keywords
  • 8.31.1. rfb.name
  • 8.31.2. rfb.secresult
  • 8.31.3. rfb.sectype
  • 8.31.4. Additional information
• 8.32. MQTT Keywords
  • 8.32.1. mqtt.protocol_version
  • 8.32.2. mqtt.type
  • 8.32.3. mqtt.flags
  • 8.32.4. mqtt.qos
  • 8.32.5. mqtt.reason_code
  • 8.32.6. mqtt.connack.session_present
  • 8.32.7. mqtt.connect.clientid
  • 8.32.8. mqtt.connect.flags
  • 8.32.9. mqtt.connect.password
  • 8.32.10. mqtt.connect.protocol_string
  • 8.32.11. mqtt.connect.username
  • 8.32.12. mqtt.connect.willmessage
  • 8.32.13. mqtt.connect.willtopic
  • 8.32.14. mqtt.publish.message
  • 8.32.15. mqtt.publish.topic
  • 8.32.16. mqtt.subscribe.topic
  • 8.32.17. mqtt.unsubscribe.topic
  • 8.32.18. Additional information
• 8.33. IKE Keywords
  • 8.33.1. ike.init_spi, ike.resp_spi
  • 8.33.2. ike.chosen_sa_attribute
  • 8.33.3. ike.exchtype
  • 8.33.4. ike.vendor
  • 8.33.5. ike.key_exchange_payload
  • 8.33.6. ike.key_exchange_payload_length
  • 8.33.7. ike.nonce_payload
  • 8.33.8. ike.nonce_payload_length
  • 8.33.9. Additional information
• 8.34. HTTP2 Keywords
  • 8.34.1. Frames
  • 8.34.2. http2.frametype
  • 8.34.3. http2.errorcode
  • 8.34.4. http2.priority
  • 8.34.5. http2.window
  • 8.34.6. http2.size_update
  • 8.34.7. http2.settings
  • 8.34.8. http2.header_name
  • 8.34.9. Additional information
• 8.35. Quic Keywords
  • 8.35.1. quic.cyu.hash
  • 8.35.2. quic.cyu.string
  • 8.35.3. quic.version
  • 8.35.4. Additional information
• 8.36. NFS Keywords
  • 8.36.1. file.name
• 8.37. SMTP Keywords
  • 8.37.1. file.name
  • 8.37.2. smtp.helo
  • 8.37.3. smtp.mail_from
  • 8.37.4. smtp.rcpt_to
  • 8.37.5. Frames
    • 8.37.5.1. smtp.command_line
    • 8.37.5.2. smtp.response_line
    • 8.37.5.3. smtp.data
    • 8.37.5.4. smtp.stream
• 8.38. WebSocket Keywords
  • 8.38.1. websocket.payload
  • 8.38.2. websocket.flags
  • 8.38.3. websocket.mask
  • 8.38.4. websocket.opcode
• 8.39. Generic App Layer Keywords
  • 8.39.1. app-layer-protocol
    • 8.39.1.1. Bail out conditions
  • 8.39.2. app-layer-event
    • 8.39.2.1. Protocol Detection
      • 8.39.2.1.1. applayer_mismatch_protocol_both_directions
      • 8.39.2.1.2. applayer_wrong_direction_first_data
      • 8.39.2.1.3. applayer_detect_protocol_only_one_direction
      • 8.39.2.1.4. applayer_proto_detection_skipped
  • 8.39.3. app-layer-state
• 8.40. Generic Decode Layer Keywords
  • 8.40.1. decode-event
    • 8.40.1.1. Decode Events
      • 8.40.1.1.1. ethernet.unknown_ethertype
• 8.41. Xbits Keyword
  • 8.41.1. Notes
    • 8.41.1.1. YAML settings
    • 8.41.1.2. Threading
    • 8.41.1.3. Unix Socket
    • 8.41.1.4. Examples
      • 8.41.1.4.1. Creating a SSH blacklist
• 8.42. Alert Keywords
  • 8.42.1. noalert
  • 8.42.2. alert
• 8.43. Thresholding Keywords
  • 8.43.1. threshold
    • 8.43.1.1. type "threshold"
    • 8.43.1.2. type "limit"
    • 8.43.1.3. type "both"
    • 8.43.1.4. type "backoff"
    • 8.43.1.5. track
  • 8.43.2. detection_filter
• 8.44. IP Reputation Keyword
  • 8.44.1. iprep
    • 8.44.1.1. isset and isnotset
    • 8.44.1.2. Compatibility with IP-only
• 8.45. IP Addresses Match
  • 8.45.1. ip.src
  • 8.45.2. ip.dst
• 8.46. Config Rules
  • 8.46.1. Keyword
  • 8.46.2. Action
• 8.47. Datasets
  • 8.47.1. Global config (optional)
  • 8.47.2. Rule keywords
    • 8.47.2.1. dataset
    • 8.47.2.2. datarep
  • 8.47.3. Rule Reloads
  • 8.47.4. Unix Socket
    • 8.47.4.1. dataset-add
    • 8.47.4.2. dataset-remove
    • 8.47.4.3. dataset-clear
    • 8.47.4.4. dataset-lookup
    • 8.47.4.5. dataset-dump
  • 8.47.5. File formats
    • 8.47.5.1. data types
    • 8.47.5.2. dataset
    • 8.47.5.3. datarep
  • 8.47.6. File Locations
  • 8.47.7. Security
• 8.48. Lua Scripting for Detection
  • 8.48.1. Init function
  • 8.48.2. Match function
  • 8.48.3. Sandbox and Available functions
• 8.49. Differences From Snort
  • 8.49.1. Automatic Protocol Detection
  • 8.49.2. urilen Keyword
  • 8.49.3. http_uri Buffer
  • 8.49.4. http_header Buffer
  • 8.49.5. http_cookie Buffer
  • 8.49.6. New HTTP keywords
  • 8.49.7. byte_extract Keyword
  • 8.49.8. byte_jump Keyword
  • 8.49.9. byte_math Keyword
  • 8.49.10. byte_test Keyword
  • 8.49.11. isdataat Keyword
  • 8.49.12. Relative PCRE
  • 8.49.13. tls* Keywords
  • 8.49.14. dns_query Keyword
  • 8.49.15. IP Reputation and iprep Keyword
  • 8.49.16. Flowbits
  • 8.49.17. flowbits:noalert;
  • 8.49.18. Negated Content Match Special Case
  • 8.49.19. File Extraction
  • 8.49.20. Lua Scripting
  • 8.49.21. Fast Pattern
  • 8.49.22. Don't Cross The Streams
  • 8.49.23. Alerts
  • 8.49.24. Buffer Reference Chart
• 8.50. Multiple Buffer Matching
• 8.51. Tag
  • 8.51.1. Syntax
  • 8.51.2. Examples
  • 8.51.3. How to Use Tags
    • 8.51.3.1. EVE
    • 8.51.3.2. Conditional PCAP Logging
  • 8.51.4. Tracking by Host/Flow
• 8.52. VLAN Keywords
  • 8.52.1. vlan.id
    • 8.52.1.1. Examples
  • 8.52.2. vlan.layers
    • 8.52.2.1. Examples
• 8.53. LDAP Keywords
  • 8.53.1. LDAP Request and Response operations
  • 8.53.2. ldap.request.operation
    • 8.53.2.1. Examples
  • 8.53.3. ldap.responses.operation
    • 8.53.3.1. Examples
  • 8.53.4. ldap.responses.count
    • 8.53.4.1. Examples
  • 8.53.5. ldap.request.dn
    • 8.53.5.1. Example
  • 8.53.6. ldap.responses.dn
    • 8.53.6.1. Example
  • 8.53.7. ldap.responses.result_code
    • 8.53.7.1. Examples
  • 8.53.8. ldap.responses.message
    • 8.53.8.1. Example
  • 8.53.9. ldap.request.attribute_type
    • 8.53.9.1. Example
  • 8.53.10. ldap.responses.attribute_type
    • 8.53.10.1. Example
• 8.54. Rule Types and Categorization
  • 8.54.1. Signature Properties
    • 8.54.1.1. Signature: Require Real Packet
  • 8.54.2. Signature Types and Variable-like Keywords
    • 8.54.2.1. Flowbits: isset
  • 8.54.3. Signatures per Type
    • 8.54.3.1. Decoder Events Only
      • 8.54.3.1.1. Example
      • 8.54.3.1.2. Engine-Analysis Report
    • 8.54.3.2. Packet
      • 8.54.3.2.1. Examples
      • 8.54.3.2.2. Engine-Analysis Report
    • 8.54.3.3. IP Only
      • 8.54.3.3.1. Examples
      • 8.54.3.3.2. Engine-Analysis Report
    • 8.54.3.4. IP Only (contains negated address)
      • 8.54.3.4.1. Examples
      • 8.54.3.4.2. Engine-Analysis Report
    • 8.54.3.5. Protocol Detection Only
      • 8.54.3.5.1. Examples
      • 8.54.3.5.2. Engine-Analysis Report
    • 8.54.3.6. Packet-Stream
      • 8.54.3.6.1. Examples
      • 8.54.3.6.2. Engine-Analysis Report
    • 8.54.3.7. Stream
      • 8.54.3.7.1. Examples
      • 8.54.3.7.2. Engine-Analysis Report
    • 8.54.3.8. Application Layer Protocol
      • 8.54.3.8.1. Examples
      • 8.54.3.8.2. Engine-Analysis Report
    • 8.54.3.9. Application Layer Protocol Transactions
      • 8.54.3.9.1. Examples
      • 8.54.3.9.2. Engine-Analysis Report
  • 8.54.4. Detailed Flowcharts
    • 8.54.4.1. IP Only and IP Only with negated addresses
    • 8.54.4.2. Protocol Detection Only
    • 8.54.4.3. Application Layer Protocol, Transaction, Packet, Stream and Stream-Packet rules
• 8.55. Email Keywords
  • 8.55.1. email.from
    • 8.55.1.1. Example
  • 8.55.2. email.subject
    • 8.55.2.1. Example
  • 8.55.3. email.to
    • 8.55.3.1. Example
  • 8.55.4. email.cc
    • 8.55.4.1. Example
  • 8.55.5. email.date
    • 8.55.5.1. Example
  • 8.55.6. email.message_id
    • 8.55.6.1. Example
  • 8.55.7. email.x_mailer
    • 8.55.7.1. Example
  • 8.55.8. email.url
    • 8.55.8.1. Example
  • 8.55.9. email.received
    • 8.55.9.1. Example