8.37. SMTP Keywords

8.37.1. file.name

The file.name keyword can be used at the SMTP application level.

Signature Example:

alert smtp any any -> any any (msg:"SMTP file.name usage"; file.name; content:"winmail.dat"; classtype:bad-unknown; sid:1; rev:1;)

For additional information on the file.name keyword, see File Keywords.

8.37.2. smtp.helo

SMTP helo is the parameter passed to the first HELO command from the client. This keyword matches per transaction, so it can match more than once per flow, even if the HELO occurred only once at the beginning of the flow.

Syntax:

smtp.helo; content:"localhost";

Signature example:

alert smtp any any -> any any (msg:"SMTP helo localhost"; smtp.helo; content:"localhost"; sid:2; rev:1;)

smtp.helo is a 'sticky buffer'.

smtp.helo can be used as fast_pattern.

This keyword maps to the eve.json log field smtp.helo

8.37.3. smtp.mail_from

SMTP mail from is the parameter passed to the first MAIL FROM command from the client.

Syntax:

smtp.mail_from; content:"spam";

Signature example:

alert smtp any any -> any any (msg:"SMTP mail from spam"; smtp.mail_from; content:"spam"; sid:2; rev:1;)

smtp.mail_from is a 'sticky buffer'.

smtp.mail_from can be used as fast_pattern.

This keyword maps to the eve.json log field smtp.mail_from

8.37.4. smtp.rcpt_to

SMTP rcpt to is the parameter passed to a RCPT TO command from the client; a transaction can contain several RCPT TO commands, each contributing one buffer.

Syntax:

smtp.rcpt_to; content:"sensitive@target";

Signature example:

alert smtp any any -> any any (msg:"SMTP rcpt to sensitive"; smtp.rcpt_to; content:"sensitive@target"; sid:2; rev:1;)

smtp.rcpt_to is a 'sticky buffer'.

smtp.rcpt_to is a 'multi buffer'.

smtp.rcpt_to can be used as fast_pattern.

This keyword maps to the eve.json log field smtp.rcpt_to[]

8.37.5. Frames

The SMTP parser supports the following frames:

  • smtp.command_line

  • smtp.response_line

  • smtp.data

  • smtp.stream

8.37.5.1. smtp.command_line

A single line from the client to the server. Multi-line commands will have a frame per line. Lines part of the SMTP DATA transfer are excluded.

alert smtp any any -> any any ( frame:smtp.command_line; content:"MAIL|20|FROM:"; startswith; sid:1;)

8.37.5.2. smtp.response_line

A single line from the server to the client. Multi-line responses will have a frame per line.

alert smtp any any -> any any ( frame:smtp.response_line; content:"354 go ahead"; startswith; sid:1;)

8.37.5.3. smtp.data

A streaming buffer containing the DATA bytes sent from client to server.

alert smtp any any -> any any ( frame:smtp.data; content:"Reply-To:"; startswith; content:"Subject"; distance:0; sid:1;)

8.37.5.4. smtp.stream

Streaming buffer of the entire TCP data for the SMTP session.

alert smtp any any -> any any (flow:to_client; frame:smtp.stream; content:"250 ok|0d 0a|354 go ahead"; sid:1;)
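As an added illustration that is not part of the Suricata documentation, the following Python models how one constructed client transaction is split into the sticky buffers of 8.37.2 to 8.37.4 and the frames of 8.37.5. The session bytes, function names and the simplified parsing are assumptions for the example, not Suricata's parser.

```python
# Added example, not Suricata's own code: models how one constructed SMTP
# client transaction is split into the sticky buffers (smtp.helo,
# smtp.mail_from, smtp.rcpt_to) and the frames described in this section.
# Pipelining, BDAT, STARTTLS and dot-unstuffing are deliberately not covered.

CRLF = b"\r\n"

# Constructed client-side bytes for one transaction; this whole byte string
# is what the smtp.stream frame would cover in the to_server direction.
CLIENT_STREAM = CRLF.join([
    b"HELO localhost",
    b"MAIL FROM:<spam@example.invalid>",
    b"RCPT TO:<sensitive@target>",
    b"RCPT TO:<other@target>",
    b"DATA",
    b"Reply-To: <spam@example.invalid>",
    b"Subject: hello",
    b"",
    b"body text",
    b".",
    b"QUIT",
]) + CRLF


def parse_client(stream: bytes) -> dict:
    """Split client bytes into smtp.command_line frames, the smtp.data frame
    and the per-transaction sticky buffers (hypothetical helper)."""
    out = {"helo": None, "mail_from": None, "rcpt_to": [],
           "command_line": [], "data": b""}
    in_data = False
    for line in stream.split(CRLF)[:-1]:        # trailing CRLF leaves an empty tail
        if in_data:
            if line == b".":                    # end-of-DATA marker
                in_data = False
            else:
                out["data"] += line + CRLF      # DATA lines are not command_line frames
            continue
        out["command_line"].append(line)        # one frame per client line
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"HELO" and out["helo"] is None:
            out["helo"] = arg                   # only the first HELO is kept
        elif line.upper().startswith(b"MAIL FROM:") and out["mail_from"] is None:
            out["mail_from"] = line[len(b"MAIL FROM:"):].strip()
        elif line.upper().startswith(b"RCPT TO:"):
            out["rcpt_to"].append(line[len(b"RCPT TO:"):].strip())  # multi buffer
        elif verb.upper() == b"DATA":
            in_data = True
    return out


def content_match(buf, needle: bytes) -> bool:
    """content: semantics on a buffer; a multi buffer (list) matches when any
    instance contains the needle, a single buffer when it does."""
    bufs = buf if isinstance(buf, list) else [buf]
    return any(b is not None and needle in b for b in bufs)
```

Running the page's smtp.rcpt_to and smtp.data examples against this session shows why rcpt_to needs multi-buffer semantics: the second RCPT TO would otherwise hide the first.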