8.56. Email Keywords

8.56.1. email.from

Matches the MIME From field of an email.

Comparison is case-sensitive.

Syntax:

email.from; content:"<content to match against>";

email.from is a 'sticky buffer' and can be used as a fast_pattern.

This keyword maps to the EVE field email.from

8.56.1.1. Example

Example of a signature that would alert if a packet contains the MIME field from with the value toto <toto@gmail.com>

alert smtp any any -> any any (msg:"Test mime email from"; email.from; content:"toto <toto@gmail.com>"; sid:1;)

8.56.2. email.subject

Matches the MIME Subject field of an email.

Comparison is case-sensitive.

Syntax:

email.subject; content:"<content to match against>";

email.subject is a 'sticky buffer' and can be used as a fast_pattern.

This keyword maps to the EVE field email.subject

8.56.2.1. Example

Example of a signature that would alert if a packet contains the MIME field subject with the value This is a test email

alert smtp any any -> any any (msg:"Test mime email subject"; email.subject; content:"This is a test email"; sid:1;)

8.56.3. email.to

Matches the MIME To field of an email.

Comparison is case-sensitive.

Syntax:

email.to; content:"<content to match against>";

email.to is a 'sticky buffer' and can be used as a fast_pattern.

This keyword maps to the EVE field email.to

8.56.3.1. Example

Example of a signature that would alert if a packet contains the MIME field to with the value 172.16.92.2@linuxbox

alert smtp any any -> any any (msg:"Test mime email to"; email.to; content:"172.16.92.2@linuxbox"; sid:1;)

8.56.4. email.cc

Matches the MIME Cc field of an email.

Comparison is case-sensitive.

Syntax:

email.cc; content:"<content to match against>";

email.cc is a 'sticky buffer' and can be used as a fast_pattern.

This keyword maps to the EVE field email.cc[]

8.56.4.1. Example

Example of a signature that would alert if a packet contains the MIME field cc with the value Emily <emily.roberts@example.com>, Ava <ava.johnson@example.com>, Sophia Wilson <sophia.wilson@example.com>

alert smtp any any -> any any (msg:"Test mime email cc"; email.cc; content:"Emily <emily.roberts@example.com>, Ava <ava.johnson@example.com>, Sophia Wilson <sophia.wilson@example.com>"; sid:1;)

8.56.5. email.date

Matches the MIME Date field of an email.

Comparison is case-sensitive.

Syntax:

email.date; content:"<content to match against>";

email.date is a 'sticky buffer' and can be used as a fast_pattern.

This keyword maps to the EVE field email.date

8.56.5.1. Example

Example of a signature that would alert if a packet contains the MIME field date with the value Fri, 21 Apr 2023 05:10:36 +0000

alert smtp any any -> any any (msg:"Test mime email date"; email.date; content:"Fri, 21 Apr 2023 05:10:36 +0000"; sid:1;)

8.56.6. email.message_id

Matches the MIME Message-Id field of an email.

Comparison is case-sensitive.

Syntax:

email.message_id; content:"<content to match against>";

email.message_id is a 'sticky buffer' and can be used as a fast_pattern.

This keyword maps to the EVE field email.message_id

8.56.6.1. Example

Example of a signature that would alert if a packet contains the MIME field message id with the value <alpine.DEB.2.00.1311261630120.9535@sd-26634.dedibox.fr>

alert smtp any any -> any any (msg:"Test mime email message id"; email.message_id; content:"<alpine.DEB.2.00.1311261630120.9535@sd-26634.dedibox.fr>"; sid:1;)

8.56.7. email.x_mailer

Matches the MIME X-Mailer field of an email.

Comparison is case-sensitive.

Syntax:

email.x_mailer; content:"<content to match against>";

email.x_mailer is a 'sticky buffer' and can be used as a fast_pattern.

This keyword maps to the EVE field email.x_mailer

8.56.7.1. Example

Example of a signature that would alert if a packet contains the MIME field x-mailer with the value Microsoft Office Outlook, Build 11.0.5510

alert smtp any any -> any any (msg:"Test mime email x-mailer"; email.x_mailer; content:"Microsoft Office Outlook, Build 11.0.5510"; sid:1;)

8.56.8. email.url

Matches URL extracted of an email.

Comparison is case-sensitive.

Syntax:

email.url; content:"<content to match against>";

email.url is a 'sticky buffer' and can be used as a fast_pattern.

email.url supports multiple buffer matching, see Multiple Buffer Matching.

This keyword maps to the EVE field email.url[]

8.56.8.1. Example

Example of a signature that would alert if an email contains the url test-site.org/blah/123/.

alert smtp any any -> any any (msg:"Test mime email url"; email.url; content:"test-site.org/blah/123/"; sid:1;)

8.56.9. email.received

Matches Received field of an email.

Comparison is case-sensitive.

Syntax:

email.received; content:"<content to match against>";

email.received is a 'sticky buffer' and can be used as a fast_pattern.

email.received supports multiple buffer matching, see Multiple Buffer Matching.

This keyword maps to the EVE field email.received[]

8.56.9.1. Example

Example of a signature that would alert if a packet contains the MIME field received with the value from [65.201.218.30] (helo=COZOXORY.club)by 173-66-46-112.wash.fios.verizon.net with esmtpa (Exim 4.86)(envelope-from )id 71cF63a9for mirjam@abrakadabra.ch; Mon, 29 Jul 2019 17:01:45 +0000

alert smtp any any -> any any (msg:"Test mime email received"; email.received; content:"from [65.201.218.30] (helo=COZOXORY.club)by 173-66-46-112.wash.fios.verizon.net with esmtpa (Exim 4.86)(envelope-from )id 71cF63a9for mirjam@abrakadabra.ch; Mon, 29 Jul 2019 17:01:45 +0000"; sid:1;)