base/protocols/smtp/main.zeek
- SMTP
- Namespace: SMTP
- Imports: base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/utils/addrs.zeek, base/utils/directions-and-hosts.zeek, base/utils/email.zeek
Summary
Runtime Options
- SMTP::mail_path_capture: Direction to capture the full “Received from” path.
- SMTP::mail_transaction_validation: When seeing a RCPT TO or DATA command, validate that it has been preceded by a MAIL FROM or RCPT TO command, respectively, else log a weird and possibly disable the SMTP analyzer upon too many invalid transactions.
- SMTP::max_invalid_mail_transactions: Disable the SMTP analyzer when that many invalid transactions have been observed in an SMTP session.
Types
- SMTP::Info
- SMTP::State
Redefinitions
Events
- SMTP::log_smtp
Hooks
- SMTP::finalize_smtp: SMTP finalization hook.
Functions
- SMTP::describe: Create an extremely shortened representation of a log line.
Detailed Interface
Runtime Options
- SMTP::mail_path_capture
  Direction to capture the full “Received from” path.
  REMOTE_HOSTS - only capture the path until an internal host is found.
  LOCAL_HOSTS - only capture the path until the external host is discovered.
  ALL_HOSTS - always capture the entire path.
  NO_HOSTS - never capture the path.
- SMTP::mail_transaction_validation
  When seeing a RCPT TO or DATA command, validate that it has been preceded by a MAIL FROM or RCPT TO command, respectively, else log a weird and possibly disable the SMTP analyzer upon too many invalid transactions.
- SMTP::max_invalid_mail_transactions
  Disable the SMTP analyzer when that many invalid transactions have been observed in an SMTP session.
Types
- SMTP::Info
  Type: record
  - ts: time &log
    Time when the message was first seen.
  - uid: string &log
    Unique ID for the connection.
  - id: conn_id &log
    The connection’s 4-tuple of endpoint addresses/ports.
  - trans_depth: count &log
    A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.
  - helo: string &log &optional
    Contents of the Helo header.
  - mailfrom: string &log &optional
    Email addresses found in the From header.
  - rcptto: set[string] &log &optional
    Email addresses found in the Rcpt header.
  - date: string &log &optional
    Contents of the Date header.
  - from: string &log &optional
    Contents of the From header.
  - to: set[string] &log &optional
    Contents of the To header.
  - cc: set[string] &log &optional
    Contents of the CC header.
  - reply_to: string &log &optional
    Contents of the ReplyTo header.
  - msg_id: string &log &optional
    Contents of the MsgID header.
  - in_reply_to: string &log &optional
    Contents of the In-Reply-To header.
  - subject: string &log &optional
    Contents of the Subject header.
  - x_originating_ip: addr &log &optional
    Contents of the X-Originating-IP header.
  - first_received: string &log &optional
    Contents of the first Received header.
  - second_received: string &log &optional
    Contents of the second Received header.
  - last_reply: string &log &optional
    The last message that the server sent to the client.
  - path: vector of addr &log &optional
    The message transmission path, as extracted from the headers.
  - user_agent: string &log &optional
    Value of the User-Agent header from the client.
  - tls: bool &log &default=F &optional
    Indicates that the connection has switched to using TLS.
  - process_received_from: bool &default=T &optional
    Indicates if the “Received: from” headers should still be processed.
  - has_client_activity: bool &default=F &optional
    Indicates if client activity has been seen, but not yet logged.
  - process_smtp_headers: bool &default=T &optional
    Indicates if the SMTP headers should still be processed.
  - entity_count: count &default=0 &optional
  - entity: SMTP::Entity &optional
    (present if base/protocols/smtp/entities.zeek is loaded)
    The current entity being seen.
  - fuids: vector of string &log &default=[] &optional
    (present if base/protocols/smtp/files.zeek is loaded)
    An ordered vector of file unique IDs seen attached to the message.
  - is_webmail: bool &log &default=F &optional
    (present if policy/protocols/smtp/software.zeek is loaded)
    Boolean indicator of whether the message was sent through a webmail interface.
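The following is an added example, not code from the Zeek distribution or from this page: a site script that redefines the three runtime options above and then consumes the SMTP::Info record in the SMTP::log_smtp event. The module name SMTPWatch, the two Notice types, the max_hops threshold and the value chosen for SMTP::max_invalid_mail_transactions are all hypothetical; the option names, the Host enum values and the record fields are those documented here.

```zeek
# Added example (hypothetical site script). Module name, notice types and
# thresholds are assumptions; option and field names come from main.zeek's
# documented interface.
@load base/protocols/smtp
@load base/frameworks/notice
@load base/utils/site

module SMTPWatch;

export {
	redef enum Notice::Type += {
		## Hypothetical: a message traversed more relays than expected,
		## judged from the reconstructed "Received: from" path.
		Long_Received_Path,
		## Hypothetical: an external client delivered a message without
		## the session ever switching to TLS.
		Plaintext_Submission,
	};

	## Hypothetical hop threshold for Long_Received_Path.
	const max_hops = 6 &redef;
}

# Always reconstruct the complete "Received: from" path; ALL_HOSTS is one of
# the four documented values of SMTP::mail_path_capture.
redef SMTP::mail_path_capture = ALL_HOSTS;

# Keep transaction validation on, but raise the number of invalid
# RCPT TO / DATA sequences tolerated before the analyzer is disabled.
# (50 is an arbitrary value chosen for this example.)
redef SMTP::mail_transaction_validation = T;
redef SMTP::max_invalid_mail_transactions = 50;

event SMTP::log_smtp(rec: SMTP::Info)
	{
	# &optional fields such as path, msg_id and mailfrom must be tested with
	# ?$ before they are read; |rec$path| is the number of hops recovered.
	if ( rec?$path && |rec$path| > max_hops )
		NOTICE([$note=Long_Received_Path,
		        $msg=fmt("message %s relayed through %d hops",
		                 rec?$msg_id ? rec$msg_id : "<no Message-ID>",
		                 |rec$path|),
		        $uid=rec$uid, $id=rec$id,
		        $identifier=cat(rec$id$orig_h)]);

	# tls carries &default=F, so it is always present. rec$id$orig_h is the
	# SMTP client; Site::is_local_addr() consults Site::local_nets.
	if ( ! rec$tls && ! Site::is_local_addr(rec$id$orig_h) )
		NOTICE([$note=Plaintext_Submission,
		        $msg=fmt("plaintext SMTP from %s, MAIL FROM %s",
		                 rec$id$orig_h,
		                 rec?$mailfrom ? rec$mailfrom : "<unset>"),
		        $uid=rec$uid, $id=rec$id,
		        $identifier=cat(rec$id$orig_h),
		        $suppress_for=1hr]);
	}
```

Because SMTP::log_smtp fires once per logged SMTP::Info record, a handler written this way sees every message transaction (each trans_depth) on a connection, not just the connection as a whole; the $identifier and $suppress_for fields keep a single noisy client from generating one notice per message.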
- SMTP::State
  Type: record
  - messages_transferred: count &default=0 &optional
    Count the number of individual messages transmitted during this SMTP session. Note, this is not the number of recipients, but the number of message bodies transferred.
  - pending_messages: set[SMTP::Info] &optional
  - trans_mail_from_seen: bool &default=F &optional
  - trans_rcpt_to_seen: bool &default=F &optional
  - invalid_transactions: count &default=0 &optional
  - mime_depth: count &default=0 &optional
    (present if base/protocols/smtp/entities.zeek is loaded)
    Track the number of MIME encoded files transferred during a session.
Events
- SMTP::log_smtp
  Type: event (rec: SMTP::Info)
Hooks
- SMTP::finalize_smtp
  SMTP finalization hook. Remaining SMTP info may get logged when it’s called.
Functions
- SMTP::describe
  Type: function (rec: SMTP::Info) : string
  Create an extremely shortened representation of a log line.