base/protocols/smtp/main.zeek

SMTP

Namespace:

SMTP

Imports:

base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/utils/addrs.zeek, base/utils/directions-and-hosts.zeek, base/utils/email.zeek

Summary

Runtime Options

SMTP::mail_path_capture: Host &redef	Direction to capture the full “Received from” path.
SMTP::mail_transaction_validation: bool &redef	When seeing a RCPT TO or DATA command, validate that it has been preceded by a MAIL FROM or RCPT TO command, respectively, else log a weird and possibly disable the SMTP analyzer upon too many invalid transactions.
SMTP::max_invalid_mail_transactions: count &redef	Disable the SMTP analyzer when that many invalid transactions have been observed in an SMTP session.

Types

SMTP::Info: record
SMTP::State: record

Redefinitions

Log::ID: enum	SMTP::LOG
connection: record	New Fields: connection smtp: SMTP::Info &optional smtp_state: SMTP::State &optional
likely_server_ports: set &redef

Events

SMTP::log_smtp: event

Hooks

SMTP::finalize_smtp: Conn::RemovalHook	SMTP finalization hook.
SMTP::log_policy: Log::PolicyHook

Functions

SMTP::describe: function

Create an extremely shortened representation of a log line.

Detailed Interface

Runtime Options

SMTP::mail_path_capture

Type:

Host

Attributes:

&redef

Default:

ALL_HOSTS

Direction to capture the full “Received from” path.

REMOTE_HOSTS - only capture the path until an internal host is found. LOCAL_HOSTS - only capture the path until the external host is discovered. ALL_HOSTS - always capture the entire path. NO_HOSTS - never capture the path.

SMTP::mail_transaction_validation

Type:

bool

Attributes:

&redef

Default:

T

When seeing a RCPT TO or DATA command, validate that it has been preceded by a MAIL FROM or RCPT TO command, respectively, else log a weird and possibly disable the SMTP analyzer upon too many invalid transactions.

SMTP::max_invalid_mail_transactions

Type:

count

Attributes:

&redef

Default:

25

Disable the SMTP analyzer when that many invalid transactions have been observed in an SMTP session.

Types

SMTP::Info

Type:

record

Fields:

ts: time &log

Time when the message was first seen.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

trans_depth: count &log

A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.

helo: string &log &optional

Contents of the Helo header.

mailfrom: string &log &optional

Email addresses found in the From header.

rcptto: set [string] &log &optional

Email addresses found in the Rcpt header.

date: string &log &optional

Contents of the Date header.

from: string &log &optional

Contents of the From header.

to: set [string] &log &optional

Contents of the To header.

cc: set [string] &log &optional

Contents of the CC header.

reply_to: string &log &optional

Contents of the ReplyTo header.

msg_id: string &log &optional

Contents of the MsgID header.

in_reply_to: string &log &optional

Contents of the In-Reply-To header.

subject: string &log &optional

Contents of the Subject header.

x_originating_ip: addr &log &optional

Contents of the X-Originating-IP header.

first_received: string &log &optional

Contents of the first Received header.

second_received: string &log &optional

Contents of the second Received header.

last_reply: string &log &optional

The last message that the server sent to the client.

path: vector of addr &log &optional

The message transmission path, as extracted from the headers.

user_agent: string &log &optional

Value of the User-Agent header from the client.

tls: bool &log &default = F &optional

Indicates that the connection has switched to using TLS.

process_received_from: bool &default = T &optional

Indicates if the “Received: from” headers should still be processed.

has_client_activity: bool &default = F &optional

Indicates if client activity has been seen, but not yet logged.

process_smtp_headers: bool &default = T &optional

Indicates if the SMTP headers should still be processed.

entity_count: count &default = 0 &optional

entity: SMTP::Entity &optional

(present if base/protocols/smtp/entities.zeek is loaded)

The current entity being seen.

fuids: vector of string &log &default = [] &optional

(present if base/protocols/smtp/files.zeek is loaded)

An ordered vector of file unique IDs seen attached to the message.

rfc822_msg_fuid: string &optional

(present if base/protocols/smtp/files.zeek is loaded)

Tracks the fuid of the top-level RFC822 mail message if SMTP::enable_rfc822_msg_file_analysis is set.

is_webmail: bool &log &default = F &optional

(present if policy/protocols/smtp/software.zeek is loaded)

Boolean indicator of if the message was sent through a webmail interface.

SMTP::State

Type:

record

Fields:

helo: string &optional

messages_transferred: count &default = 0 &optional

Count the number of individual messages transmitted during this SMTP session. Note, this is not the number of recipients, but the number of message bodies transferred.

pending_messages: set [SMTP::Info] &optional

trans_mail_from_seen: bool &default = F &optional

trans_rcpt_to_seen: bool &default = F &optional

invalid_transactions: count &default = 0 &optional

bdat_last_observed: bool &default = F &optional

analyzer_id: count &optional

mime_depth: count &default = 0 &optional

(present if base/protocols/smtp/entities.zeek is loaded)

Track the number of MIME encoded files transferred during a session.

Events

SMTP::log_smtp

Type:

event (rec: SMTP::Info)

Hooks

SMTP::finalize_smtp

Type:

Conn::RemovalHook

SMTP finalization hook. Remaining SMTP info may get logged when it’s called.

SMTP::log_policy

Type:

Log::PolicyHook

Functions

SMTP::describe

Type:

function (rec: SMTP::Info) : string

Create an extremely shortened representation of a log line.