16.3.15. SMTP

SMTP transaction details are exposed to Lua scripts with the suricata.smtp library, for example:

local smtp = require("suricata.smtp")

16.3.15.1. Setup

If your purpose is to create a logging script, initialize the buffer as:

function init (args)
   local needs = {}
   needs["protocol"] = "smtp"
   return needs
end

Otherwise if a detection script:

function init (args)
  return {}
end

16.3.15.2. API

16.3.15.2.1. Transaction

SMTP is transaction based, and the current transaction must be obtained before use:

local tx, err = smtp.get_tx()
if tx == nil then
    print(err)
end

All other functions are methods on the transaction table.

16.3.15.2.2. Transaction Methods

16.3.15.2.2.1. get_mime_field(name)

Get a specific MIME header field by name from the SMTP transaction.

Example:

local tx = smtp.get_tx()
local encoding = tx:get_mime_field("Content-Transfer-Encoding")
if encoding ~= nil then
    print("Encoding: " .. subject)
end

16.3.15.2.2.2. get_mime_list()

Get all the MIME header field names from the SMTP transaction as a table.

Example:

local tx = smtp.get_tx()
local mime_fields = tx:get_mime_list()
if mime_fields ~= nil then
    for i, name in pairs(mime_fields) do
        local value = tx:get_mime_field(name)
        print(name .. ": " .. value)
    end
end

16.3.15.2.2.3. get_mail_from()

Get the sender email address from the MAIL FROM command.

Example:

local tx = smtp.get_tx()
local mail_from = tx:get_mail_from()
if mail_from ~= nil then
    print("Sender: " .. mail_from)
end

16.3.15.2.2.4. get_rcpt_list()

Get all recipient email addresses from RCPT TO commands as a table.

Example:

local tx = smtp.get_tx()
local recipients = tx:get_rcpt_list()
if recipients ~= nil then
    for i, recipient in pairs(recipients) do
        print("Recipient " .. i .. ": " .. recipient)
    end
end