ZEEK SMTP Header Parsing Issue #1352
Comments
|
Do you by chance have a pcap that illustrates it? That would help in tracking down the issue. |
|
Hi, We have proposed the following changes as explained in the below PR: Please let us know if you still need pcap ? Thanks. |
|
Hi, thanks for the PR. A pcap actually still would be helpful for reproduction - and for inclusion in the testsuite. Alternatively - it would be great if you could add a testcase to the PR :). Thank you very much, |
oakljon
added a commit
to theavgjojo/zeek
that referenced
this issue
Jan 13, 2021
oakljon
added a commit
to theavgjojo/zeek
that referenced
this issue
Jan 13, 2021
theavgjojo
pushed a commit
to theavgjojo/zeek
that referenced
this issue
Jan 21, 2021
oakljon
added a commit
to theavgjojo/zeek
that referenced
this issue
Jan 21, 2021
jsiwek
added a commit
that referenced
this issue
Jan 22, 2021
…ithub.com/theavgjojo/zeek * 'topic/oakljon/gh-1352-smtp-header-parsing' of https://github.com/theavgjojo/zeek: GH-1352: Added flag to stop processing SMTP headers in attached messages
jsiwek
pushed a commit
that referenced
this issue
Jan 22, 2021
messages (cherry picked from commit 25de6f2)
jsiwek
pushed a commit
that referenced
this issue
Feb 16, 2021
messages (cherry picked from commit 25de6f2)
jsiwek
pushed a commit
that referenced
this issue
Feb 16, 2021
messages (cherry picked from commit 25de6f2)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There is an issue with SMTP parsing where header extraction continues parsing into the body and attachments of emails. A common case which leads this issue to surface appears when emails are sent as attachments. If you have an attachment that itself is an email, the headers from the attached email will override headers parsed from the actual email.
This incidentally might be the cause of previously seen issues such as #254.
The text was updated successfully, but these errors were encountered: