
Rare occurrences of incorrect fields filled in SMTP log record #254

Open
initconf opened this Issue Jan 24, 2019 · 0 comments


initconf commented Jan 24, 2019

This is a quite rare occurrence, and I am not exactly sure how to replicate it either.

I have noticed that there are rare times when two different emails are combined into one single SMTP record. I base this on the fact that I verified that emails were different using timemachine captures.

The incorrect SMTP log records the sender of one email populated with the recipients of one (or both) emails, then the subject of one of the emails (generally the first one).

My hypothesis is that there might be packet drops resulting in Zeek not understanding that these are two different emails on the same TCP stream, but I speculate.

I will try to figure out a way to reproduce this and/or see if I can help further with zeroing in on the specifics of the issue. (Sorry, this is a bit generic.)

Message me offline and I can send you exact log entries if desired.
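One way to triage the packet-drop hypothesis above from the logs alone, as an added example that is not part of the issue or of Zeek's own code: join `smtp.log` with `conn.log` on `uid` and flag SMTP records whose connection reported lost bytes (`missed_bytes > 0`, a real `conn.log` field) and that list more than one recipient, since those are the records most likely to be two merged transactions. The heuristic itself is an assumption for triage, not a Zeek rule; the field names are real Zeek log fields (a reduced subset), and the log lines are constructed sample data.

```python
"""Cross-check Zeek smtp.log records against conn.log packet-loss counters.

Added example (not from the issue or the Zeek project). The heuristic
"lost bytes on the connection AND more than one recipient" is an assumed
triage rule for spotting candidate merged SMTP transactions.
"""

# Constructed sample logs in Zeek's TSV format (real field names, made-up values).
SMTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmailfrom\trcptto\tsubject
#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tset[string]\tstring
1548300000.1\tCAb1\t10.0.0.5\t51000\t10.0.0.25\t25\t1\talice@example.org\tbob@example.net\tInvoice
1548300001.2\tCAb2\t10.0.0.6\t51001\t10.0.0.25\t25\t1\tcarol@example.org\tdave@example.net,erin@example.net\tMeeting
1548300002.3\tCAb3\t10.0.0.7\t51002\t10.0.0.25\t25\t1\tfrank@example.org\tgrace@example.net,heidi@example.net\tHello
"""

CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tmissed_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount
1548300000.1\tCAb1\t10.0.0.5\t51000\t10.0.0.25\t25\ttcp\tsmtp\t0
1548300001.2\tCAb2\t10.0.0.6\t51001\t10.0.0.25\t25\ttcp\tsmtp\t0
1548300002.3\tCAb3\t10.0.0.7\t51002\t10.0.0.25\t25\ttcp\tsmtp\t1460
"""


def parse_zeek_tsv(text):
    """Parse Zeek's TSV log format using its #separator and #fields headers.

    Returns a list of dicts keyed by field name. Other #-headers are skipped.
    """
    fields, sep, rows = None, "\t", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # Zeek writes the separator as an escape sequence such as \x09
            sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(sep)[1:]
            continue
        if line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split(sep))))
    return rows


def split_set(value, set_sep=","):
    """Expand a Zeek set/vector field; '-' is unset and '(empty)' is an empty set."""
    if value in ("-", "(empty)"):
        return []
    return value.split(set_sep)


def suspicious_smtp_records(smtp_text, conn_text):
    """Return smtp.log records on lossy connections that carry multiple recipients."""
    conn_loss = {r["uid"]: int(r["missed_bytes"]) for r in parse_zeek_tsv(conn_text)}
    flagged = []
    for r in parse_zeek_tsv(smtp_text):
        lost = conn_loss.get(r["uid"], 0)  # no conn.log entry: assume no loss seen
        rcpts = split_set(r["rcptto"])
        if lost > 0 and len(rcpts) > 1:
            flagged.append({
                "ts": r["ts"],
                "uid": r["uid"],
                "mailfrom": r["mailfrom"],
                "rcptto": rcpts,
                "subject": r["subject"],
                "missed_bytes": lost,
            })
    return flagged


if __name__ == "__main__":
    for rec in suspicious_smtp_records(SMTP_LOG, CONN_LOG):
        print(f"{rec['uid']} lost={rec['missed_bytes']} from={rec['mailfrom']} "
              f"to={rec['rcptto']} subject={rec['subject']!r}")
```

Only `CAb3` is flagged: `CAb2` also lists two recipients but its connection saw no lost bytes, which is exactly the distinction the hypothesis hinges on. Records this check surfaces are candidates to compare against full-packet captures, not confirmed merges.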
