-
Notifications
You must be signed in to change notification settings - Fork 43
/
README.imap
171 lines (131 loc) · 7.47 KB
/
README.imap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
IMAP
====
-- Overview --
IMAP is an IMAP4 decoder for user applications. Given a data buffer,
IMAP will decode the buffer and find IMAP4 commands and responses.
It will also mark the command, data header data body sections and
extract the IMAP4 attachments and decode it appropriately.
IMAP will handle stateful processing. It saves state between individual
packets. However maintaining correct state is dependent on the reassembly
of the server side of the stream (i.e., a loss of coherent stream data results
in a loss of state).
Stream5 should be turned on for IMAP. Please ensure that the IMAP ports are added
to the stream5 ports for proper reassembly.
-- Configuration --
The configuration options are described below:
* ports { port [port] ... } *
This specifies on what ports to check for IMAP data. Typically, this will
include 143. Default ports if none are specified are 143 .
* disabled *
Disables the IMAP preprocessor in a config. This is useful when specifying
the decoding depths such as b64_decode_depth, qp_decode_depth, uu_decode_depth,
bitenc_decode_depth or the memcap used for decoding in default config
without turning on the IMAP preprocessor.
* b64_decode_depth *
This config option is used to turn off/on or set the base64 decoding depth used to
decode the base64 encoded MIME attachments. The value ranges from -1 to 65535.
A value of -1 turns off the base64 decoding of MIME attachments. The value of 0
sets the decoding of base64 encoded MIME attachments to unlimited. A value other
than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per
attachment. A IMAP preprocessor alert with sid 4 is generated (if enabled) when
the decoding fails.
Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
is turned on the base64 encoded MIME attachments/data across multiple packets are
decoded too.
The decoded data is available for detection using the rule option file_data.
See file_data rule option for more details.
It is recommended that user inputs a value that is a multiple of 4. When the value
specified is not a multiple of 4, the IMAP preprocessor will round it up to the next
multiple of 4.
In case of multiple configs, the value specified in the non-default config cannot
exceed the value specified in the default config.
* qp_decode_depth *
This config option is used to turn off/on or set the Quoted-Printable decoding depth
used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges
from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments.
The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A
value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per
attachment. A IMAP preprocessor alert with sid 5 is generated (if enabled) when the decoding fails.
Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
is turned on the QP encoded MIME attachments/data across multiple packets are decoded too.
The decoded data is available for detection using the rule option file_data.
See file_data rule option for more details.
In case of multiple configs, the value specified in the non-default config cannot exceed
the value specified in the default config.
* bitenc_decode_depth *
This config option is used to turn off/on or set the non-encoded MIME extraction
depth used to extract the non-encoded MIME attachments. The value ranges from -1 to 65535.
A value of -1 turns off the extraction of these MIME attachments. The value of 0 sets
the extraction of these MIME attachments to unlimited. A value other than 0 or -1
restricts the extraction of these MIME attachment, and applies per attachments.
Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
is turned on the non-encoded MIME attachments/data across multiple packets are
extracted too.
The extracted data is available for detection using the rule option file_data.
See file_data rule option for more details.
In case of multiple configs, the value specified in the non-default config cannot exceed
the value specified in the default config.
* uu_decode_depth *
This config option is used to turn off/on or set the Unix-to-Unix decoding depth
used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges
from -1 to 65535. A value of -1 turns off the UU decoding of IMAP attachments.
The value of 0 sets the decoding of UU encoded IMAP attachments to unlimited. A
value other than 0 or -1 restricts the decoding of UU IMAP attachments, and applies per
attachment. A IMAP preprocessor alert with sid 7 is generated (if enabled) when the decoding fails.
Multiple UU Encoded attachments/data in one packet are pipelined. When stateful inspection
is turned on the UU encoded attachments/data across multiple packets are decoded too.
The decoded data is available for detection using the rule option file_data.
See file_data rule option for more details.
In case of multiple configs, the value specified in the non-default config cannot exceed
the value specified in the default config.
* memcap <int> *
This option determines (in bytes) the maximum amount of memory the IMAP preprocessor
will use for decoding base64 encoded/quoted-printable/non-encoded MIME attachments/data
or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB.
This option along with the maximum of the decoding depths will determine the IMAP
sessions that will be decoded at any given instant. The default value for this option
is 838860.
Note: It is suggested to set this value such that the max imap session calculated as
follows is at least 1.
max imap session = memcap /(2 * max of (b64_decode_depth, uu_decode_depth, qp_decode_depth
or bitenc_decode_depth))
For example, if b64_decode_depth is 0 (indicates unlimited decoding) and qp_decode_depth is 100, then
max imap session = memcap/2*65535 (max value for b64_decode_depth)
In case of multiple configs, the memcap of the non-default configs will be overwritten by the
default config's value. Hence user needs to define it in the default config with the new keyword
disabled (used to disable IMAP preprocessor in a config).
When the memcap for decoding (memcap) is exceeded the IMAP preprocessor alert with sid 3 is
generated (when enabled).
Example:
preprocessor imap: \
ports { 143 } \
memcap 1310700 \
qp_decode_depth -1 \
b64_decode_depth 0 \
bitenc_decode_depth 100
preprocessor imap: \
memcap 1310700 \
qp_decode_depth 0 \
disabled
Default:
preprocessor imap: \
ports { 143 } \
b64_decode_depth 1460 \
qp_decode_depth 1460 \
bitenc_decode_depth 1460 \
uu_decode_depth 1460
Events
================================================================================
The IMAP preprocessor uses GID 141 to register events.
SID Description
--------------------------------------------------------------------------------
1 Alert if IMAP encounters an invalid IMAP4 command.
2 Alert if IMAP encounters an invalid IMAP4 response.
3 If the decoding memory cap (memcap) is reached and the preprocessor is configured to alert,
this alert will be created.
4 If the decoding of a base64 MIME attachments fails or when the decoding stops due to exceeded
b64_decode_depth.
5 If the decoding of a Quoted-Printable MIME attachments fails or when the decoding stops due to exceeded
qp_decode_depth.
7 If the decoding of a Unix-to-Unix encoded attachments fails or when the decoding stops due to exceeded
uu_decode_depth.