IMAP protocol parser, logger and sticky buffers v5#15209
This introduces a parser for IMAP protocol. Ticket OISF#8276
This introduces a logger for IMAP protocol. Ticket OISF#8276
This implements the following sticky buffers for IMAP protocol:
- imap.request
- imap.response

The following frames have been added:
- imap.body
- imap.headers
- imap.pdu

The following email sticky buffers have been updated to work with IMAP:
- email.from
- email.subject
- email.to
- email.cc
- email.date
- email.message_id
- email.x_mailer

The following email sticky buffers have been added and are supported only for IMAP:
- email.command
- email.body
- email.header
- email.header.name
- email.header.value

Ticket OISF#8276
Codecov Report ❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #15209 +/- ##
==========================================
- Coverage 82.69% 82.67% -0.02%
==========================================
Files 993 996 +3
Lines 271697 274203 +2506
==========================================
+ Hits 224667 226686 +2019
- Misses 47030 47517 +487
Information: QA ran without warnings. Pipeline = 30954
There are missing tickets that should relate to https://redmine.openinfosecfoundation.org/issues/8276
There are unanswered questions in the previous PR like #15064 (comment)
    if let Some(email_data) = message_email {
        let command_bytes = extract_command_from_requests(&tx.requests);
        let command = String::from_utf8_lossy(&command_bytes).into_owned();
As proposed in #15064 (comment), I checked:
diff --git a/rust/src/imap/logger.rs b/rust/src/imap/logger.rs
index 1f7d91bf5c..54eeae7b2f 100644
--- a/rust/src/imap/logger.rs
+++ b/rust/src/imap/logger.rs
@@ -126,7 +126,7 @@ fn log_imap(tx: &ImapTransaction, js: &mut JsonBuilder) -> Result<(), JsonError>
if let Some(email_data) = message_email {
let command_bytes = extract_command_from_requests(&tx.requests);
- let command = String::from_utf8_lossy(&command_bytes).into_owned();
+ let command = String::from_utf8_lossy(&command_bytes);
js.open_object("email")?;
js.set_string("command", &command)?;

compiles for me
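Review bot: dropping .into_owned() leaves command as a Cow<str> borrowed from command_bytes, so the valid-UTF-8 case no longer allocates a second String, and &command still deref-coerces to &str for set_string, which is why the call site compiles unchanged. Since the borrow now ties command to command_bytes, a one-line comment that command_bytes has to outlive the set_string call would make the intent clear to the next person touching this block.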
Main concern in previous remarks was bounding the stateful structures ;-)
            tx.parsed_email = Some(parsed_email);
        }
    }
    tx.responses.push(response);
catenacyber left a comment:

needs a rebase now for the rules range

Replaced with #15400
Changes:
- direction, body and optional fields from schema.json
- IncompleteData event
- tx.requests and tx.responses are bounded
- GetImapEmailBodyData and use SCDetectImapEmailGetBody directly
- SCAppLayerRequestProtocolTLSUpgrade when TLS is requested and ImapResponseStatus::Ok is seen

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8276
Previous PR: #15064
SV_BRANCH=OISF/suricata-verify#2908
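As an added illustration (not Suricata's code and not from this PR or #15400), the following standalone Rust program shows the shape of the two points discussed in the thread: the request/response split behind the imap.request and imap.response buffers from the PR description, and the "tx.requests and tx.responses are bounded" and TLS-upgrade-on-OK items from the Changes list. It parses tagged client commands and tagged/untagged/continuation server lines into a transaction whose per-direction line lists are capped, flags a trailing partial line as incomplete data, and sets a flag when a STARTTLS request is answered with a tagged OK. MAX_LINES, the type and function names, and the sample session are assumptions for the example; in Suricata the upgrade would be requested through SCAppLayerRequestProtocolTLSUpgrade, which this example only models as a flag, and this toy parser does not buffer a partial line across calls as a real one must.

```rust
// Added example, not Suricata's IMAP parser. All names and limits are assumed.
use std::collections::VecDeque;

/// Bound on lines kept per direction. Assumed value for this example; the
/// real limit is a project decision. The point is that it exists at all.
pub const MAX_LINES: usize = 4;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Status { Ok, No, Bad }

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ImapLine {
    /// Client: `A001 LOGIN user pass`
    Request { tag: String, command: String, args: String },
    /// Server: `* 12 EXISTS`, `* OK [CAPABILITY ...] ready`
    Untagged(String),
    /// Server: `A001 OK LOGIN completed`
    Tagged { tag: String, status: Status, text: String },
    /// Server: `+ go ahead`
    Continuation(String),
}

/// First space-separated token and the remainder (empty if none).
fn split_first(line: &str) -> (&str, &str) {
    line.split_once(' ').unwrap_or((line, ""))
}

/// One CRLF-stripped client line. A line without a command token is rejected.
pub fn parse_request(line: &str) -> Option<ImapLine> {
    let (tag, rest) = split_first(line);
    if tag.is_empty() || rest.is_empty() { return None; }
    let (command, args) = split_first(rest);
    Some(ImapLine::Request {
        tag: tag.to_string(),
        command: command.to_ascii_uppercase(), // IMAP commands are case-insensitive
        args: args.to_string(),
    })
}

/// One CRLF-stripped server line. Unknown tagged status words are rejected.
pub fn parse_response(line: &str) -> Option<ImapLine> {
    let (tag, rest) = split_first(line);
    match tag {
        "" => None,
        "*" => Some(ImapLine::Untagged(rest.to_string())),
        "+" => Some(ImapLine::Continuation(rest.to_string())),
        _ => {
            let (word, text) = split_first(rest);
            let status = match word.to_ascii_uppercase().as_str() {
                "OK" => Status::Ok, "NO" => Status::No, "BAD" => Status::Bad,
                _ => return None,
            };
            Some(ImapLine::Tagged { tag: tag.to_string(), status, text: text.to_string() })
        }
    }
}

#[derive(Debug, Default)]
pub struct ImapTransaction {
    pub requests: VecDeque<ImapLine>,
    pub responses: VecDeque<ImapLine>,
    /// A line was evicted to respect MAX_LINES (an engine would raise an event here).
    pub truncated: bool,
    /// The last chunk ended mid-line: an "incomplete data" condition.
    pub incomplete: bool,
    /// A STARTTLS request got a tagged OK: bytes after it are TLS, not IMAP.
    pub tls_upgrade: bool,
}

impl ImapTransaction {
    /// Push with eviction of the oldest line, so memory per tx stays bounded.
    fn push_bounded(queue: &mut VecDeque<ImapLine>, line: ImapLine, truncated: &mut bool) {
        if queue.len() >= MAX_LINES {
            queue.pop_front();
            *truncated = true;
        }
        queue.push_back(line);
    }

    /// Feed one chunk from one direction. Only CRLF-terminated lines are parsed.
    pub fn feed(&mut self, to_server: bool, data: &[u8]) {
        let text = String::from_utf8_lossy(data);
        let mut rest: &str = &text;
        while let Some((line, tail)) = rest.split_once("\r\n") {
            rest = tail;
            if to_server {
                if let Some(req) = parse_request(line) {
                    Self::push_bounded(&mut self.requests, req, &mut self.truncated);
                }
            } else if let Some(resp) = parse_response(line) {
                if let ImapLine::Tagged { tag, status: Status::Ok, .. } = &resp {
                    // Match the OK against a pending STARTTLS with the same tag.
                    let starttls = self.requests.iter().any(|r| matches!(r,
                        ImapLine::Request { tag: t, command, .. }
                            if t == tag && command.as_str() == "STARTTLS"));
                    if starttls { self.tls_upgrade = true; }
                }
                Self::push_bounded(&mut self.responses, resp, &mut self.truncated);
            }
        }
        self.incomplete = !rest.is_empty();
    }
}

fn main() {
    // Constructed sample session, not captured traffic.
    let mut tx = ImapTransaction::default();
    tx.feed(false, b"* OK IMAP4rev1 ready\r\n");
    tx.feed(true, b"a1 STARTTLS\r\n");
    tx.feed(false, b"a1 OK Begin TLS negotiation now\r\n");
    println!("{:?}", tx);
}
```

The eviction policy (drop oldest) is one choice; refusing further lines and closing the transaction is another, and which one fits depends on what the detection buffers need to see. Either way the bound turns a client that streams endless commands without waiting for a response from an allocation amplifier into a logged event.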