From c69ed1adf7a65f5f8c66fe119412095f2131291c Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Wed, 16 Jul 2025 11:33:44 +0200 Subject: [PATCH] NEWS: Add entry about SMTP::enable_rfc822_msg_file_analysis --- NEWS | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/NEWS b/NEWS index 033efbc270..1905b117f6 100644 --- a/NEWS +++ b/NEWS @@ -153,6 +153,21 @@ New Functionality incoming and outgoing event metrics of a specific WebSocket application, simply by setting the X-Application-Name header. +- The SMTP analyzer can now optionally forward the top-level RFC 822 message individual + SMTP transactions to the file analysis framework. This can be leveraged to extract + emails in form of ``.eml`` files from SMTP traffic to disk. + + To enable this feature, set the ``SMTP::enable_rfc822_msg_file_analysis`` option + and implement an appropriate ``file_new()`` or ``file_over_new_connection()`` handler: + + redef SMTP::enable_rfc822_msg_file_analysis = T; + + event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) { + if ( f$id == c$smtp$rfc822_msg_fuid ) + Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename="email"]); + } + + - Generic event metadata support. A new ``EventMetadata`` module was added allowing to register generic event metadata types and accessing the current event's metadata using the functions ``current()`` and ``current_all()`` of this module.
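Review bot: The example handler reads `c$smtp$rfc822_msg_fuid` without a `c?$smtp` guard. `file_over_new_connection()` is raised for files on any protocol, so the snippet as written would hit a missing-field error on non-SMTP connections. Suggest `if ( c?$smtp && f$id == c$smtp$rfc822_msg_fuid )`, with a `?$rfc822_msg_fuid` check as well if that field is optional. The constant `$extract_filename="email"` gives every extracted message the same name and no `.eml` suffix, although the text promises `.eml` files. A name derived from `f$id`, for example `cat("email-", f$id, ".eml")`, would keep messages apart. In the first sentence of the entry, "RFC 822 message individual SMTP transactions" is missing a word, probably "of".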