NEWS: Add entry about SMTP::enable_rfc822_msg_file_analysis

Arne Welzel 2025-07-16 11:33:44 +02:00
parent 1b3b3892b5
commit c69ed1adf7

NEWS

@ -153,6 +153,21 @@ New Functionality
incoming and outgoing event metrics of a specific WebSocket application, simply incoming and outgoing event metrics of a specific WebSocket application, simply
by setting the X-Application-Name header. by setting the X-Application-Name header.
- The SMTP analyzer can now optionally forward the top-level RFC 822 message individual
SMTP transactions to the file analysis framework. This can be leveraged to extract
emails in form of ``.eml`` files from SMTP traffic to disk.
To enable this feature, set the ``SMTP::enable_rfc822_msg_file_analysis`` option
and implement an appropriate ``file_new()`` or ``file_over_new_connection()`` handler:
redef SMTP::enable_rfc822_msg_file_analysis = T;
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) {
if ( f$id == c$smtp$rfc822_msg_fuid )
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename="email"]);
}
- Generic event metadata support. A new ``EventMetadata`` module was added allowing - Generic event metadata support. A new ``EventMetadata`` module was added allowing
to register generic event metadata types and accessing the current event's metadata to register generic event metadata types and accessing the current event's metadata
using the functions ``current()`` and ``current_all()`` of this module. using the functions ``current()`` and ``current_all()`` of this module.
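
Review bot: In the example handler, the condition `f$id == c$smtp$rfc822_msg_fuid` reads `c$smtp` without checking that it is set, and `file_over_new_connection` also fires for files carried over non-SMTP connections, where that optional field is absent; suggest `if ( c?$smtp && f$id == c$smtp$rfc822_msg_fuid )`. The constant `$extract_filename="email"` also gives every extracted message the same file name, so messages collide on one file and the result is not the ``.eml`` file the paragraph describes; deriving the name from the file id, for example `fmt("%s.eml", f$id)`, would avoid that. Minor wording: "the top-level RFC 822 message individual SMTP transactions" appears to be missing "of" before "individual".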