IMAP protocol parser, logger and sticky buffers v6#15400

Closed
glongo wants to merge 4 commits into OISF:main from glongo:dev-imap-proto-v6

glongo (Contributor) commented May 16, 2026

Changes:

  • email object inside imap event is no longer logged. Existing email code will be refactored after this PR is merged in order to introduce a dedicated email event.
  • Updated SID range
  • Bounded missing request/response.

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8276

Previous PR: #15209

SV_BRANCH=OISF/suricata-verify#2908

glongo added 4 commits May 16, 2026 10:40

This introduces a parser for IMAP protocol.

Ticket OISF#8276

This introduces a logger for IMAP protocol.

Ticket OISF#8276

This implements the following sticky buffers for IMAP protocol:
- imap.request
- imap.response

The following frames have been added:
- imap.body
- imap.headers
- imap.pdu

The following email sticky buffers have been updated to work with IMAP:
- email.from
- email.subject
- email.to
- email.cc
- email.date
- email.message_id
- email.x_mailer

The following email sticky buffers have been added and are supported
only for IMAP:
- email.command
- email.body
- email.header
- email.header.name
- email.header.value

Ticket OISF#8276

codecov Bot commented May 16, 2026

Codecov Report

❌ Patch coverage is 81.85373% with 464 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.61%. Comparing base (bb4e79c) to head (e6cca48).
⚠️ Report is 86 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #15400      +/-   ##
==========================================
- Coverage   82.65%   82.61%   -0.04%     
==========================================
  Files         996      999       +3     
  Lines      271109   273624    +2515     
==========================================
+ Hits       224076   226057    +1981     
- Misses      47033    47567     +534     
Flag Coverage Δ
fuzzcorpus 60.50% <15.04%> (-0.52%) ⬇️
livemode 18.28% <11.91%> (-0.09%) ⬇️
netns 22.45% <11.91%> (-0.17%) ⬇️
pcap 45.37% <63.00%> (+0.16%) ⬆️
suricata-verify 66.46% <74.97%> (+0.05%) ⬆️
unittests 58.51% <53.46%> (-0.05%) ⬇️

@suricata-qa

Information: QA ran without warnings.

Pipeline = 31514

catenacyber added the "needs rebase" label (Needs rebase to main) May 21, 2026

@catenacyber (Contributor)

Needs a rebase now

catenacyber (Contributor) left a comment

Thanks for the work, needs a rebase

CI/QA : ✅
Git ID set : looks fine to me
CLA : you already contributed
Doc update : nice :-)
Redmine ticket : ok, should https://redmine.openinfosecfoundation.org/issues/3244 be closed as duplicate ?
Rustfmt : 🟡 please add the check in CI see .github/workflows/builds.yml: - run: rustfmt --check rust/src/dns/*.rs
Tests : some unanswered questions on SV PR like OISF/suricata-verify#2908 (comment)
Dependencies added: none
Code : looking
Commits segmentation : I would squash parser and logger but ok
Commit messages : cool

@victorjulien (Member)

In the new PR, please add an explanation of the transaction state machine(s) and life cycle, including how transactions and other data structures are bounded.

Comment threads:

  • rust/src/imap/imap.rs (5)
  • rust/src/imap/logger.rs (2)
  • rust/src/imap/detect.rs (2)
  • doc/userguide/rules/email-keywords.rst (2)

@catenacyber (Contributor)

Replaced by #15617
