Snort mailing list archives

smtp preprocessor buffers and content modifiers


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 08 Jun 2011 17:46:59 +0000

Reading through the Snort user guides and was wondering about the 
smtp_preprocessor's various buffers and why they cannot be used as 
content modifiers much like the http_* options? This could be helpful with 
writing signatures. It looks like the smtp_preprocessor currently 
creates/inspects certain things and checks them for length or their 
content. If people could use things like:

smtp_command_line
smtp_header_line
smtp_response_line
smtp_cmds

Not sure if smtp_response_line contains the "response code" and the 
"response code parameter" as they are known when you parse SMTP traffic 
with, say, Wireshark. It would be cool to be able to have these though:

smtp_response_code
smtp_response_parameter

I was wondering if these or something like them even already existed? 
There appears to be some crossover between the http and smtp inspect 
preprocessors with use of the file_data content modifier. It would seem 
weird to not have the smtp buffers available for checking with rules 
when the http ones are?

-- Eoin
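To make concrete what the buffers listed in the post (command line, header line, response line, response code and response parameter) would actually hold, here is a small parser for the SMTP wire format. It is an added example written for this archive page; it is not Snort code, not part of the original message, and the client and server streams it parses are constructed samples. It splits server replies into a numeric code plus the parameter text, groups multi-line replies (where `-` follows the code) into one reply, and on the client side separates command verbs from their arguments, unfolds continued header lines, and undoes dot-stuffing in the message body.

```python
"""Toy SMTP stream parser that produces the kinds of buffers discussed in
the post (command lines, command verbs, header lines, response codes and
parameters).  Added example, not Snort's own code; all traffic is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 5321 reply line: three-digit code, then ' ' (final) or '-' (continuation).
RESPONSE_RE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
# Command line: a verb of 4-8 letters, optionally followed by arguments.
COMMAND_RE = re.compile(r"^([A-Za-z]{4,8})(?:\s+(.*))?$")

# Constructed sample traffic (not captured from any real server).
CLIENT_STREAM = (
    "EHLO mail.example.com\r\n"
    "MAIL FROM:<alice@example.com>\r\n"
    "RCPT TO:<bob@example.net>\r\n"
    "DATA\r\n"
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
    " world\r\n"                 # folded continuation of the Subject header
    "\r\n"
    "Body text here.\r\n"
    "..hidden dot line\r\n"      # dot-stuffed body line (RFC 5321 4.5.2)
    ".\r\n"
    "QUIT\r\n"
)
SERVER_STREAM = (
    "220 mail.example.net ESMTP\r\n"
    "250-mail.example.net\r\n"
    "250-SIZE 10240000\r\n"
    "250 STARTTLS\r\n"
    "250 2.1.0 Ok\r\n"
    "250 2.1.5 Ok\r\n"
    "354 End data with <CR><LF>.<CR><LF>\r\n"
    "250 2.0.0 Ok: queued\r\n"
    "221 2.0.0 Bye\r\n"
)


@dataclass
class SmtpReply:
    """One server reply: the response code and one parameter string per line."""
    code: int
    parameters: List[str] = field(default_factory=list)


@dataclass
class ClientBuffers:
    """What an smtp_command_line / smtp_cmds / smtp_header_line buffer would hold."""
    command_lines: List[str] = field(default_factory=list)
    cmds: List[str] = field(default_factory=list)
    header_lines: List[str] = field(default_factory=list)
    body_lines: List[str] = field(default_factory=list)


def parse_server_stream(stream: str) -> List[SmtpReply]:
    """Split the server side into replies, merging '-' continuation lines."""
    replies: List[SmtpReply] = []
    current: Optional[SmtpReply] = None
    for line in stream.split("\r\n"):
        if not line:
            continue
        m = RESPONSE_RE.match(line)
        if not m:
            raise ValueError(f"malformed response line: {line!r}")
        code, sep, param = int(m.group(1)), m.group(2), m.group(3) or ""
        if current is None:
            current = SmtpReply(code)
        elif current.code != code:
            raise ValueError(f"code changed inside multi-line reply: {line!r}")
        current.parameters.append(param)
        if sep != "-":  # a space (or a bare code) terminates the reply
            replies.append(current)
            current = None
    if current is not None:
        raise ValueError("stream ended inside a multi-line reply")
    return replies


def parse_client_stream(stream: str) -> ClientBuffers:
    """Split the client side into command and header/body buffers."""
    buf = ClientBuffers()
    in_data = in_headers = False
    for line in stream.split("\r\n"):
        if in_data:
            if line == ".":  # end-of-data marker
                in_data = False
                continue
            if line.startswith(".."):  # undo dot-stuffing
                line = line[1:]
            if in_headers and line == "":
                in_headers = False  # blank line separates headers from body
            elif in_headers and line[:1] in (" ", "\t") and buf.header_lines:
                buf.header_lines[-1] += " " + line.strip()  # unfold header
            elif in_headers:
                buf.header_lines.append(line)
            else:
                buf.body_lines.append(line)
            continue
        if line == "":
            continue
        m = COMMAND_RE.match(line)
        if not m:
            raise ValueError(f"malformed command line: {line!r}")
        verb = m.group(1).upper()
        buf.command_lines.append(line)
        buf.cmds.append(verb)
        if verb == "DATA":
            in_data = in_headers = True
    return buf


if __name__ == "__main__":
    print(parse_client_stream(CLIENT_STREAM))
    for reply in parse_server_stream(SERVER_STREAM):
        print(reply.code, reply.parameters)
```

A rule-writer's "smtp_response_code" would correspond to `SmtpReply.code` and "smtp_response_parameter" to `SmtpReply.parameters`; note that a multi-line EHLO reply carries several parameters under one code, which is why the parser groups lines rather than treating each as a separate response.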

