User Tools

Site Tools


pom-ng:analyzer:smtp

Analyzer smtp

This analyzer listens for smtp_cmd and smtp_reply events as well as smtp packets and generates smtp_msg and smtp_auth events.

It also generates rfc822 messages.

Events

Name Payload associated Description
smtp_msgyesProvide all the information from a message sent over SMTP.
smtp_authnoParse SMTP authentication attempts.

smtp_msg

Field Type Description
client_addripv4 or ipv6IPv4 or IPv6 address of the client.
server_addripv4 or ipv6IPv4 or IPv6 address of the server.
server_portuint16Port on the server side.
server_hoststringHostname of the server from a DNS lookup.
client_hellostringArgument passed to the HELO or EHLO command.
server_hellostringText following the 220 reply from the server upon connection.
fromstringSender of the email according the “MAIL FROM” command.
tostring listRecipients according the “RCPT TO” command.
resultuint16Result code following the end of the DATA command.

smtp_auth

This event contains data gathered while the client tried to authenticate. Currently, only LOGIN and PLAIN authentications are supported.

Field Type Description
client_addripv4 or ipv6IPv4 or IPv6 address of the client.
server_addripv4 or ipv6IPv4 or IPv6 address of the server.
server_portuint16Port on the server side.
server_hoststringHostname of the server from a DNS lookup.
client_hellostringArgument passed to the HELO or EHLO command.
server_hellostringText following the 220 reply from the server upon connection.
typestringType of authentication.
paramsstring listAuthentication parameters. It will contain the parameter “username” and “password” for PLAIN and LOGIN authentication or will contain “challenge” and “response” for CRAM-MD5.
successboolTrue if the authentication attempt succeeded.
pom-ng/analyzer/smtp.txt · Last modified: 2015/07/27 11:37 by gmsoft