This is an old revision of the document!

Analyzer smtp

This analyzer listens for smtp_cmd and smtp_reply events as well as smtp packets and generates smtp_msg and smtp_auth events.

It also generates rfc822 messages.

Events

Name	Payload associated	Description
smtp_msg	yes	Provide all the information from a message sent over SMTP.
smtp_auth	no	Parse SMTP authentication attempts.

Field	Type	Description
client_addr	ipv4 or ipv6	IPv4 or IPv6 address of the client.
server_addr	ipv4 or ipv6	IPv4 or IPv6 address of the server.
server_port	uint16	Port on the server side.
server_host	string	Hostname of the server from a DNS lookup.
client_hello	string	Argument passed to the HELO or EHLO command.
server_hello	string	Text following the 220 reply from the server upon connection.
from	string	Sender of the email according the “MAIL FROM” command.
to	string list	Recipients according the “RCPT TO” command.
result	uint16	Result code following the end of the DATA command.

This event contains data gathered while the client tried to authenticate. Currently, only LOGIN and PLAIN authentications are supported.

Field	Type	Description
client_addr	ipv4 or ipv6	IPv4 or IPv6 address of the client.
server_addr	ipv4 or ipv6	IPv4 or IPv6 address of the server.
server_port	uint16	Port on the server side.
server_host	string	Hostname of the server from a DNS lookup.
client_hello	string	Argument passed to the HELO or EHLO command.
server_hello	string	Text following the 220 reply from the server upon connection.
type	string	Type of authentication.
params	string list	Authentication parameters. It will contain the parameter “username” and “password” for PLAIN and LOGIN authentication or will contain “challenge” and “response” for CRAM-MD5.
success	bool	True if the authentication attempt succeeded.