##########################################################################################
PAS-20: Mail Handling
##########################################################################################

Issue Type: New Feature

-----------------------------------------------------------------------------------------
Issue Information
====================

Priority: Major
Status: Open
Resolution: Unresolved
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker

Components:
- Mail
- Data Correlation and Extraction

Affected Versions:
- 0.1

Targeted for fix in version:
- 0.1

Labels: Mail, SMTP

Time Estimate: 90 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------
Issue Description
==================

TLS connections to mail servers are already captured, but plaintext ones aren't.

I haven't decided yet on exactly what information should be extracted, but a starting point would be to start building something similar to webtraffic.csv so there's a record of which mailservers were connected to (and EHLO names etc.).

PAS-15 is interested in extracting SMTP Plain authentication strings, so it'd be helpful if the tempfile also included those somehow, as it'd save doing a separate tshark run.
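The extraction sketched in the description (which server was connected to, the EHLO name given, the response code to each command, and any SMTP AUTH PLAIN string for PAS-15), written out as an added worked example. This is not code from PAS or from this ticket: it assumes the plaintext session has already been reassembled into (direction, line) pairs, as a tshark follow-stream export would give, and the endpoint addresses and the session itself are constructed here. The PLAIN decoding follows the RFC 4616 layout ([authzid] NUL authcid NUL password); parsing stops once STARTTLS is accepted, since everything after that is ciphertext and belongs to the PAS-21 DNS-correlation path rather than to this CSV.

```python
"""Per-command SMTP transaction list from a reassembled plaintext session.

Added example for PAS-20, not PAS project code. Input is a list of
(direction, line) tuples; "C" is client -> server, "S" is server -> client.
"""
import base64
import csv
import io

CLIENT_IP, SERVER_IP, SERVER_PORT = "10.0.0.5", "192.0.2.10", 25  # assumed endpoints

# Constructed session (not a real capture): EHLO, inline AUTH PLAIN, envelope, QUIT.
SAMPLE_CRED = base64.b64encode(b"\x00user@example.net\x00password123").decode()
SAMPLE_SESSION = [
    ("S", "220 mail.example.net ESMTP Postfix"),
    ("C", "EHLO workstation.lan"),
    ("S", "250-mail.example.net"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250 OK"),
    ("C", "AUTH PLAIN " + SAMPLE_CRED),
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<user@example.net>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<bob@example.org>"),
    ("S", "250 2.1.5 Ok"),
    ("C", "QUIT"),
    ("S", "221 2.0.0 Bye"),
]


def decode_auth_plain(b64):
    """Decode a SASL PLAIN blob (RFC 4616): [authzid] NUL authcid NUL password.
    Returns None for anything that is not valid base64 or not three NUL-separated parts."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\x00")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    authzid, authcid, password = (p.decode("utf-8", "replace") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": password}


def format_credential(creds):
    """authcid:password for the CSV; authzid is almost always empty and is dropped."""
    return "" if creds is None else f"{creds['authcid']}:{creds['password']}"


def parse_session(lines, client=CLIENT_IP, server=SERVER_IP, port=SERVER_PORT):
    """One record per client command, carrying the server banner, the EHLO/HELO name
    in force, the final response code, and any credential recovered from AUTH PLAIN.
    Stops after a 220 to STARTTLS, because the rest of the stream is ciphertext."""
    records, ehlo, banner = [], "", ""
    awaiting_plain = False  # AUTH PLAIN sent without an initial response; blob comes next
    for direction, line in lines:
        line = line.strip()
        if direction == "S":
            code = line[:3]
            if not records and code == "220":
                banner = line[4:]  # greeting, before any command has been sent
            # "250-..." is a continuation line; only the "250 ..." form is final
            if records and line[3:4] != "-" and records[-1]["response"] == "":
                records[-1]["response"] = code
            if records and records[-1]["command"] == "STARTTLS" and code == "220":
                break
            continue
        rec = {"client": client, "server": server, "port": port, "banner": banner,
               "ehlo": ehlo, "command": "", "parameter": "", "response": "", "credential": ""}
        if awaiting_plain:
            awaiting_plain = False
            rec["command"] = "AUTH-PLAIN-RESPONSE"
            rec["credential"] = format_credential(decode_auth_plain(line))
        else:
            verb, _, param = line.partition(" ")
            verb = verb.upper()
            rec["command"], rec["parameter"] = verb, param
            if verb in ("EHLO", "HELO"):
                ehlo = param
                rec["ehlo"] = ehlo
            elif verb == "AUTH":
                mech, _, initial = param.partition(" ")
                if mech.upper() == "PLAIN":
                    if initial:
                        rec["credential"] = format_credential(decode_auth_plain(initial))
                    else:
                        awaiting_plain = True
        records.append(rec)
    return records


def to_csv(records):
    """Serialise in the spirit of webtraffic.csv (column set is this example's choice)."""
    fields = ["client", "server", "port", "banner", "ehlo", "command",
              "parameter", "response", "credential"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_session(SAMPLE_SESSION)))
```

Keeping the credential in its own column rather than leaving it embedded in `parameter` means the PAS-15 consumer can read it directly and the rest of the row can still be shared with the raw base64 column stripped. The two-step form (client sends a bare `AUTH PLAIN`, server answers 334, client sends the blob) is handled by the `awaiting_plain` flag; AUTH LOGIN is a different exchange and is deliberately left untouched here.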
-----------------------------------------------------------------------------------------
Issue Relations
================

- blocks PAS-15: SMTP Credential Handling
- blocks PAS-21: Correlate Encrypted Traffic against DNS to obtain hostname

-----------------------------------------------------------------------------------------
Activity
==========

-----------------------------------------------------------------------------------------
2015-11-27 12:42:24
-----------------------------------------------------------------------------------------

btasker added 'Mail SMTP' to labels

-----------------------------------------------------------------------------------------
2015-11-27 13:56:51 btasker
-----------------------------------------------------------------------------------------

I've implemented a fairly basic transaction list of all SMTP commands seen.

The new CSV - mailtransactions.csv - is currently pretty SMTP specific, so may need some tweaking once POP3 and IMAP are added.

-----------------------------------------------------------------------------------------
2015-11-27 14:07:48 git
-----------------------------------------------------------------------------------------

-- BEGIN QUOTE --
Repo: PCAPAnalyseandReport
Commit: 76d046483851fd6ca2d2e0c1b195b27cecdfadb5
Author: Ben Tasker