hello other RSA customers and RSA people,
I don't really know much about writing custom packet decoder parsers, and don't want to engage PS, but I'm wondering what other people have done for extracting custom mail headers.
Ideally we'd want to run it alongside the RSA mail (or rather SMTP) parser, rather than cloning customer_custom_smtp_lua.
Basically we want to parse 2 things:
a) texty headers from https://www.ietf.org/rfc/rfc2822.txt - e.g. Message-ID:, References:, In-Reply-To:
(these don't seem environment-specific; perhaps they can become part of the standard parser?)
b) value headers passed by the mail gateway to our mail server
e.g.
i) simple flag headers : X-ExecAttachment: True
ii) texty type headers: X-MailSandbox-StatusOrVerdict: e.g. unknown,pending, malicious, etc.
Wondering what other people have done for similar problems, parser- and meta-key-wise.
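The extraction the question describes, as an added worked example that is not part of the original post and is independent of NetWitness and its Lua API: plain Python over a constructed raw message, showing header unfolding (continuation lines), multi-value References/In-Reply-To extraction, and normalising the flag and verdict gateway headers into meta-key-style values. The meta key names (email.msgid and friends) and the sample message are assumptions chosen for illustration; the only things taken from the post are the header names.

```python
import re
from collections import defaultdict

# Header name -> meta key. Key names are hypothetical, picked for this example.
HEADER_META = {
    "message-id": "email.msgid",
    "in-reply-to": "email.inreplyto",
    "references": "email.references",
    "x-execattachment": "email.execattach",
    "x-mailsandbox-statusorverdict": "email.sandbox.verdict",
}
MSGID_HEADERS = {"message-id", "in-reply-to", "references"}

# RFC 2822 msg-id is "<" id-left "@" id-right ">"; capture the inside of the brackets.
MSGID_RE = re.compile(r"<([^<>\s]+)>")
FLAG_TRUE = {"true", "yes", "1"}
FLAG_FALSE = {"false", "no", "0"}


def unfold_headers(raw):
    """Return [(name_lower, value)] for the header section of a raw message.

    Stops at the first empty line (start of body). A line beginning with
    SP/HTAB is a folded continuation of the previous header (RFC 2822 2.2.3).
    """
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line: skip it rather than abort the message
        headers.append((name.strip().lower(), value.strip()))
    return headers


def extract_meta(raw):
    """Map the headers of interest to meta key -> list of normalised values."""
    meta = defaultdict(list)
    for name, value in unfold_headers(raw):
        key = HEADER_META.get(name)
        if key is None:
            continue
        if name in MSGID_HEADERS:
            # References / In-Reply-To may carry several msg-ids; register each one.
            meta[key].extend(MSGID_RE.findall(value))
        elif name == "x-execattachment":
            flag = value.lower()
            if flag in FLAG_TRUE:
                meta[key].append("true")
            elif flag in FLAG_FALSE:
                meta[key].append("false")
            # any other value is unrecognised and is deliberately not registered
        else:
            # texty verdict header: lower-case so "Pending" and "pending" collapse
            meta[key].append(value.lower())
    return dict(meta)


# Constructed sample message (not real traffic). Note the folded Received and
# References headers and the Message-ID in the body, which must be ignored.
SAMPLE = (
    "Received: from gw.example.test (gw.example.test [192.0.2.10])\r\n"
    "\tby mx.example.test with ESMTP id abc123\r\n"
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: Re: invoice\r\n"
    "Message-ID: <20230101.1234@example.test>\r\n"
    "In-Reply-To: <orig.5678@example.test>\r\n"
    "References: <root.0001@example.test>\r\n"
    " <orig.5678@example.test>\r\n"
    "X-ExecAttachment: True\r\n"
    "X-MailSandbox-StatusOrVerdict: Pending\r\n"
    "\r\n"
    "body text here\r\n"
    "Message-ID: <should-not-be-parsed@example.test>\r\n"
)

if __name__ == "__main__":
    for key, values in sorted(extract_meta(SAMPLE).items()):
        print(f"{key}: {values}")
```

The two things worth carrying over to a real decoder parser are the stop at the first blank line (otherwise a Message-ID quoted in a reply body gets registered as the session's id) and unfolding before tokenising, since References is routinely folded across lines by mail clients.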
A couple of things to check out:
mail_lua
mail_lua options file (you can get to the options file on the decoder once you deploy - DO NOT SUBSCRIBE TO THIS FILE - from the Decoder > config > files )
there are a number of functions you can change
function registerEmailSrcDst()
function parseQuoted()
function registerAddressHosts()
function parseReceived()
check for the ones that end with return true (that means enabled)
you can also check out the x-factor parser, which might be able to get you what you want
https://community.rsa.com/community/products/netwitness/blog/2014/03/05/detecting-sinkholed-domains-with-the-x-factor-parser
or this one for the SPF headers
https://community.rsa.com/community/products/netwitness/blog/2016/04/27/writing-a-parser-to-detect-spf-fields-in-email-messages