Need Guidance on Enabling IMAP Attachment Extraction in Zeek

Hello everyone,

I am currently working on a solution that will use Zeek where we need to analyze email traffic at the protocol level and extract attachments.

For other protocols like SMTP, POP3, etc., attachment extraction works through Zeek’s file analysis framework in version 8.0.1. However, for IMAP traffic, we need to implement or extend IMAP support so that attachments retrieved via FETCH responses can also be extracted properly.

What We Are Trying to Achieve

  • Detect IMAP FETCH responses containing message body data

  • Handle RFC-compliant IMAP literals ({} syntax from RFC 3501)

  • Pass the literal data (email body / MIME content) into Zeek’s file extraction framework

  • Ensure attachment extraction works like it does for SMTP and POP3

Current Situation

We are building Zeek from source and exploring modifications in:

  • IMAP analyzer (C++ layer)

  • BinPAC grammar files (imap.pac, imap-protocol.pac, etc.)

However, real-world IMAP traffic introduces challenges such as:

  • Untagged * FETCH responses

  • Literal blocks spanning multiple TCP segments

  • STARTTLS encrypted sessions

  • Grammar desynchronization issues when handling literals

Before going too deep into custom implementation, I wanted to ask:

Questions

  1. Has anyone already implemented IMAP attachment extraction in Zeek?

  2. Is there an existing plugin or recommended approach for full IMAP file extraction?

  3. Architecturally, is it better to:

    • Extend the current IMAP analyzer?

    • Or build a separate custom analyzer/plugin for this purpose?

  4. Are there examples in other protocol analyzers that are recommended patterns to follow?

Any guidance, design recommendations, or references would be greatly appreciated.

Thank you in advance!
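The framing problem described in the post above (FETCH literals that span TCP segments and desynchronise a line-oriented grammar), as an added reference example that is not code from the post or from Zeek: a pure-Python incremental parser for the server-to-client stream. It assumes only the server side is fed to it and records bodies announced inside untagged FETCH responses; the sample stream in the test is constructed.

```python
import re

# A response line that ends by announcing a literal: RFC 3501 "{<octets>}" or the
# RFC 7888 non-synchronizing "{<octets>+}" form, e.g. b"* 3 FETCH (BODY[] {1234}\r\n".
LITERAL_RE = re.compile(rb"\{(\d+)\+?\}\r\n$")
# Untagged FETCH response; IMAP keywords are case-insensitive.
FETCH_RE = re.compile(rb"^\* \d+ FETCH ", re.IGNORECASE)


class ImapLiteralExtractor:
    """Incremental parser for the server-to-client half of an IMAP session.

    feed() takes data cut at arbitrary TCP segment boundaries. A literal is consumed
    strictly by its announced octet count, so a "{" or CRLF inside a message body
    cannot desynchronise the line parser.
    """

    def __init__(self):
        self.buf = b""        # bytes received but not yet parsed
        self.response = b""   # non-literal text of the response in progress
        self.remaining = 0    # octets still expected for the current literal
        self.chunks = []      # pieces of the current literal, one per segment
        self.bodies = []      # (response text, literal bytes) from FETCH responses

    def feed(self, segment):
        """Consume one segment; return literals completed by it from FETCH responses."""
        done = []
        self.buf += segment
        while self.buf:
            if self.remaining:                              # inside a literal
                take = min(self.remaining, len(self.buf))
                self.chunks.append(self.buf[:take])
                self.buf = self.buf[take:]
                self.remaining -= take
                if self.remaining == 0:
                    body, self.chunks = b"".join(self.chunks), []
                    if FETCH_RE.match(self.response):       # message data, not e.g. LIST names
                        self.bodies.append((self.response, body))
                        done.append(body)
                continue
            end = self.buf.find(b"\r\n")
            if end < 0:                                     # partial line; wait for more
                break
            line, self.buf = self.buf[:end + 2], self.buf[end + 2:]
            self.response += line
            m = LITERAL_RE.search(line)
            if m:
                self.remaining = int(m.group(1))            # literal octets follow ({0} = none)
            else:
                self.response = b""                         # response complete
        return done
```

Handing a completed body to the file analysis framework is the analyzer's job; this block only pins down the byte-counted framing that a size-bounded field in the grammar must reproduce.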

Hi,

thanks a lot for the post, and the explanation of what you are trying to accomplish.

As you probably already noticed, the current IMAP analyzer in Zeek is pretty barebones. It, in essence, only supports the parts of the protocol that were needed for a research paper a long time ago - specifically parsing the capabilities, and determining if TLS is enabled.

For your purposes - as the analyzer that exists does not implement any significant functionality - I am tempted to propose that you just ignore it and start the entire thing fresh. This also means that you can skip using BinPAC and write your analyzer in Spicy instead. Spicy is much more feature complete, much better documented, and easier to use.

I am not aware of anyone else that has implemented, or worked on, an IMAP analyzer.

I would probably propose looking at the Spicy documentation as a first step 🙂

Johanna