Need Guidance on Enabling IMAP Attachment Extraction in Zeek

Hello everyone,

I am currently working on a solution that will use Zeek where we need to analyze email traffic at the protocol level and extract attachments.

For other protocols like SMTP, POP3, etc., attachment extraction works through Zeek’s file analysis framework in version 8.0.1. However, for IMAP traffic, we need to implement or extend IMAP support so that attachments retrieved via FETCH responses can also be extracted properly.

What We Are Trying to Achieve

  • Detect IMAP FETCH responses containing message body data

  • Handle RFC-compliant IMAP literals ({} syntax from RFC 3501)

  • Pass the literal data (email body / MIME content) into Zeek’s file extraction framework

  • Ensure attachment extraction works like it does for SMTP and POP3

Current Situation

We are building Zeek from source and exploring modifications in:

  • IMAP analyzer (C++ layer)

  • BinPAC grammar files (imap.pac, imap-protocol.pac, etc.)

However, real-world IMAP traffic introduces challenges such as:

  • Untagged * FETCH responses

  • Literal blocks spanning multiple TCP segments

  • STARTTLS encrypted sessions

  • Grammar desynchronization issues when handling literals

Before going too deep into custom implementation, I wanted to ask:

Questions

  1. Has anyone already implemented IMAP attachment extraction in Zeek?

  2. Is there an existing plugin or recommended approach for full IMAP file extraction?

  3. Architecturally, is it better to:

     • Extend the current IMAP analyzer?

     • Or build a separate custom analyzer/plugin for this purpose?

  4. Are there examples in other protocol analyzers that are recommended patterns to follow?

Any guidance, design recommendations, or references would be greatly appreciated.

Thank you in advance!
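As an added illustration (not code from the post or from Zeek itself), here is a small Python sketch of the literal-reassembly logic the FETCH handling needs: it consumes RFC 3501 `{N}` literals by byte count across TCP segment boundaries, so a message body that happens to contain text looking like a FETCH line cannot desynchronize the parser, and it only collects literals that belong to untagged FETCH responses. The class and method names are my own, and the sample server bytes in the test are constructed.

```python
import re

# Literal announcement ending a line, e.g. b"* 12 FETCH (BODY[] {1432}\r\n"
LITERAL_RE = re.compile(rb"\{(\d+)\}\r\n$")


class ImapFetchReassembler:
    """Reassembles literal bodies of untagged FETCH responses (RFC 3501
    literals) from the server-to-client stream, one TCP segment at a time."""

    def __init__(self):
        self.buf = b""          # bytes carried over from earlier segments
        self.remaining = 0      # literal bytes still expected
        self.in_fetch = False   # current response is an untagged FETCH
        self.continued = False  # next line continues a response after a literal
        self.chunks = []        # pieces of the literal being collected
        self.bodies = []        # completed FETCH literals: input for file analysis

    def feed(self, segment: bytes) -> None:
        self.buf += segment
        while self.buf:
            if self.remaining:
                # Literal bytes are opaque: consume by count, never scan for CRLF.
                take, self.buf = self.buf[:self.remaining], self.buf[self.remaining:]
                self.remaining -= len(take)
                if self.in_fetch:
                    self.chunks.append(take)
                if self.remaining == 0:
                    self._end_literal()
                continue
            end = self.buf.find(b"\r\n")
            if end < 0:
                return  # partial line; wait for the next segment
            line, self.buf = self.buf[:end + 2], self.buf[end + 2:]
            if not self.continued:  # a fresh line starts a new response
                self.in_fetch = line.startswith(b"* ") and b" FETCH " in line
            self.continued = False
            m = LITERAL_RE.search(line)
            if m:
                # Literals outside FETCH are still skipped by count to stay in sync.
                self.remaining = int(m.group(1))
                if self.remaining == 0:
                    self._end_literal()  # RFC 3501 permits a zero-length literal

    def _end_literal(self) -> None:
        if self.in_fetch:
            self.bodies.append(b"".join(self.chunks))
            self.chunks = []
        self.continued = True
```

Each completed entry in `bodies` is the MIME content a file analyzer would receive; in a real Zeek analyzer this is the point where the data would be passed to the file analysis framework.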