[Bro] Email Link Extraction

Castle, Shane scastle at bouldercounty.org
Thu Apr 18 08:58:09 PDT 2013

At first glance this seems like all it needs is an appropriate regex. But then consider: any string containing both "." and "/" might be a candidate. (Actually, just a string containing "." with no space around it.)

So, this might range from the full regex to detect '<a href=".+">.+</a>' to just '\s.+\..+\s' (Perl regex used).

I'd welcome attempts to work on this. And, even if the result does not catch everything, if it gets anything at all it'd be better than what we have now.

Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Thursday, April 18, 2013 09:31
To: bro at bro.org
Subject: Re: [Bro] Email Link Extraction

On 2013-04-18 09:15, . . wrote:
> Hi list,
> Is there an easy way to extract links from emails in a method similar
> to smtp_entities processing of attachments?
> Thanks in advance!
> Jason

Yeah, I'll second that... email packet captures make finding links a 
challenge as quoted emails split the links... this would really help to 
correlate a user click to actual email in a fraction of the time.  Thank 

Bro mailing list
bro at bro-ids.org
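
The two points raised in this thread (a regex for links, and links being split inside captured mail) can be shown together. This is an added example, not code from either poster or from Bro, written in Python against a reassembled message; it assumes the splitting comes from quoted-printable soft line breaks, and the sample message, the BARE_URL pattern and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample (not from the thread): quoted-printable HTML mail whose
# soft line breaks ("=" at end of line) fall in the middle of both links.
SAMPLE = """\
Subject: constructed sample
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Please review <a href=3D"http://portal.example.com/docs/re=
port.php?id=3D1234&amp;u=3Dbob">the report</a> or visit www.example.org/h=
elp today.</p></body></html>
"""

# Assumed bare-URL pattern, narrower than the loose '\s.+\..+\s' idea.
BARE_URL = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""")

class _Links(HTMLParser):
    """Collect <a href> targets and the visible text of an HTML part."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.text.append(data)

def naive_links(raw):
    """Regex over the undecoded message, as it appears in a capture."""
    return BARE_URL.findall(raw)

def extract_links(raw):
    """Decode each text part first, then pull hrefs and bare URLs."""
    found = []
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # undoes quoted-printable / base64
        if part.get_content_subtype() == "html":
            parser = _Links()
            parser.feed(body)
            found += parser.hrefs
            body = "".join(parser.text)  # search only the visible text
        found += [u for u in BARE_URL.findall(body) if u not in found]
    return found
```

On the sample, naive_links() returns two truncated fragments ending in "=", while extract_links() returns both complete links.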
