[Bro] Extracting Email Attachments
dn1nj4 at gmail.com
Fri Mar 22 12:34:07 PDT 2013
Based on Aashish's recommendations, I added the following 4 lines to the
end of my local.bro:
redef SMTP::extract_file_types += /application\/*/;
redef SMTP::extraction_prefix = "/tmp/extracted_";
redef SMTP::extract_file = T;
redef SMTP::calc_md5 = T;
While there are attachments listed in the smtp_entities.log, they have no
MD5 hashes and have not been extracted to /tmp. What am I missing?
On Fri, Mar 22, 2013 at 10:32 AM, Aashish SHARMA <init.conf at gmail.com> wrote:
> ## define the mime types you want extracted /.*/ means everything
> redef SMTP::extract_file_types += /application\/*/;
> ## path where extracted attachments need to go:
> redef SMTP::extraction_prefix = "/data/bro/extract/smtp-entity" ;
> On Mar 22, 2013, at 3:49 AM, Digital Ninja <dn1nj4 at gmail.com> wrote:
> > Hello all,
> > New bro user here. I'm trying to understand how to enable email
> attachment extraction with bro. I see in smtp-entities the setting
> "extract-file", which by default is False. What is the right way to enable
> it and set the directory where these attachments will reside?
> > Thanks in advance!
> > Jason
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro