[Bro] Links in SMTP round 2

James Lay jlay at slave-tothe-box.net
Fri Nov 8 07:57:38 PST 2013


On Nov 8, 2013, at 8:07 AM, Justin Azoff <JAzoff at albany.edu> wrote:

> On Fri, Nov 08, 2013 at 07:25:07AM -0700, James Lay wrote:
>> error in /usr/local/bro/share/bro/base/protocols/smtp/./main.bro, line 10: extension field must be &optional or have &default (SMTP::Info)
> 
> Yep.. you need to mark it as &optional like it says.
> 
>> error in ./testfiles/test.bro, line 12: syntax error, at end of file
> 
> You just need to handle that event and extract the links.
> 
>> I’m hoping the first error is because I haven’t defined the new field of smtp_http yet.  As for the second, I’m not sure how to create that field.  I’ve been looking heavily at http://www.bro.org/sphinx-git/frameworks/logging.html, but so far this is all I have.  ANY help…tutorials…pointers…something would really save me some time.  Thank you.
> 
> Here is a script that adds a field to the conn log, it does all the
> things you need to do:
> 
> https://github.com/JustinAzoff/bro_scripts/blob/master/conn-hostnames.bro
> 
> -- 
> -- Justin Azoff
> -- Network Security & Performance Analyst

Thanks a BUNCH Justin…this helps.  As I’m looking at this, I think what I’m hoping for is something like:

"if the smtp message stream contains http, then log the link to smtp_http.log, otherwise don’t log anything about the stream to smtp_http.log"

Something I’m stumbling on is…how do I specify the smtp stream, and how do I find out if it contains http (looking at the Bro cheat sheet I don’t see “=~”).  Again, thanks so much Justin…I think I’m getting closer.

James
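The following is an added worked example, not code from the thread or from Justin's conn-hostnames.bro. It puts together the pieces discussed above: the `&optional` extension field on `SMTP::Info` (the first error), a handler for the SMTP DATA event, a pattern match for http links, and a separate `smtp_http.log` stream that only gets a row when a link is actually present. The module name `SMTP_HTTP`, the record type, the field `http_urls` and the regular expression are assumptions of this example; `smtp_data`, `find_all`, `Log::create_stream` and `Log::write` are standard Bro 2.x script APIs.

```bro
##! Added example (not part of the mailing-list thread): log http(s) links
##! seen in the SMTP DATA section to smtp_http.log, and only for streams
##! that actually contain one.  Module, type and field names are assumed.

@load base/protocols/smtp

module SMTP_HTTP;

export {
    redef enum Log::ID += { LOG };   # default log path: smtp_http.log

    ## One row per link found in an SMTP stream.
    type Info: record {
        ts:   time    &log;   # when the link was seen
        uid:  string  &log;   # connection uid, joins with smtp.log / conn.log
        id:   conn_id &log;   # address/port 4-tuple
        url:  string  &log;   # the extracted link
    };

    ## What counts as an http link (assumed, conservative pattern): stops
    ## at whitespace, double quotes and angle brackets.
    const url_pattern = /https?:\/\/[^ \t\r\n"<>]+/ &redef;
}

# Extension field on the main SMTP record.  It must be &optional because
# most SMTP sessions will never have it set; leaving that off is exactly
# what produced "extension field must be &optional or have &default".
redef record SMTP::Info += {
    http_urls: set[string] &optional &log;
};

event bro_init()
    {
    Log::create_stream(SMTP_HTTP::LOG, [$columns=Info]);
    }

# smtp_data fires once per line of the DATA section, as transmitted.
# Caveat: base64 / quoted-printable bodies are not decoded here, so links
# inside encoded MIME parts would need the mime_* events instead.
event smtp_data(c: connection, is_orig: bool, data: string)
    {
    # "pattern in string" is a substring match.  "=~" does exist in Bro,
    # but it requires the whole string to match the pattern, which is why
    # it is the wrong tool for "does this line contain a link".
    if ( url_pattern !in data )
        return;   # no link on this line: write nothing to smtp_http.log

    local urls = find_all(data, url_pattern);

    for ( u in urls )
        Log::write(SMTP_HTTP::LOG, [$ts=network_time(), $uid=c$uid,
                                    $id=c$id, $url=u]);

    # Also record the links on this session's smtp.log row, so an analyst
    # can pivot from the message (sender, subject) to the links it carried.
    if ( c?$smtp )
        {
        if ( ! c$smtp?$http_urls )
            c$smtp$http_urls = urls;
        else
            for ( u in urls )
                add c$smtp$http_urls[u];
        }
    }
```

Load it with `@load` from local.bro (or run `bro -r some.pcap this-script.bro` against a capture) and smtp_http.log will appear only when at least one matching link was seen; sessions without links produce no rows there, while smtp.log gains an `http_urls` column that is empty for them.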