[Bro] Quick smtp-url-extraction question
seth at icir.org
Thu Aug 7 10:26:28 PDT 2014
On Aug 7, 2014, at 12:26 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> sudo bro -C -r ../captures/email.pcapng
Ah! Perhaps a poorly named script. That's only extracting the URLs and feeding them into the intel framework.
Would you like a script that extracts and logs them? I ran one of those in production before, it was useful to be able to see what links were flying around for sure.
I'm thinking for fields we could have...
That should provide enough information to link back to the connection it happened over and which "file" (or body content since they're effectively the same in smtp) it was seen within.
International Computer Science Institute
(Bro) because everyone has a network
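Below is an added example of the kind of logging script Seth offers above: a small Bro/Zeek policy script that writes every URL found in an SMTP message body to its own log, keyed to the connection and the MIME entity it appeared in. It is not the stock smtp-url-extraction script (which only calls into the intel framework) and not Seth's script; the field set (ts, uid, id, fuid, url) and the module name SMTPURL are my assumptions, since the list of fields in the email is elided.

```zeek
##! Log every URL seen in an SMTP message body with the connection uid/id
##! and the file id (fuid) of the MIME entity it was found in.
##! Added example for this thread, not the project's smtp-url-extraction script.

@load base/protocols/smtp
@load base/frameworks/files
@load base/utils/urls

module SMTPURL;

export {
	redef enum Log::ID += { LOG };

	## Assumed field set: enough to pivot back into conn.log and files.log.
	type Info: record {
		ts:   time    &log;  ## when the URL was seen
		uid:  string  &log;  ## connection uid (joins to conn.log)
		id:   conn_id &log;  ## 4-tuple of the SMTP connection
		fuid: string  &log;  ## file id of the MIME entity (joins to files.log)
		url:  string  &log;  ## the URL as matched, without its scheme
	};
}

# On 2014-era Bro this event is named bro_init.
event zeek_init()
	{
	Log::create_stream(SMTPURL::LOG, [$columns=Info, $path="smtp_urls"]);
	}

## Called for each chunk of decoded body data handed to the data-event analyzer.
event smtp_url_data(f: fa_file, data: string)
	{
	if ( ! f?$conns )
		return;

	# find_all_urls_without_scheme comes from base/utils/urls.
	local urls = find_all_urls_without_scheme(data);

	for ( url in urls )
		{
		# A file can, in principle, be seen over several connections.
		for ( cid in f$conns )
			{
			local c = f$conns[cid];
			Log::write(SMTPURL::LOG, [$ts=network_time(),
			                          $uid=c$uid,
			                          $id=c$id,
			                          $fuid=f$id,
			                          $url=url]);
			}
		}
	}

## Attach the data-event analyzer to every file carried over SMTP.
## No MIME-type filter is applied here so the script also works on Bro
## versions where the type is not yet known when file_new fires.
event file_new(f: fa_file)
	{
	if ( f?$source && f$source == "SMTP" )
		Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
		                    [$stream_event=smtp_url_data]);
	}
```

Run it the same way as the command quoted above, e.g. `bro -C -r email.pcapng smtp-urls.bro` (or `zeek` on current releases), and a `smtp_urls.log` appears next to `conn.log` and `files.log`; the `uid` and `fuid` columns join to those two logs. Two caveats a practitioner should expect: the data-event analyzer delivers the body in chunks, so a URL that straddles a chunk boundary can be missed or truncated, and the regex in `find_all_urls_without_scheme` works on the raw text, so links hidden behind HTML entities or split across lines will not be matched.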