[Bro] Quick smtp-url-extraction question
jlay at slave-tothe-box.net
Thu Aug 7 10:30:49 PDT 2014
On 2014-08-07 11:26, Seth Hall wrote:
> On Aug 7, 2014, at 12:26 PM, James Lay <jlay at slave-tothe-box.net>
>> sudo bro -C -r ../captures/email.pcapng
> Ah! Perhaps a poorly named script. That's only extracting the URLs
> and feeding them into the intel framework.
> Would you like a script that extracts and logs them? I ran one of
> those in production before, it was useful to be able to see what
> were flying around for sure.
> I'm thinking for fields we could have...
> That should provide enough information to link back to the connection
> it happened over and which "file" (or body content since they're
> effectively the same in smtp) it was seen within.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
I would absolutely love a script that would log URLs... we all know
that quoted-printable and base64 shenanigans may get missed, but every
little bit helps... thanks a bunch Seth.
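The kind of script discussed above, written out as an added example (it is not Seth's script and not part of the Bro distribution): it attaches the data-event file analyzer to every SMTP body, pulls URLs out of each chunk with the `find_all_urls_without_scheme` helper from `base/utils/urls`, and writes them to their own log together with the connection `uid` and the file `fuid`, so a hit can be joined back to `conn.log` and `files.log`. The module name `SMTP_URLs`, the event name `smtp_url_data` and the `Info` field set are my choices, not anything from the thread.

```bro
# Added example: log URLs seen inside SMTP message bodies.
# Not the Bro project's script; names below (SMTP_URLs, smtp_url_data, Info)
# are assumptions chosen for this example.
@load base/protocols/smtp
@load base/utils/urls

module SMTP_URLs;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:   time    &log;   # when the URL was observed
        uid:  string  &log;   # connection uid, joins to conn.log
        id:   conn_id &log;   # 4-tuple of that connection
        fuid: string  &log;   # file id of the body/attachment, joins to files.log
        url:  string  &log;   # the extracted URL (scheme optional)
    };
}

# Bro-era name; newer Zeek releases call this zeek_init.
event bro_init()
    {
    # Default path is derived from the module name, so this becomes smtp_urls.log.
    Log::create_stream(LOG, [$columns=Info]);
    }

# Receives each chunk of body content the data-event analyzer delivers.
# Caveat: a URL split across a chunk boundary will be missed; buffer per
# file if that matters for your traffic.
event smtp_url_data(f: fa_file, data: string)
    {
    if ( ! f?$conns )
        return;

    local urls = find_all_urls_without_scheme(data);
    if ( |urls| == 0 )
        return;

    # A file can in principle be carried over several connections; log one
    # row per (connection, URL) so every row links back unambiguously.
    for ( cid in f$conns )
        {
        local c = f$conns[cid];
        for ( url in urls )
            Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                             $fuid=f$id, $url=url]);
        }
    }

# Only hook files that arrived over SMTP; other sources have their own logs.
event file_new(f: fa_file)
    {
    if ( f?$source && f$source == "SMTP" )
        Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
                            [$stream_event=smtp_url_data]);
    }
```

Run it the same way as the original command in the thread, e.g. `bro -C -r email.pcapng smtp-urls.bro`, and look for `smtp_urls.log` next to `conn.log` and `files.log`. As the reply notes, this only sees what the MIME decoder hands back as body data, so encodings Bro does not unwrap can still hide URLs; the `fuid` column is there precisely so you can go back to the file entry and extract the raw body when a row looks suspicious.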