[Bro] Error when extracting URLs from email traffic

Derek Banks itsecderek at gmail.com
Tue Jul 8 09:43:32 PDT 2014


Hello Bro list,
I am attempting to write a script to extract URLs from SMTP.  The script
below is my starting point and it seems to work pretty well except that I
am getting an error occasionally on some of the connections.  The end goal
(and I am a ways away atm) is to eventually get the URLs fed into the intel
framework to attempt to alert on potential spearphishing.

Script:
@load base/frameworks/intel
@load base/utils/urls
@load ./where-locations.bro

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
        {
        const mail_servers = { 192.168.50.72, 192.168.50.75 };

        if ( c$id$orig_h !in mail_servers )
                return;
        if ( ! f?$conns )
                return;
        if ( f$source != "SMTP" )
                return;

        if ( ! f?$bof_buffer )
                return;

        for ( cid in f$conns )
                {
                local urls = find_all_urls_without_scheme(f$bof_buffer);
                for ( url in urls )
                        {
                        print fmt(url);
                        }
                }
        }

The error is:
1404827445.346519 error in ./extract_urls_in_email_v1.bro, line 38: too few
arguments for format (fmt(url) and <redacted URL>


Does anyone know what might be causing this error?

Best Regards,
Derek
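An added, corrected version of the script (editor's example, not from the original post): Bro's fmt() takes its first argument as the format string, so a URL that contains a literal "%" (as URL-encoded query strings do) is parsed as a directive and fails with "too few arguments for format"; passing the URL through a fixed "%s" format avoids that, and the per-connection loop is dropped because bof_buffer belongs to the file, not to each connection. The mail server addresses are the ones from the post and are assumed to be local placeholders.

```bro
@load base/utils/urls

# Mail servers whose outbound SMTP we inspect (addresses taken from the post).
const mail_servers: set[addr] = { 192.168.50.72, 192.168.50.75 } &redef;

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	if ( c$id$orig_h !in mail_servers )
		return;
	if ( f$source != "SMTP" )
		return;
	if ( ! f?$bof_buffer )
		return;

	# Never use attacker-controlled data (a URL from a mail body) as the
	# format string itself; a "%20" or "%3D" in it would be read as a
	# format directive. Keep the format fixed and pass the URL as an argument.
	for ( url in find_all_urls_without_scheme(f$bof_buffer) )
		print fmt("%s", url);
	}
```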