[Bro] Error when extracting URLs from email traffic

Derek Banks itsecderek at gmail.com
Tue Jul 8 09:43:32 PDT 2014

Hello Bro list,
I am attempting to write a script to extract URLs from SMTP.  The script
below is my starting point and it seems to work pretty well except that I
am getting an  error occasionally on some of the connections.  The end goal
(and I am a ways away atm) is to eventually get the URLs fed into the intel
framework to attempt to alert on potential spearphishing.

@load base/frameworks/intel
@load base/utils/urls
@load ./where-locations.bro

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
        const mail_servers = {, };

        if ( c$id$orig_h !in mail_servers )
        if ( ! f?$conns )
        if ( f$source != "SMTP" )

        if ( ! f?$bof_buffer )

        for ( cid in f$conns )
                local urls = find_all_urls_without_scheme(f$bof_buffer);
                for ( url in urls )

                            print fmt(url);


The error is:
1404827445.346519 error in ./extract_urls_in_email_v1.bro, line 38: too few
arguments for format (fmt(url) and <redacted URL>

Does anyone know what might be causing this error?

Best Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140708/0370ca56/attachment.html 

More information about the Bro mailing list