[Bro] Error when extracting URLs from email traffic

Josh Liburdi liburdi.joshua at gmail.com
Tue Jul 8 09:52:41 PDT 2014


I think your error might be a simple one ... fmt() should use this
syntax: print fmt("%s",url);

-Josh

On Tue, Jul 8, 2014 at 12:43 PM, Derek Banks <itsecderek at gmail.com> wrote:
> Hello Bro list,
> I am attempting to write a script to extract URLs from SMTP.  The script
> below is my starting point and it seems to work pretty well except that I am
> getting an  error occasionally on some of the connections.  The end goal
> (and I am a ways away atm) is to eventually get the URLs fed into the intel
> framework to attempt to alert on potential spearphishing.
>
> Script:
> @load base/frameworks/intel
> @load base/utils/urls
> @load ./where-locations.bro
>
> event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
>         {
>         const mail_servers = { 192.168.50.72, 192.168.50.75 };
>
>         if ( c$id$orig_h !in mail_servers )
>                 return;
>         if ( ! f?$conns )
>                 return;
>         if ( f$source != "SMTP" )
>                 return;
>
>         if ( ! f?$bof_buffer )
>                 return;
>
>         for ( cid in f$conns )
>                 {
>                 local urls = find_all_urls_without_scheme(f$bof_buffer);
>                 for ( url in urls )
>                         {
>
>                             print fmt(url);
>
>                          }
>                 }
>         }
>
> The error is:
> 1404827445.346519 error in ./extract_urls_in_email_v1.bro, line 38: too few
> arguments for format (fmt(url) and <redacted URL>
>
>
> Does anyone know what might be causing this error?
>
> Best Regards,
> Derek
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
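
The fix suggested in this thread, as an added example that is not part of the original messages: URLs pulled from mail bodies often contain percent-encoded bytes, and `fmt()` treats its first argument as a format string, so the URL has to be passed as an argument rather than as the format. The helper `render_url`, the sample body and its URL are constructed for illustration, and `bro_init` is used so the script runs without any traffic.

```bro
@load base/utils/urls

# Hypothetical helper (not from the thread): render one extracted URL for output.
# The URL is untrusted data taken from a message body, so it is only ever
# passed to fmt() as an argument, never as the format string itself.
function render_url(src: string, url: string): string
	{
	return fmt("%s url=%s", src, url);
	}

event bro_init()
	{
	# Constructed sample body. The percent-encoded bytes (%20, %2F) are what
	# fmt() would try to parse as format directives if the URL were its
	# first argument.
	local body = "Please verify at http://example.com/reset%20password?next=%2Fhome today";

	for ( url in find_all_urls_without_scheme(body) )
		{
		# print fmt(url);   # URL used as the format string: run-time error
		print render_url("SMTP", url);
		}
	}
```

A plain `print url;` also avoids the problem when no extra formatting is needed.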


