[Bro] How to extract data to a eml file from smtp traffic

Robert_Yang at trendmicro.com.cn
Wed Jul 23 23:45:54 PDT 2014

Hi everyone,

I want to extract the whole message from SMTP traffic to an .eml file. The system event file_new() only saves each MIME entity of an email as a separate file instead of the whole email, which is not what I want.

I tried adding an event handler in ./share/bro/base/protocols/smtp/file.bro:

event smtp_data(c: connection, is_orig: bool, data: string)
	{
	print fmt("DATA %d", |data|);
	}

I print the size of every data chunk. The sum of all the data sizes is always less than the actual size of the .eml file (23137 bytes < 23831 bytes). So what am I missing? And how do I save the data to a file in the smtp_data event?

Please help me with the above question if you have time. Thank you very much!

Robert Yang
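The following Bro script is an added example written for this page; it is not code from the original message or from the Bro distribution. It shows one way to write the complete DATA section of each SMTP message to an .eml file from the smtp_data event. It rests on the assumption that the SMTP analyzer delivers smtp_data one line at a time with the CRLF line terminator removed, so the terminator is appended again on output; the missing 694 bytes in the post (23831 - 23137) are consistent with two bytes per line over a message of about 347 lines. The output directory name (out_dir), the file naming scheme, and the choice to treat the next SMTP command as the end of the message body are assumptions of this example, and it does not attempt to undo SMTP dot-stuffing of lines that begin with a period.

```bro
##! Added example (not part of the original post or of Bro itself):
##! reassemble the DATA section of each SMTP message into one .eml file.

module SMTPEml;

export {
	## Directory that receives the .eml files (assumption: current directory).
	const out_dir = "." &redef;
}

# Output file of the message currently in its DATA section, keyed by
# connection uid. Only one message can be in DATA on a connection at a time.
global cur_file: table[string] of file;

# Messages seen so far per connection, used to keep file names unique when
# several messages are sent over one connection.
global msg_num: table[string] of count;

event smtp_data(c: connection, is_orig: bool, data: string)
	{
	# Only the client (originator) transmits message content.
	if ( ! is_orig )
		return;

	if ( c$uid !in cur_file )
		{
		msg_num[c$uid] = (c$uid in msg_num) ? msg_num[c$uid] + 1 : 1;
		local fname = fmt("%s/%s-%d.eml", out_dir, c$uid, msg_num[c$uid]);
		cur_file[c$uid] = open(fname);
		}

	# Assumption: smtp_data hands over one line with its CRLF stripped, so
	# the terminator is re-added to recover the original byte count.
	write_file(cur_file[c$uid], data + "\r\n");
	}

function finish(uid: string)
	{
	if ( uid in cur_file )
		{
		close(cur_file[uid]);
		delete cur_file[uid];
		}
	}

# Any further command after the body (QUIT, MAIL, RSET, ...) means the
# DATA section has ended (assumption made by this example).
event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
	{
	finish(c$uid);
	}

# Close whatever is still open when the connection goes away.
event connection_state_remove(c: connection)
	{
	finish(c$uid);
	delete msg_num[c$uid];
	}
```

Run it with `bro -r capture.pcap smtp_eml.bro` (file name assumed) and compare the size of the resulting .eml file against the original message; if the reassembled file is still a few bytes short, check whether the analyzer also dropped the terminating "." line or unstuffed leading periods, which this example does not account for.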
