[Bro] SMTP File Hash not consistent
de Bruyn, David
David.deBruyn at jbssa.com
Thu Dec 3 10:45:06 PST 2015
First off... I'm kinda new to Bro so please be gentle....
I've noticed some issues (strangeness?) with the file logging on Bro, in particular I would like for Bro to log an MD5 for all incoming files sent in through SMTP. At the moment it only seems to do it for some files and I can't seem to find a reason why some are getting hashed but others aren't...
An extract from my files.log filtered by SMTP and pdf:
1449167625.904080 FS81ev 1449167623.516100 Fajnj71Xx6UprSmLef 18.104.22.168 22.214.171.124 C6pKQN2extOHQYZ4Fc SMTP 3 SHA1,MD5 application/pdf LoadTender3059527.pdf 0.015949 F T 57 - 1368 0 F - - - - -
1449167625.848077 FhU87R1PwGYciZcT2i 126.96.36.199 188.8.131.52 CkD4rQ1uG5VZhJL2v9 SMTP 1 SHA1,MD5 application/pdf 12.03.2015.pdf 0.016022 F T 456 - 1368 0 F - - - - -3MhA2vXGk5J8 184.108.40.206 220.127.116.11 CHB8Ew4kdUB3hDbkKl SMTP 3 SHA1,MD5 application/pdf Payment Advice Note from 12/03/2015.PDF 0.071983 F T 14535 - 0 0 F - ef853cc031d2abfbf6e0ec964163cd98 08eae5d275554f12d4783cb9c8be210d691f8db5 - -
1449167630.224049 FGUsvz3nDYqZlH56Y1 18.104.22.168 22.214.171.124 CK8Nwn4vGwpylAmpGj SMTP 3 SHA1,MD5 application/pdf PPC_LoadTender3057660.pdf 0.032006 F T 969 - 1544 0 F - - - - -
1449167631.024050 FiMmk5Zsczli9OGi7 126.96.36.199 188.8.131.52 CX4SUd3VDBBdYoXt0g SMTP 3 SHA1,MD5 application/pdf Payment Advice Note from 12/03/2015.PDF 0.011997 F T 171 - 1368 0 F - - - - -
So basically it won't create a file hash for a heap of files, then out of the blue it will create one, then no more for a while....
They all have the same mime type so I just can't seem to figure this out... any help or advice would be really appreciated...
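A triage script for the question above, as an added example that is not part of the original post or Bro's own code: it reads files.log by its #fields header and sorts the SMTP records that had an MD5 analyzer attached into hashed and unhashed, splitting the unhashed ones on whether missing_bytes is non-zero. The column names are assumed to follow the standard files.log header, and the sample records, addresses and digests are constructed.

```python
# Column names assumed from the standard Bro files.log header (not shown in the post).
FIELDS = ("ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type "
          "filename duration local_orig is_orig seen_bytes total_bytes "
          "missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 "
          "extracted").split()

def make_row(fuid, filename, seen, missing, md5="-", sha1="-"):
    """Build one constructed, tab-separated files.log record."""
    return "\t".join(["1449167625.0", fuid, "192.0.2.10", "198.51.100.5",
                      "C" + fuid, "SMTP", "3", "SHA1,MD5", "application/pdf",
                      filename, "0.01", "F", "T", str(seen), "-", str(missing),
                      "0", "F", "-", md5, sha1, "-", "-"])

# Constructed sample log; the digests are placeholders, not real hashes.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join(FIELDS),
    make_row("F1", "LoadTender.pdf", 57, 1368),
    make_row("F2", "Payment Advice Note.PDF", 14535, 0, "0" * 32, "1" * 40),
    make_row("F3", "invoice.pdf", 969, 1544),
    make_row("F4", "scan.pdf", 2048, 0),
    "#close\t2015-12-03-10-45-06",
])

def parse_files_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("no #fields header before first record")
            # Split on tabs only: filenames may contain spaces.
            yield dict(zip(fields, line.split("\t")))

def hash_gaps(text, source="SMTP"):
    """Bucket records that had an MD5 analyzer attached by hash / gap status."""
    out = {"hashed": [], "unhashed_with_gap": [], "unhashed_no_gap": []}
    for rec in parse_files_log(text):
        if rec["source"] != source or "MD5" not in rec["analyzers"].split(","):
            continue
        missing = int(rec["missing_bytes"])
        if rec["md5"] != "-":
            key = "hashed"
        else:
            key = "unhashed_with_gap" if missing > 0 else "unhashed_no_gap"
        out[key].append((rec["fuid"], rec["filename"], missing))
    return out

if __name__ == "__main__":
    for bucket, recs in hash_gaps(SAMPLE_LOG).items():
        print(bucket, recs)
```

On a real files.log, rows landing in unhashed_with_gap are files where Bro recorded content it did not see, which is worth ruling out before looking at the hashing configuration.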