[Bro] SMTP File Hash not consistent

de Bruyn, David David.deBruyn at jbssa.com
Thu Dec 3 10:45:06 PST 2015

Hi All!

First off... I'm kinda new to Bro so please be gentle....

I've noticed some issues (strangeness?) with the file logging on Bro. In particular, I would like for Bro to log an MD5 for all incoming files sent in through SMTP. At the moment it only seems to do it for some files and I can't seem to find a reason why some are getting hashed but others aren't...

An extract from my files.log filtered by SMTP and pdf:

1449167625.904080       FS81ev 1449167623.516100       Fajnj71Xx6UprSmLef   C6pKQN2extOHQYZ4Fc      SMTP    3       SHA1,MD5        application/pdf LoadTender3059527.pdf     0.015949        F       T       57      -       1368    0       F       -       -       -       -       -
1449167625.848077       FhU87R1PwGYciZcT2i   CkD4rQ1uG5VZhJL2v9      SMTP    1       SHA1,MD5        application/pdf 12.03.2015.pdf        0.016022        F       T       456     -       1368    0       F       -       -       -       -    -3MhA2vXGk5J8   CHB8Ew4kdUB3hDbkKl      SMTP    3       SHA1,MD5        application/pdf Payment Advice Note from 12/03/2015.PDF       0.071983        F       T       14535   -       0       0       F       -       ef853cc031d2abfbf6e0ec964163cd98     08eae5d275554f12d4783cb9c8be210d691f8db5 -       -
1449167630.224049       FGUsvz3nDYqZlH56Y1   CK8Nwn4vGwpylAmpGj      SMTP    3       SHA1,MD5        application/pdf PPC_LoadTender3057660.pdf     0.032006        F       T       969     -       1544    0       F       -       -       -       -       -
1449167631.024050       FiMmk5Zsczli9OGi7   CX4SUd3VDBBdYoXt0g      SMTP    3       SHA1,MD5        application/pdf Payment Advice Note from 12/03/2015.PDF       0.011997        F       T       171     -       1368    0       F       -       -       -       -       -

So basically it won't create a file hash for a heap of files, then out of the blue it will create one, then no more for a while....

They all have the same mime type so I just can't seem to figure this out... any help or advice would be really appreciated...


