[Bro] SMTP attachments and files from other ports/protocols
donaldson8 at llnl.gov
Thu Jul 9 13:00:57 PDT 2015
If you take a look at the HTTP monitoring example here (https://www.bro.org/sphinx/httpmonitor/index.html) and modify the final example ("Inspecting Files") to use "SMTP" instead of "HTTP", you should be pretty close to getting this to work.
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Sanner, Daniel A
Sent: Thursday, July 09, 2015 2:42 PM
To: bro at bro.org
Subject: [Bro] SMTP attachments and files from other ports/protocols
Is there a script that exists or that can be modified to be able to capture/download attachments that are detected?
Specifically, looking for SMTP attachments in e-mails. However, files in the Files.log could be helpful too.
Right now, the best I can figure is that the SMTP log is just a copy of e-mail headers and nothing more.
The files.log only has MD5 and/or SHA1 hashes, but no details about file name, type, or even the file itself.
We had heard that there are tools out there like Bro (if not Bro itself) that can do this.
If Bro has this capability, storage media requirements is not an issue.
Any additional information that I can glean and add to the logs could be helpful.
Thanks in advance,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro