[Bro] Support for SMTP chunking?

Gross, Brett gross.b at ghc.org
Mon May 16 11:31:14 PDT 2016


So after a long weekend of Bro, I believe I've confirm that Bro does not currently support parsing BINARYMIME/CHUNKING style connections or formatting. I was able to write a small PoC script to print the MIME record to confirm the data is present but not being parsed by SMTP base. We've resolved this by disabling the BINARYMIME and CHUNKING SMTP verbs as advertised on the SMTP server and the upstream SMTP server now connects using the traditional DATA command resulting in Bro being able to parse that traffic.


From: Gross, Brett
Sent: Sunday, May 15, 2016 12:43 PM
To: bro at bro.org
Subject: Support for SMTP chunking?

Do the Bro analyzers support SMTP "chunking" verb/command?


GHC Confidentiality Statement

This message and any attached files might contain confidential information protected by federal and state law. The information is intended only for the use of the individual(s) or entities originally named as addressees. The improper disclosure of such information may be subject to civil or criminal penalties. If this message reached you in error, please contact the sender and destroy this message. Disclosing, copying, forwarding, or distributing the information by unauthorized individuals or entities is strictly prohibited by law.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160516/f107606c/attachment.html 

More information about the Bro mailing list