[Bro] Detecting multiple Email attachments
bro at pingtrip.com
Thu Jan 5 09:50:40 PST 2017
I'm looking to generate a notice when an email has both a PDF and an Excel document attached, and wanted a sanity check on a solution before I started coding.
First, create a lookup table to track file mime-types over a period of time. Something like:
global fuid_mime_state: table[string] of string &create_expire=2min &expire_func=fuid_out;
Second, on "file_state_remove" events (where the source is SMTP) add the details to the tracking table. Something like:
fuid_mime_state[f$id] = f$info$mime_type;
And finally, on "SMTP::log_smtp" events loop through the rec$fuids vector and look them up in the fuid_mime_state table to see if both a PDF and Excel doc are attached.
Does this approach make sense, or am I overlooking an easier solution?
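The three steps sketched above, written out as one Bro script; this is an added example, not code from the original post. The module name, the notice name, the Excel MIME strings and the assumption that file_state_remove fires for an attachment before the SMTP record of the same message is logged are all mine.

```bro
# Added example (not from the original post): the three steps above as one Bro
# script. The module/notice names and Excel MIME strings are assumptions.
@load base/frameworks/files
@load base/frameworks/notice
@load base/protocols/smtp

module SMTP_MultiAttach;

export {
	redef enum Notice::Type += { PDF_And_Excel_Attached };
}
# Step 1: remember each SMTP file id's MIME type for a short window so the
# SMTP log record, which is written later, can look its attachments up.
global fuid_mime_state: table[string] of string &create_expire=2min;

# Step 2: record the detected MIME type once an SMTP-sourced file is done.
event file_state_remove(f: fa_file)
	{
	if ( ! f?$source || f$source != "SMTP" )
		return;
	if ( ! f?$info || ! f$info?$mime_type )
		return;
	fuid_mime_state[f$id] = f$info$mime_type;
	}

# Step 3: when the SMTP transaction is logged, check its fuids against the table.
event SMTP::log_smtp(rec: SMTP::Info)
	{
	if ( ! rec?$fuids )
		return;
	local has_pdf = F;
	local has_xls = F;
	for ( i in rec$fuids )
		{
		local fuid = rec$fuids[i];
		if ( fuid !in fuid_mime_state )
			next;
		local mt = fuid_mime_state[fuid];
		if ( mt == "application/pdf" )
			has_pdf = T;
		# Assumed Excel MIME strings: legacy .xls and OOXML .xlsx.
		else if ( mt == "application/vnd.ms-excel" ||
		          mt == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" )
			has_xls = T;
		}
	if ( has_pdf && has_xls )
		NOTICE([$note=PDF_And_Excel_Attached, $uid=rec$uid, $identifier=rec$uid,
		        $msg=fmt("SMTP message %s carries both a PDF and an Excel file", rec$uid)]);
	}
```

Whether the xlsx case is reported under the OOXML MIME string or under a generic zip type depends on the MIME signatures in the Bro version in use, so check files.log for the strings actually seen before relying on the match.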