[Bro-Dev] [JIRA] (BIT-1051) smtp-url-extraction.bro misses/truncates urls between data chunks

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Thu Nov 7 07:30:31 PST 2013


    [ https://bro-tracker.atlassian.net/browse/BIT-1051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14603#comment-14603 ] 

Seth Hall commented on BIT-1051:
--------------------------------

That's a known limitation.  The plan at the moment is to create a file analyzer that lets you extract with a regular expression.  Internally it would be provided as a stream so the chunking issue will go away.  What's in place now is a hack unfortunately.

> smtp-url-extraction.bro misses/truncates urls between data chunks
> -----------------------------------------------------------------
>
>                 Key: BIT-1051
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1051
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Brian Little
>            Priority: Low
>
> Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
> event intel_mime_data(f: fa_file, data: string) {}
> I think the file analysis framework sends the data through to the intel_mime_data event in sections (appears that way from adding print debugging). The cutting point between the data sections can fall in the middle of a URL, causing the regex to miss the URL, or truncate it.
> What would be the recommended way around this? (and other usage of file analysis framework)



--
This message was sent by Atlassian JIRA
(v6.2-OD-01#6204)
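
The chunk-boundary failure described in this thread, next to a stream-style extractor that carries the unfinished tail into the next chunk, as an added Python example (not Bro's code and not the planned file analyzer). The URL regex, the delimiter set, `StreamingURLExtractor`, `max_hold` and the sample message are constructed assumptions.

```python
import re

DELIMS = b" \t\r\n<>\"'"  # bytes that end a URL under this simplified pattern
# Simplified URL regex (assumption; not the one in smtp-url-extraction.bro)
URL_RE = re.compile(rb"https?://[^ \t\r\n<>\"']+")

def extract_per_chunk(chunks):
    """Ticket behaviour: every chunk is matched on its own."""
    return [u for c in chunks for u in URL_RE.findall(c)]

class StreamingURLExtractor:
    """Hold back the trailing token until a delimiter proves it is complete."""
    def __init__(self, max_hold=4096):
        self.buf = b""
        self.max_hold = max_hold  # cap so a delimiter-free body cannot grow the buffer

    def feed(self, chunk):
        self.buf += chunk
        cut = len(self.buf)
        while cut > 0 and self.buf[cut - 1] not in DELIMS:
            cut -= 1  # walk back to just after the last delimiter
        if len(self.buf) - cut > self.max_hold:
            cut = len(self.buf)  # give up on the oversized token, scan it as-is
        ready, self.buf = self.buf[:cut], self.buf[cut:]
        return URL_RE.findall(ready)

    def close(self):
        """End of file: whatever is still held is final."""
        ready, self.buf = self.buf, b""
        return URL_RE.findall(ready)

def extract_streaming(chunks):
    ex = StreamingURLExtractor()
    found = [u for c in chunks for u in ex.feed(c)]
    return found + ex.close()

# Constructed sample: one message body delivered in three pieces
BODY = b"See http://example.com/a/b?c=1 and https://example.org/login now\r\n"
CHUNKS = [BODY[:18], BODY[18:40], BODY[40:]]

if __name__ == "__main__":
    print("per chunk:", extract_per_chunk(CHUNKS))
    print("streaming:", extract_streaming(CHUNKS))
```

Per-chunk matching returns one truncated URL and misses the second entirely; the streaming version returns both. The `max_hold` cap trades completeness for bounded memory on bodies that never contain a delimiter.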

