[Bro] Extracting Email Attachments
Bernhard Amann
bernhard at ICSI.Berkeley.EDU
Fri Mar 22 12:44:44 PDT 2013
I think it should have been /application\/.*/ instead of /application\/*/ - I think
Aashish made a small typo there. Could you try adding the missing "."? :)
Bernhard
On Mar 22, 2013, at 12:34 PM, Digital Ninja <dn1nj4 at gmail.com> wrote:
> Based on Aashish's recommendations, I added the following 4 lines to the end of my local.bro:
>
> redef SMTP::extract_file_types += /application\/*/;
> redef SMTP::extraction_prefix = "/tmp/extracted_";
> redef SMTP::extract_file = T;
> redef SMTP::calc_md5 = T;
>
> While there are attachments listed in the smtp_entities.log, they have no MD5 hashes and have not been extracted to /tmp. What am I missing?
>
>
>
> On Fri, Mar 22, 2013 at 10:32 AM, Aashish SHARMA <init.conf at gmail.com> wrote:
>
> ## define the mime types you want extracted /.*/ means everything
>
> redef SMTP::extract_file_types += /application\/*/;
>
> ## path where extracted attachments need to go:
> redef SMTP::extraction_prefix = "/data/bro/extract/smtp-entity" ;
>
>
>
> On Mar 22, 2013, at 3:49 AM, Digital Ninja <dn1nj4 at gmail.com> wrote:
>
> > Hello all,
> >
> > New bro user here. I'm trying to understand how to enable email attachment extraction with bro. I see in smtp-entities the setting "extract-file" which by default is False. What is the right way to enable it and set the directory where these attachments will reside?
> >
> > Thanks in advance!
> > Jason
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
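The difference between the two patterns in this thread, as an added example that is not code from the thread or from Bro. It uses Python's `re` as a stand-in for Bro patterns and shows both exact and embedded matching, because the thread does not say which one the SMTP script applies. The log sample is constructed and its column names (`filename`, `mime_type`, `md5`, `extraction_file`) are assumptions.

```python
import re

# Patterns from the thread, written as Python regexes (stand-ins for Bro patterns).
TYPO = r"application\/*"     # "application" followed by zero or more "/"
FIXED = r"application\/.*"   # "application/" followed by anything

def selects(pattern, mime_type, exact=True):
    """True if pattern selects mime_type under exact or embedded matching."""
    rx = re.compile(pattern)
    return bool(rx.fullmatch(mime_type) if exact else rx.search(mime_type))

def parse_bro_log(text):
    """Parse a Bro tab-separated log into dicts keyed by the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def not_extracted(rows, pattern, exact=True):
    """Filenames the pattern selects whose extraction_file is unset ("-")."""
    return [r["filename"] for r in rows
            if selects(pattern, r["mime_type"], exact)
            and r["extraction_file"] == "-"]

# Constructed sample log; column names are assumptions, not taken from the thread.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tuid\tfilename\tmime_type\tmd5\textraction_file",
    "1363981000.0\tCabc1\tinvoice.pdf\tapplication/pdf\t-\t-",
    "1363981001.0\tCabc2\tnote.txt\ttext/plain\t-\t-",
    "1363981002.0\tCabc3\ttool.zip\tapplication/zip\t-\t-",
])

if __name__ == "__main__":
    rows = parse_bro_log(SAMPLE_LOG)
    for name, pat in (("typo", TYPO), ("fixed", FIXED)):
        for exact in (True, False):
            mode = "exact" if exact else "embedded"
            # An empty list under "exact" means the pattern selects nothing to extract.
            print(name, mode, not_extracted(rows, pat, exact))
```

Under exact matching the pattern with the typo selects no `application/...` entity at all, so nothing is expected on disk; under embedded matching both patterns select the same entities and the cause of missing files lies elsewhere.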