[Bro] Extracting Email Attachments

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Fri Mar 22 12:44:44 PDT 2013


I think it should have been /application\/.*/ instead of /application\/*/ - I think
Aashish made a small typo there. Could you try adding the missing "."? :)

Bernhard

On Mar 22, 2013, at 12:34 PM, Digital Ninja <dn1nj4 at gmail.com> wrote:

> Based on Aashish's recommendations, I added the following 4 lines to the end of my local.bro: 
> 
> redef SMTP::extract_file_types += /application\/*/;
> redef SMTP::extraction_prefix = "/tmp/extracted_";
> redef SMTP::extract_file = T;
> redef SMTP::calc_md5 = T;
> 
> While there are attachments listed in the smtp_entities.log, they have no MD5 hashes and have not been extracted to /tmp.  What am I missing?
> 
> 
> 
> On Fri, Mar 22, 2013 at 10:32 AM, Aashish SHARMA <init.conf at gmail.com> wrote:
> 
> ## define the mime types you want extracted /.*/ means everything
> 
> redef SMTP::extract_file_types += /application\/*/;
> 
> ## path where extracted attachments need to go:
> redef SMTP::extraction_prefix = "/data/bro/extract/smtp-entity" ;
> 
> 
> 
> On Mar 22, 2013, at 3:49 AM, Digital Ninja <dn1nj4 at gmail.com> wrote:
> 
> > Hello all,
> >
> > New bro user here.  I'm trying to understand how to enable email attachment extraction with bro.  I see in smtp-entities the setting "extract-file" which by default is False.  What is the right way to enable it and set the directory where these attachments will reside?
> >
> > Thanks in advance!
> > Jason
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
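To see what the missing dot actually changes, here is a small Python check (added here; it is not code from the thread or from Bro) that runs the pattern as posted and the corrected pattern against a constructed list of Content-Type values, once as an anchored whole-string match and once as an unanchored substring search. Bro compares a pattern with `==` as a whole-string match and with `in` as a substring search; the example shows both because which comparison the entities script applies to `SMTP::extract_file_types` is not stated in the thread.

```python
import re

# The two patterns from the thread, as Python regexes (the syntax is the
# same for these two: "/*" is zero or more slashes, "/.*" is a slash and
# then anything).
PATTERN_AS_POSTED = r"application/*"   # "application" followed by zero or more "/"
PATTERN_CORRECTED = r"application/.*"  # "application/" followed by any subtype

# Constructed sample of MIME types such as an smtp_entities.log might carry;
# these are made-up values for the demonstration, not from the thread.
SAMPLE_MIME_TYPES = [
    "application/pdf",
    "application/zip",
    "application/x-msdownload",
    "application",
    "text/plain",
    "image/png",
]


def matches(pattern: str, value: str, anchored: bool) -> bool:
    """Match `pattern` against `value`.

    anchored=True requires the whole string to match (the behaviour of a
    Bro `pattern == string` comparison); anchored=False accepts a match
    anywhere in the string (the behaviour of `pattern in string`).
    """
    if anchored:
        return re.fullmatch(pattern, value) is not None
    return re.search(pattern, value) is not None


def selected_types(pattern: str, mime_types, anchored: bool):
    """Return the MIME types from `mime_types` that `pattern` selects."""
    return [m for m in mime_types if matches(pattern, m, anchored)]


def compare_patterns(mime_types=SAMPLE_MIME_TYPES):
    """Run both patterns under both comparison modes and collect the results."""
    return {
        "as_posted_anchored": selected_types(PATTERN_AS_POSTED, mime_types, True),
        "corrected_anchored": selected_types(PATTERN_CORRECTED, mime_types, True),
        "as_posted_unanchored": selected_types(PATTERN_AS_POSTED, mime_types, False),
        "corrected_unanchored": selected_types(PATTERN_CORRECTED, mime_types, False),
    }


if __name__ == "__main__":
    for mode, selected in compare_patterns().items():
        print(f"{mode:22s} -> {selected}")
```

Under a whole-string match the pattern as posted selects only the bare string `application`, since `/*` allows nothing but slashes after it, while the corrected pattern selects every `application/...` subtype; under a substring search both patterns select all four `application` entries. So the dot matters only when the comparison is anchored, which is a point worth checking in the script before relying on the pattern.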