[Bro] Extracting Email Attachments

Digital Ninja dn1nj4 at gmail.com
Fri Mar 22 13:08:53 PDT 2013


So apparently I was incorrect in thinking that local.bro was loading
automatically when running bro from the command line.  Including the
local.bro policy successfully extracted the attachments.

What it also told me was that these two lines:
redef SMTP::extract_file = T;
redef SMTP::calc_md5 = T;

are not valid.  But poking around a little bit in entities.bro I found the
generate_md5 MIME types and redefined that in the local.bro file.

Thanks for the help all!
On Fri, Mar 22, 2013 at 3:59 PM, Digital Ninja <dn1nj4 at gmail.com> wrote:

> I tried both:
> redef SMTP::extract_file_types += /application\/.*/;
> and
> redef SMTP::extract_file_types += /.*/;
>
> But still end up with no attachments in /tmp, nor MD5s in the
> smtp_entities.log.
>
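The local.bro fragment implied by the thread, written out here as an added example rather than anything the poster or the Bro project shipped. The option names SMTP::extract_file_types and SMTP::generate_md5 are the ones the thread cites from entities.bro; the @load line, the SMTP::extraction_prefix option and its /tmp value, and the specific patterns are assumptions to be checked against the entities.bro in the installed Bro version.

```bro
# local.bro: site policy, loaded with "bro -r trace.pcap local" or "bro -i eth0 local".
# Added example; option names other than extract_file_types and generate_md5
# are assumptions, so verify them against base/protocols/smtp/entities.bro.

# Loaded by default with base/ in Bro 2.x; stated explicitly for clarity.
@load base/protocols/smtp/entities

# Not valid (the thread's point): neither identifier exists in entities.bro,
# so bro reports an unknown identifier and stops loading the policy.
#   redef SMTP::extract_file = T;
#   redef SMTP::calc_md5 = T;

# Extract every MIME entity whose declared type matches this pattern.
# The option is a pattern of MIME types, not a boolean switch.
redef SMTP::extract_file_types += /application\/.*/;

# Hash the same set of types. The default pattern covers only a few
# executable types, so widen it to get MD5s into smtp_entities.log.
redef SMTP::generate_md5 += /application\/.*/;

# Assumed option: on-disk prefix under which extracted entities are written.
redef SMTP::extraction_prefix = "/tmp/smtp-entity";
```

Matching /.*/ in both options, as the poster tried, extracts and hashes every entity including plain text bodies; restricting to /application\/.*/ keeps the extraction directory to actual attachments.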