[Bro] Extract files from SMTP

Liam Randall liam at broala.com
Thu Nov 7 06:00:10 PST 2013


Hey Derek,

Attached is a script to dump "All files" out to disk; you would want to
modify that and check to see if they are "SMTP" first.

The documentation here should have enough examples to get you started:

http://www.bro.org/sphinx-git/frameworks/file-analysis.html

Hope all is well buddy.

Thanks,

Liam Randall





On Thu, Nov 7, 2013 at 8:01 AM, Derek Banks <itsecderek at gmail.com> wrote:

> Hello All,
>
> I've been using bro now for a good few months and I still feel like a
> complete noob.  I need to extract out mime types in smtp traffic - I am
> looking to extract docx files from our last few weeks of pcaps to then go
> check for embedded TIFF files (latest 0 day out on MS apps).  Time is not
> on my side at the moment - management is bothered about this one for some
> reason.
>
> I am running from git master and cannot seem to figure out how the new
> file handling works.  Has anyone done something like this recently after
> the file handling change and would be willing to share?
>
> Once I get the docx files extracted my intent was to use yara to look for
> tiffs then foremost to carve any out.
>
> Regards,
> Derek
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Liam Randall
Managing Partner
510-281-0760
www.Broala.com <http://www.broala.com/>
From the creators of Bro <http://www.bro.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: extract-all-files.bro
Type: application/octet-stream
Size: 82 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131107/ec4e7fad/attachment.obj 
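An added example of the "check for SMTP first" change Liam suggests; this is not the attached extract-all-files.bro (whose contents are not on this page) and it assumes a Bro 2.2-era git master where file_new already carries f$source and f$mime_type, and that libmagic may report a .docx as application/zip rather than the OOXML type.

```bro
# Added example: extract files carried over SMTP to disk, optionally
# limited to Word .docx payloads. Not the script attached to the mail.
@load base/files/extract

# Assumed: .docx is a ZIP container, so the sniffed type may be either of these.
const docx_types: set[string] = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/zip",
} &redef;

# Set to F to dump every SMTP file regardless of sniffed type.
const only_docx = T &redef;

event file_new(f: fa_file)
    {
    # Only act on files that the SMTP analyzer handed to the file framework.
    if ( ! f?$source || f$source != "SMTP" )
        return;

    # Optional MIME filter; mime_type may be absent for very short files.
    if ( only_docx && ( ! f?$mime_type || f$mime_type !in docx_types ) )
        return;

    # Files land under FileExtract::prefix (./extract_files/ by default);
    # the file id keeps names unique and free of attacker-controlled text.
    local fname = fmt("smtp-%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Run it over the stored pcaps with `bro -r capture.pcap this-script.bro`; the extracted .docx files can then be fed to yara and foremost as described in the original question.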