[Bro] Extract links in SMTP

James Lay jlay at slave-tothe-box.net
Thu Nov 7 10:39:23 PST 2013


On Nov 7, 2013, at 6:53 AM, James Lay <jlay at slave-tothe-box.net> wrote:

> Just saw the Extract files from SMTP, and I’d love to be able to extract links from SMTP as well.  Many times I have to track down from my http logs a bad link that was gone to… would love to be able to just look for the link in my smtp log to find out if it was clicked on via an email.  I too am still a noob at bro, so any assistance with getting something like this to go would be great… thanks all.
> 
> James
> 

Any chance someone can point me in the right direction with this?  My goal is to add an http field in the smtp_entities file, so I won’t have to create a completely new log file.  I have this code (thanks to the gent from the IRC channel):

@load base/protocols/smtp
# find_all_urls() is defined in base/utils/urls (there is no base/utils loader)
@load base/utils/urls

# Fires once per MIME entity with that entity's data; print every URL in it.
event mime_entity_data(c: connection, length: count, data: string)
	{
	print find_all_urls(data);
	}

But that’s all I got so far.  I’ve spent a good portion of the morning reading the docs at:

http://www.bro.org/sphinx-beta/scripting/index.html#understanding-bro-scripts

And I’m still pretty much at the same spot I was at… completely lost :D.  My understanding is that I need to create a new .bro script, and then add a redef in my local.bro, but that’s the extent of my knowledge at this point.  Any help would really be appreciated.  Thank you.

James
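One way to get from the print statement above to a loggable field, as an added example that is not part of the original post or of Bro itself: the snippet extends the per-message smtp.log record (SMTP::Info) with a `urls` column instead of smtp_entities, because one message can have several MIME parts and a single set per message is what gets matched against http.log; the field name and the file name below are assumptions.

```bro
## Added example (not from the original post): collect the URLs seen in
## every MIME body of a message and log them as an extra "urls" column
## in smtp.log. The field name is an assumption chosen for illustration.

@load base/protocols/smtp
@load base/utils/urls

module SMTP;

redef record Info += {
	## Assumed new field: every URL found in any MIME part of this message.
	urls: set[string] &optional &log;
};

event mime_entity_data(c: connection, length: count, data: string)
	{
	# Only act when this connection has an SMTP transaction in progress,
	# so the handler never touches a connection without an smtp record.
	if ( ! c?$smtp )
		return;

	local found = find_all_urls(data);
	if ( |found| == 0 )
		return;

	if ( ! c$smtp?$urls )
		c$smtp$urls = set();

	# Set semantics de-duplicate a URL that appears in several parts
	# (for example in both the text/plain and text/html alternatives).
	for ( u in found )
		add c$smtp$urls[u];
	}
```

Saved as, say, smtp-urls.bro next to local.bro and loaded there with `@load smtp-urls`, it adds the column without a new log file; a URL from the new column can then be searched for in http.log to see whether the link was followed.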
