[Bro] Links in SMTP round 2
Justin Azoff
JAzoff at albany.edu
Fri Nov 8 08:31:30 PST 2013
On Fri, Nov 08, 2013 at 08:57:38AM -0700, James Lay wrote:
> Thanks a BUNCH Justin…this helps. As I’m looking at this, I think what I’m hoping for, is something like:
>
> "if the smtp message stream contains http, then log the link to smtp_http.log, otherwise don’t log anything about the stream to smtp_http.log"
>
> Something I’m stumbling on is…how do I specify the smtp stream, and how do I find out if it contains http (looking at the Bro cheat sheet I don’t see “=~”). Again, thanks so much Justin…I think I’m getting closer.
>
> James
You pasted how to do this in your first message:
event mime_entity_data(c: connection, length: count, data: string)
	{
	# find_all_urls() comes from base/utils/urls.bro, which Bro loads by default.
	print find_all_urls(data);
	}
The only tricky part is that find_all_urls would return a vector, so your log
field needs to be a 'vector of string' and not just a 'string'.
--
-- Justin Azoff
-- Network Security & Performance Analyst
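The following is an added example, not part of the original message and not Justin's code, that puts the pieces of the thread together into one Bro script: it defines a separate smtp_http log stream, pulls URLs out of each MIME entity seen by the SMTP analyzer, keeps only the http/https ones, and writes a log record only when at least one was found. The module name SMTP_HTTP is chosen so that Bro's default log path naming yields smtp_http.log; the log field is declared as set[string] because find_all_urls() in base/utils/urls.bro is defined to return a string_set (a set of strings).

```bro
# Added example: log http/https URLs found in SMTP MIME bodies to smtp_http.log.
# Assumes a Bro 2.x install with the default base scripts loaded, so that
# mime_entity_data and find_all_urls() are available.
module SMTP_HTTP;

export {
	# Declaring the stream under module SMTP_HTTP makes the default
	# output file smtp_http.log.
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:   time         &log;
		uid:  string       &log;
		id:   conn_id      &log;
		# find_all_urls() returns a string_set, so the field is a set of strings.
		urls: set[string]  &log;
	};
}

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info]);
	}

event mime_entity_data(c: connection, length: count, data: string)
	{
	# Extract every URL-looking token from this MIME entity.
	local found = find_all_urls(data);

	# Keep only http:// and https:// links, as the thread asked for.
	local hits: set[string];
	for ( u in found )
		{
		if ( /^https?:\/\// in u )
			add hits[u];
		}

	# Nothing to report for this entity: write nothing to smtp_http.log.
	if ( |hits| == 0 )
		return;

	Log::write(LOG, [$ts=network_time(),
	                 $uid=c$uid,
	                 $id=c$id,
	                 $urls=hits]);
	}
```

Run it with bro -r some-smtp-trace.pcap smtp_http.bro (the trace file name is a placeholder); connections whose MIME entities carry no http/https links never produce a line, so the log only contains the hits. The set is written as a single comma-separated field by the default ASCII writer.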