[Bro] Links in SMTP round 2

James Lay jlay at slave-tothe-box.net
Fri Nov 8 08:34:51 PST 2013


On Nov 8, 2013, at 9:31 AM, Justin Azoff <JAzoff at albany.edu> wrote:

> On Fri, Nov 08, 2013 at 08:57:38AM -0700, James Lay wrote:
>> Thanks a BUNCH Justin…this helps.  As I’m looking at this, I think what I’m hoping for, is something like:
>> 
>> "if the smtp message stream contains http, then log the link to smtp_http.log, otherwise don’t log anything about the stream to smtp_http.log"
>> 
>> Something I’m stumbling on is… how do I specify the smtp stream, and how do I find out if it contains http (looking at the Bro cheat sheet I don’t see “=~”)? Again, thanks so much Justin… I think I’m getting closer.
>> 
>> James
> 
> You pasted how to do this in your first message:
> 
> event mime_entity_data(c: connection, length: count, data: string)
>        { print find_all_urls(data); }
> 
> The only tricky part is find_all_urls would return a vector so your log
> field needs to be a 'vector of string' and not just a 'string'
> 
> 
> 
> -- 
> -- Justin Azoff
> -- Network Security & Performance Analyst


Awesome…thank you much Justin.

James
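Putting the reply's pieces together as a complete Bro script (this is an added example, not code from the thread or from the Bro distribution): a dedicated log stream whose URL field is a container rather than a plain string, written only when the decoded MIME entity of an SMTP message actually contains an http:// or https:// link. The module name SMTP_HTTP, the stream SMTP_HTTP::LOG and the field names are my choices. One detail worth knowing when declaring the field: in Bro's base/utils/urls.bro, find_all_urls is declared as returning string_set (a set of strings, since it wraps the find_all BIF), so the field below is set[string]; the practical point of the reply is unchanged, the log column has to be a container type, and Bro can log sets of strings directly.

```bro
# smtp_http.bro (added example, not part of the original thread)
# Logs http/https URLs found in SMTP message bodies to smtp_http.log,
# and writes nothing at all for messages that carry no such link.

@load base/protocols/smtp

module SMTP_HTTP;

export {
    # Assumed stream name; the log file name is derived from the module
    # name by default, so this lands in smtp_http.log.
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:   time        &log;  # time the entity was seen
        uid:  string      &log;  # connection UID, joins with conn.log/smtp.log
        id:   conn_id     &log;  # 4-tuple of the SMTP connection
        urls: set[string] &log;  # http/https URLs extracted from the body
    };
}

event bro_init()
    {
    Log::create_stream(SMTP_HTTP::LOG, [$columns=Info]);
    }

# mime_entity_data delivers the decoded content of a MIME entity.  It is
# raised by the SMTP analyzer's MIME handling, but check that this really
# is an SMTP connection before treating it as one.
event mime_entity_data(c: connection, length: count, data: string)
    {
    if ( ! c?$smtp )
        return;

    # find_all_urls matches any scheme with "://"; keep only http/https
    # since that is what the question asked for.
    local http_urls: set[string] = set();
    for ( u in find_all_urls(data) )
        {
        if ( /^https?:\/\// in u )
            add http_urls[u];
        }

    # The condition from the thread: no http link, no log line.
    if ( |http_urls| == 0 )
        return;

    Log::write(SMTP_HTTP::LOG, [$ts=network_time(),
                                $uid=c$uid,
                                $id=c$id,
                                $urls=http_urls]);
    }
```

Run it against a capture with `bro -r mail.pcap smtp_http.bro` and look at smtp_http.log; the uid column lets you join each line back to smtp.log for sender, recipients and subject. Because the field is a set, duplicate links in one message collapse to a single entry, and a message whose only links are ftp:// or other schemes is skipped by the filter loop, which is easy to relax if you want every URL.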