[Bro] Quick smtp-url-extraction question
Seth Hall
seth at icir.org
Thu Aug 7 10:26:28 PDT 2014
On Aug 7, 2014, at 12:26 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> sudo bro -C -r ../captures/email.pcapng
> /usr/local/bro/share/bro/policy/frameworks/intel/seen/smtp-url-extraction.bro
Ah! Perhaps a poorly named script. That's only extracting the URLs and feeding them into the intel framework.
Would you like a script that extracts and logs them? I ran one of those in production before; it was useful to be able to see what links were flying around for sure.
I'm thinking for fields we could have...
ts
uid
fuid
trans_depth
link
That should provide enough information to link back to the connection it happened over and which "file" (or body content since they're effectively the same in smtp) it was seen within.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
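One way the logging script proposed in the reply above could look, as an added example that is not part of the thread and not an official Bro script. It assumes the Bro 2.x scripting API: the `find_all_urls_without_scheme()` helper from `base/utils/urls` (the same helper the intel-framework extraction script relies on), `Files::ANALYZER_DATA_EVENT` with a `$stream_event` argument, and the `trans_depth` field of `SMTP::Info`. The module name `SMTPLinks`, the log type `Info`, and the event name `smtp_link_data` are chosen here for the example.

```bro
##! Added example: write every URL seen in an SMTP message body to its own
##! log, with the fields proposed in the reply (ts, uid, fuid, trans_depth,
##! link). Not an official Bro script; names below are this example's own.

@load base/utils/urls
@load base/protocols/smtp

module SMTPLinks;

export {
	redef enum Log::ID += { LOG };

	## One row per URL observed in an SMTP body.
	type Info: record {
		## When the URL was seen.
		ts:          time   &log;
		## Connection the message was carried over.
		uid:         string &log;
		## File (message body / MIME part) the URL was found in.
		fuid:        string &log;
		## Transaction depth within the SMTP session.
		trans_depth: count  &log;
		## The URL itself, as matched by base/utils/urls.
		link:        string &log;
	};

	global log_smtp_links: event(rec: Info);
}

event bro_init() &priority=5
	{
	# Path defaults to one derived from the stream name (lowercased).
	Log::create_stream(SMTPLinks::LOG, [$columns=Info, $ev=log_smtp_links]);
	}

# Receives body data for SMTP files chunk by chunk. A URL split across
# two chunks will not be matched; that is the same limitation the intel
# extraction script has.
event smtp_link_data(f: fa_file, data: string)
	{
	if ( ! f?$conns )
		return;

	local urls = find_all_urls_without_scheme(data);
	if ( |urls| == 0 )
		return;

	for ( cid in f$conns )
		{
		local c = f$conns[cid];
		# Only log when the connection actually has SMTP state attached.
		if ( ! c?$smtp )
			next;

		for ( url in urls )
			{
			Log::write(SMTPLinks::LOG, [$ts=network_time(),
			                            $uid=c$uid,
			                            $fuid=f$id,
			                            $trans_depth=c$smtp$trans_depth,
			                            $link=url]);
			}
		}
	}

# Attach the data-event analyzer to every file that originated in SMTP.
event file_new(f: fa_file)
	{
	if ( f$source == "SMTP" )
		Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
		                    [$stream_event=smtp_link_data]);
	}
```

Load it alongside the pcap from the original question (`bro -C -r email.pcapng smtp-links.bro`, assuming the script is saved under that name) and the resulting log can be joined back to `conn.log` on `uid`, to `files.log` on `fuid`, and to `smtp.log` on `uid` plus `trans_depth`. Because `find_all_urls_without_scheme()` returns a set, duplicates within one chunk collapse, but the same URL repeated across chunks or MIME parts will produce one row each.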