[Bro] Quick smtp-url-extraction question
James Lay
jlay at slave-tothe-box.net
Thu Aug 7 10:30:49 PDT 2014
On 2014-08-07 11:26, Seth Hall wrote:
> On Aug 7, 2014, at 12:26 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> sudo bro -C -r ../captures/email.pcapng
>>
>> /usr/local/bro/share/bro/policy/frameworks/intel/seen/smtp-url-extraction.bro
>
> Ah! Perhaps a poorly named script. That's only extracting the URLs
> and feeding them into the intel framework.
>
> Would you like a script that extracts and logs them? I ran one of
> those in production before, it was useful to be able to see what
> links were flying around for sure.
>
> I'm thinking for fields we could have...
>
> ts
> uid
> fuid
> trans_depth
> link
>
> That should provide enough information to link back to the connection
> it happened over and which "file" (or body content since they're
> effectively the same in smtp) it was seen within.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
I would absolutely love a script that would log URLs... we all know
that quoted-printable and base64 shenanigans may get missed, but every
little bit helps... thanks a bunch Seth.
James
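An added sketch of the log Seth outlines above, with the fields he lists (ts, uid, fuid, trans_depth, link). This is example code written for this page, not Seth's production script and not part of the Bro distribution. It is written against the Bro 2.3-era script API: it assumes find_all_urls from base/utils/urls (the helper the stock smtp-url-extraction script builds on), the Files::ANALYZER_DATA_EVENT stream analyzer, and the SMTP::Info record reachable as c$smtp. The module name SMTPLinks, the event name smtp_link_data and the seen_links de-duplication set are my own choices.

```bro
##! Added example (not Seth's script, not in Bro's distribution): log every
##! URL found in SMTP message bodies, one line per link, with the fields
##! proposed in the thread.  Written against the Bro 2.3-era script API.

@load base/frameworks/files
@load base/frameworks/logging
@load base/protocols/smtp
@load base/utils/urls

module SMTPLinks;

export {
	redef enum Log::ID += { LOG };

	## One record per link seen in an SMTP body.
	type Info: record {
		## Time the link was observed.
		ts:          time   &log;
		## Connection the message travelled over (matches conn.log/smtp.log).
		uid:         string &log;
		## File (MIME body part) the link was found in (matches files.log).
		fuid:        string &log;
		## SMTP transaction depth, to tie the row to the right smtp.log line.
		trans_depth: count  &log;
		## The link itself, scheme included.
		link:        string &log;
	};

	## Links already written for a given file, so a URL repeated inside one
	## body (text and HTML alternatives, for instance) is logged once.
	## Hypothetical name; the expiry keeps the set bounded on a busy link.
	global seen_links: set[string, string] &create_expire=5min;
}

event bro_init() &priority=5
	{
	Log::create_stream(SMTPLinks::LOG, [$columns=Info]);
	}

## Called with each chunk the MIME analyzer hands to the file framework.
## Caveat: a URL split across two chunks is not matched; the stock
## smtp-url-extraction script works the same way.  No transfer-decoding is
## done here; the chunk is taken as delivered by the analyzer.
event smtp_link_data(f: fa_file, data: string)
	{
	if ( ! f?$conns )
		return;

	local urls = find_all_urls(data);
	if ( |urls| == 0 )
		return;

	for ( url in urls )
		{
		if ( [f$id, url] in seen_links )
			next;
		add seen_links[f$id, url];

		for ( cid in f$conns )
			{
			local c = f$conns[cid];
			# A file without SMTP state on its connection is still logged.
			local depth = c?$smtp ? c$smtp$trans_depth : 0;
			Log::write(SMTPLinks::LOG, [$ts=network_time(),
			                            $uid=c$uid,
			                            $fuid=f$id,
			                            $trans_depth=depth,
			                            $link=url]);
			}
		}
	}

event file_new(f: fa_file)
	{
	# Only bodies that arrived over SMTP get the stream analyzer attached.
	if ( f$source == "SMTP" )
		Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
		                    [$stream_event=smtp_link_data]);
	}
```

Saved as, say, smtp-links.bro (hypothetical file name), it runs the same way as the command quoted above: bro -C -r email.pcapng smtp-links.bro, and with the default path function the rows land in smtplinks.log. The uid and fuid columns are what let you join each row back to conn.log, smtp.log and files.log, which is the point Seth makes about linking a link to the connection and the body it was seen in.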