[Bro] Quick smtp-url-extraction question

Hosom, Stephen M hosom at battelle.org
Thu Aug 14 06:51:30 PDT 2014 

All,

I submitted a pull request last week for this. You could technically grab the script and run it. Since I’m not part of the Bro team though, I can’t promise that this will continue to work.

https://github.com/bro/bro/pull/10

I run a variation of this script in my production environment right now. Keep in mind that it is normally a bad plan to extend an internal Bro module. Since there’s a pretty high demand for it, if you’d like to modify this to not extend the internal SMTP modules and be separate, it is a relatively short task (about 15 minutes).

Lastly, this is provided as-is with no warranty, etc. etc.

Thanks,

Stephen

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Lankau, John
Sent: Thursday, August 14, 2014 8:58 AM
To: James Lay; bro at bro-ids.org
Subject: Re: [Bro] Quick smtp-url-extraction question

Seth,

+100

I just wanted to add that I think that script that logs SMTP URLs would get a lot of use in our environment as well.  It’s been an elusive data point, but one we really would like to have.  We’ve been having high-level discussions on how to implement something that does this exact process in our office, so I’d be very interested in using this script once it’s ready as well.

Thanks!
--John

From: bro-bounces at bro.org<mailto:bro-bounces at bro.org> [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Thursday, August 07, 2014 7:50 PM
To: bro at bro-ids.org<mailto:bro at bro-ids.org>
Subject: Re: [Bro] Quick smtp-url-extraction question

On Thu, 2014-08-07 at 13:39 -0400, Seth Hall wrote:



On Aug 7, 2014, at 1:30 PM, James Lay <jlay at slave-tothe-box.net<mailto:jlay at slave-tothe-box.net>> wrote:



> I would absolutely love a script that would log urls....we all know that quoted-printable and bas364 shenanigans may get missed



Much of that should be handled automatically by the mime analyzer (I'm not sure of the limits of that offhand).



> , but every little bit helps..thanks a bunch Seth.



I'll see if I can get to it soon.



  .Seth



--

Seth Hall

International Computer Science Institute

(Bro) because everyone has a network

http://www.bro.org/



Thanks again Seth.

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140814/4995f29b/attachment.html

More information about the Bro mailing list