[Bro] Quick smtp-url-extraction question

Josh Liburdi liburdi.joshua at gmail.com
Thu Aug 14 09:06:35 PDT 2014


Aashish,

I'm curious why you suggested only using the bloom filter version of
this script in Bro 2.3-- is there a reason one wouldn't want to use it
in Bro 2.2?

Josh

On Thu, Aug 14, 2014 at 7:30 AM, Aashish Sharma <asharma at lbl.gov> wrote:
> OK. Here are the smtp-url-extraction scripts, attached to this email. I apologize for the delays in sending.
>
> These scripts have been running for > 1 1/2 years, so I can say they are fairly stable and should not cause any issues.
>
> 1) Please configure site.bro (attached) as per your site specifics and add it to your site/local.bro file.
>
> 2) If you are running bro-2.2 or below please use: smtp-url-extraction.bro
>
> 3) If you are running bro-2.3, use smtp-url-extraction-bloom.bro - it uses bloom filters to check against URLs in the http stream. So it's less taxing on memory compared to (2).
>
> This script should log URLs embedded in smtp traffic into a file called smtpurl_links.log. Also there are configuration variables such as suspicious_text_in_url, suspicious_text_in_body etc. You can look into smtp-embedded-url.bro (and -bloom.bro) to see the kinds of notices it would generate.
>
> This script is part of a bigger smtp suite. I will try to collect other scripts and send those out as well.
>
> Please let me know if you have any questions or have issues running these scripts.
>
> Thanks,
> Aashish
> LBNL
>
> On Thu, Aug 14, 2014 at 01:51:30PM +0000, Hosom, Stephen M wrote:
>>
>>    All,
>>
>>
>>    I submitted a pull request last week for this. You could technically grab
>>    the script and run it. Since I’m not part of the Bro team though, I can’t
>>    promise that this will continue to work.
>>
>>
>>    [1]https://github.com/bro/bro/pull/10
>>
>>
>>    I run a variation of this script in my production environment right now.
>>    Keep in mind that it is normally a bad plan to extend an internal Bro
>>    module. Since there's a pretty high demand for it, if you'd like to modify
>>    this to not extend the internal SMTP modules and be separate, it is a
>>    relatively short task (about 15 minutes).
>>
>>
>>    Lastly, this is provided as-is with no warranty, etc. etc.
>>
>>
>>    Thanks,
>>
>>    Stephen
>>
>>
>>    From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Lankau,
>>    John
>>    Sent: Thursday, August 14, 2014 8:58 AM
>>    To: James Lay; bro at bro-ids.org
>>    Subject: Re: [Bro] Quick smtp-url-extraction question
>>
>>
>>    Seth,
>>
>>
>>    +100
>>
>>
>>    I just wanted to add that I think that script that logs SMTP URLs would get
>>    a lot of use in our environment as well. It's been an elusive data point,
>>    but one we really would like to have. We've been having high-level
>>    discussions on how to implement something that does this exact process in
>>    our office, so I'd be very interested in using this script once it's ready
>>    as well.
>>
>>
>>    Thanks!
>>
>>    --John
>>
>>
>>    From: [2]bro-bounces at bro.org [[3]mailto:bro-bounces at bro.org] On Behalf Of
>>    James Lay
>>    Sent: Thursday, August 07, 2014 7:50 PM
>>    To: [4]bro at bro-ids.org
>>    Subject: Re: [Bro] Quick smtp-url-extraction question
>>
>>
>>    On Thu, 2014-08-07 at 13:39 -0400, Seth Hall wrote:
>>
>> On Aug 7, 2014, at 1:30 PM, James Lay <[5]jlay at slave-tothe-box.net> wrote:
>>
>> > I would absolutely love a script that would log urls....we all know that quoted-printable and base64 shenanigans may get missed
>>
>> Much of that should be handled automatically by the mime analyzer (I'm not sure of the limits of that offhand).
>>
>> > , but every little bit helps..thanks a bunch Seth.
>>
>> I'll see if I can get to it soon.
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> [6]http://www.bro.org/
>>
>>
>>    Thanks again Seth.
>>    James
>>
>> References
>>
>>    1. https://github.com/bro/bro/pull/10
>>    2. mailto:bro-bounces at bro.org
>>    3. mailto:bro-bounces at bro.org
>>    4. mailto:bro at bro-ids.org
>>    5. mailto:jlay at slave-tothe-box.net
>>    6. http://www.bro.org/
>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> --
> Aashish Sharma  (asharma at lbl.gov)
> Cyber Security,
> Lawrence Berkeley National Laboratory
> http://go.lbl.gov/pgp-aashish
> Office: (510)-495-2680  Cell: (510)-612-7971
>
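
The pipeline Aashish describes above (decode the MIME body, pull out the embedded URLs, raise notices on suspicious text, and later check the URLs seen in the HTTP stream against them via a Bloom filter) written out standalone in Python, as an added example. This is not code from the thread or from the LBNL scripts, and it does not use Bro; it is here so the behaviour can be tried on a captured message without a sensor. The suspicious-text lists, the Bloom filter sizing, the sample message and the sample HTTP requests are all constructed for illustration and are not taken from the scripts. The MIME decoding step is the part James worries about: a URL split by a quoted-printable soft line break, or sitting inside a base64 part, only appears whole after the Content-Transfer-Encoding is undone.

```python
import base64
import email
import hashlib
import math
import re

URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.IGNORECASE)

# Assumed analogues of the suspicious_text_in_url / suspicious_text_in_body knobs.
SUSPICIOUS_TEXT_IN_URL = ("verify", "login", "password")
SUSPICIOUS_TEXT_IN_BODY = ("account has been suspended", "mailbox is full")


class BloomFilter:
    """Fixed-size Bloom filter: no false negatives, tunable false-positive rate."""

    def __init__(self, capacity, fp_rate):
        self.m = math.ceil(-capacity * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: derive the k bit indexes from one SHA-256 digest.
        h = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def extract_urls(raw_message):
    """Return (set of URLs, decoded body text) from a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message)
    texts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes base64 / quoted-printable, so split URLs come back whole.
        payload = part.get_payload(decode=True) or b""
        texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(texts)
    return set(URL_RE.findall(body)), body


def notices_for(urls, body):
    """Notice-style findings: suspicious text in a URL, suspicious text in the body."""
    found = []
    for url in sorted(urls):
        for needle in SUSPICIOUS_TEXT_IN_URL:
            if needle in url.lower():
                found.append(("suspicious_text_in_url", url))
    lowered = body.lower()
    for needle in SUSPICIOUS_TEXT_IN_BODY:
        if needle in lowered:
            found.append(("suspicious_text_in_body", needle))
    return found


def http_hits(bloom, requests):
    """Rebuild each HTTP request URL (Host + URI) and test it against the filter."""
    hits = []
    for host, uri in requests:
        url = "http://%s%s" % (host.lower(), uri)
        if url in bloom:  # exact-string match; normalisation is an assumption here
            hits.append(url)
    return hits


# Constructed sample: a base64 text part plus a quoted-printable HTML part whose
# URL is split by a soft line break ("exam=\r\nple.org") and uses =3D for "=".
_PLAIN_B64 = base64.b64encode(
    b"Your mailbox is full. Click http://mail-quota.example.net/verify to fix it.\r\n"
).decode("ascii")
SAMPLE_MESSAGE = (
    "From: IT Helpdesk <helpdesk@example.com>\r\n"
    "To: alice@example.com\r\n"
    "Subject: Mailbox quota\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    'Content-Type: text/plain; charset="utf-8"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + _PLAIN_B64 + "\r\n"
    "--b1\r\n"
    'Content-Type: text/html; charset="utf-8"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<html><body><p>Your account has been suspended. Visit =\r\n"
    '<a href=3D"http://update.exam=\r\n'
    'ple.org/account?id=3D42">this page</a>.</p></body></html>\r\n'
    "--b1--\r\n"
).encode("utf-8")

# Constructed HTTP requests as (Host header, request URI) pairs seen later on the wire.
SAMPLE_HTTP_REQUESTS = [
    ("www.example.com", "/index.html"),
    ("update.example.org", "/account?id=42"),
]


def run(raw_message=SAMPLE_MESSAGE, requests=SAMPLE_HTTP_REQUESTS):
    urls, body = extract_urls(raw_message)
    bloom = BloomFilter(capacity=10000, fp_rate=0.001)
    for url in urls:
        bloom.add(url)
    return {"urls": urls, "notices": notices_for(urls, body), "hits": http_hits(bloom, requests)}
```

`run()` returns the two URLs recovered from the decoded parts, one URL notice and two body notices, and a single HTTP hit for the click on the quoted-printable link. The Bloom filter is what keeps the memory cost bounded: membership is a few bit tests per request, at the price of a small false-positive rate (set by `fp_rate`), so a hit is a reason to look at the http log, not proof on its own.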
