[Bro] Error when extracting URLs from email traffic

Josh Liburdi liburdi.joshua at gmail.com
Tue Jul 8 10:02:01 PDT 2014


Actually, never mind. fmt() will accept either version if you are
passing data into it. I copied your script and removed some elements
(const mail_servers, logic checks for SMTP and mail_servers) and it
processed correctly.

-Josh

On Tue, Jul 8, 2014 at 12:52 PM, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
> I think your error might be a simple one ... fmt() should use this
> syntax: print fmt("%s",url);
>
> -Josh
>
> On Tue, Jul 8, 2014 at 12:43 PM, Derek Banks <itsecderek at gmail.com> wrote:
>> Hello Bro list,
>> I am attempting to write a script to extract URLs from SMTP.  The script
>> below is my starting point and it seems to work pretty well except that I am
>> getting an error occasionally on some of the connections.  The end goal
>> (and I am a ways away atm) is to eventually get the URLs fed into the intel
>> framework to attempt to alert on potential spearphishing.
>>
>> Script:
>> @load base/frameworks/intel
>> @load base/utils/urls
>> @load ./where-locations.bro
>>
>> event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
>>         {
>>         const mail_servers = { 192.168.50.72, 192.168.50.75 };
>>
>>         if ( c$id$orig_h !in mail_servers )
>>                 return;
>>         if ( ! f?$conns )
>>                 return;
>>         if ( f$source != "SMTP" )
>>                 return;
>>
>>         if ( ! f?$bof_buffer )
>>                 return;
>>
>>         for ( cid in f$conns )
>>                 {
>>                 local urls = find_all_urls_without_scheme(f$bof_buffer);
>>                 for ( url in urls )
>>                         {
>>
>>                             print fmt(url);
>>
>>                          }
>>                 }
>>         }
>>
>> The error is:
>> 1404827445.346519 error in ./extract_urls_in_email_v1.bro, line 38: too few
>> arguments for format (fmt(url) and <redacted URL>
>>
>>
>> Does anyone know what might be causing this error?
>>
>> Best Regards,
>> Derek
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
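
Added example, not part of the thread: the intermittent "too few arguments for format" error is consistent with extracted URLs that contain percent-encoded characters, since `fmt(url)` uses message content as the format string. The script below assumes a constructed message body and a hypothetical `report_url` helper, and shows the constant-format-string form next to the original call.

```bro
@load base/utils/urls

# Hypothetical helper (not from the thread): report one extracted URL.
function report_url(url: string)
	{
	# Form used in the original script: the URL itself is the format
	# string, so a "%" inside it is read as the start of a conversion
	# specifier that has no matching argument.
	#     print fmt(url);

	# Constant format string, with the URL passed only as data.
	# Percent-encoded bytes such as %2F and %20 are printed literally.
	print fmt("smtp_url=%s", url);
	}

event bro_init()
	{
	# Constructed sample message body; the first URL is percent-encoded.
	local body = "Reset here: http://mail.example.com/reset?next=%2Faccount%20settings or visit http://www.example.org/index.html today";

	local urls = find_all_urls_without_scheme(body);
	for ( url in urls )
		report_url(url);
	}
```

Because the URLs come from email content controlled by the sender, keeping them out of the format-string position also prevents a crafted message from triggering script errors in the handler.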
