[Bro] How to extract data to an eml file from smtp traffic

Seth Hall seth at icir.org
Thu Jul 24 06:40:59 PDT 2014


On Jul 24, 2014, at 2:45 AM, Robert_Yang at trendmicro.com.cn wrote:

> I want to extract the whole data to an eml file from smtp traffic. And the system event – file_new() only saves every mime entity of an email as a file instead of the whole email. This is not what I want.

I'm going to assume you're saying that you want the entire SMTP data transaction.  I don't actually know what Microsoft does for their eml format but it sounds like you're just describing a full mime transfer.

Eventually I think things will be changing with the SMTP analyzer where the whole message is passed as a file and the MIME analyzer will be separated as a file analyzer (it's directly integrated into the smtp analyzer right now).  This will make it possible to get the whole message if you want it, but you'll also be able to have Bro extract and analyze all of the mime entities separately too.

> I print the size of every data. The sum of every data size is always less than the actual size of the eml file (23137 Byte < 23831 Byte). So what do I miss? And how do I save data to a file in the smtp_data event?

Could you send along a trace file where you are having this problem?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
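An added example, not code from Seth or the Bro project, of the approach the question asks about: buffer each line delivered by smtp_data per connection and write the message out as one .eml file once the server acknowledges the end-of-DATA marker. It assumes smtp_data fires once per line without the trailing CRLF (which is re-added here, accounting for the size gap the question reports), that smtp_reply reports the acknowledged command as ".", and a placeholder output directory /tmp/eml that must already exist.

```bro
# Added example: reassemble SMTP DATA into one .eml file per message.
# Assumptions (not verified on the thread): smtp_data is raised once per
# line without CRLF; the end-of-DATA reply carries cmd == ".".

module EmlDump;

export {
    ## Output directory (placeholder; must exist before Bro runs).
    const out_dir = "/tmp/eml" &redef;
}

# Lines of the message currently being transferred, keyed by connection uid.
global bufs: table[string] of vector of string;
# Per-connection message counter, so several messages on one session
# do not overwrite each other.
global seq: table[string] of count &default=0;

event smtp_data(c: connection, is_orig: bool, data: string)
    {
    if ( ! is_orig )          # only the client-to-server direction carries DATA
        return;
    if ( c$uid !in bufs )
        bufs[c$uid] = vector();
    bufs[c$uid][|bufs[c$uid]|] = data;   # append the line
    }

function flush(uid: string)
    {
    if ( uid !in bufs )
        return;
    local f = open(fmt("%s/%s-%d.eml", out_dir, uid, seq[uid]));
    for ( i in bufs[uid] )
        write_file(f, fmt("%s\r\n", bufs[uid][i]));   # restore CRLF line ends
    close(f);
    delete bufs[uid];
    seq[uid] += 1;
    }

# The server's reply to the "." terminator means one message is complete.
event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
                 msg: string, cont_resp: bool)
    {
    if ( cmd == "." && c$uid in bufs )
        flush(c$uid);
    }

# Write out anything still buffered if the connection ends mid-message.
event connection_state_remove(c: connection)
    {
    flush(c$uid);
    }
```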
