[Bro] How to extract data to a eml file from smtp traffic

Robert_Yang at trendmicro.com.cn Robert_Yang at trendmicro.com.cn
Thu Jul 24 18:17:41 PDT 2014


Hi Seth,

Thanks for your rapid reply! 

Actually, I want to catch the whole message indeed, as you mentioned. In my environment, I try to send an eml file as the payload of the DATA command, then catch it with Bro and compare it with the original eml file.

You mention that "Eventually I think things will be changing with the SMTP analyzer where the whole message is passed as a file", so I try to catch the data in the smtp_data event in files.bro. And finally I can get the original mail content indeed. 

About data size, I double-checked my data and found out the root cause. The original eml file is 23831 bytes in Windows EOL format. The captured data is saved in UNIX EOL format, so it is a little bigger. After fixing this issue, the captured data is equal to the original eml file. Bro is very great!

Robert Yang

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: July 24, 2014 21:41
To: Robert Yang (RD-CN)
Cc: bro at bro.org
Subject: Re: [Bro] How to extract data to a eml file from smtp traffic


On Jul 24, 2014, at 2:45 AM, Robert_Yang at trendmicro.com.cn wrote:

> I want to extract the whole data to an eml file from smtp traffic. And the system event - file_new() only saves every mime entity of an email as a file instead of the whole email. This is not what I want.

I'm going to assume you're saying that you want the entire SMTP data transaction.  I don't actually know what Microsoft does for their eml format but it sounds like you're just describing a full mime transfer.

Eventually I think things will be changing with the SMTP analyzer where the whole message is passed as a file and the MIME analyzer will be separated as a file analyzer (it's directly integrated into the smtp analyzer right now).  This will make it possible to get the whole message if you want it, but you'll also be able to have Bro extract and analyze all of the mime entities separately too.

> I print the size of every data. The amount of every data size is always less than the actual size of the eml file (23137 Byte < 23831 Byte). So what do I miss? And how to save data to a file in the smtp_data event?

Could you send along a trace file where you are having this problem?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
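The size mismatch Robert resolved above (a CRLF-terminated .eml versus a capture written with LF line endings) is a common pitfall when checking that a capture is complete. The following added Python example, which is not code from the thread or from the Bro project, shows the check a practitioner would want: reassemble per-line DATA chunks (the assumption here is that the capture path hands over each line without its terminator, as a line-oriented smtp_data handler would), then compare against the original after normalizing line endings and report the first genuinely differing line. The sample .eml is constructed for the example.

```python
"""Compare an SMTP DATA capture to the original .eml, accounting for line endings.

Added illustration for the thread above (not the poster's or Bro's code).
The helpers reassemble per-line DATA chunks, then compare against the
original after EOL normalization so that CRLF-vs-LF differences are
separated from real data loss.
"""
from typing import Iterable, List, Optional

CRLF = b"\r\n"
LF = b"\n"

# Constructed sample message (CRLF line endings, as a Windows-saved .eml would have).
ORIGINAL_EML = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"Hello Bob,\r\n"
    b"this is a constructed message body.\r\n"
)


def split_data_lines(message: bytes) -> List[bytes]:
    """Simulate a line-oriented capture: yield each line without its terminator.

    Assumption for this example: the capture path delivers DATA line by line
    and strips the CRLF, which is why a naive writer ends up with LF-only output.
    """
    return message.replace(CRLF, LF).split(LF)


def reassemble(lines: Iterable[bytes], eol: bytes = CRLF) -> bytes:
    """Join captured lines back into a message using the chosen line ending.

    Writing with CRLF reproduces the wire format; writing with LF yields the
    smaller UNIX-EOL file seen in the thread.
    """
    return eol.join(lines)


def normalize_eol(data: bytes) -> bytes:
    """Map CRLF and bare CR to LF so a byte comparison ignores EOL convention."""
    return data.replace(CRLF, LF).replace(b"\r", LF)


def compare_capture(original: bytes, captured: bytes) -> dict:
    """Return size figures and the first differing line (1-based) after EOL normalization.

    first_differing_line is None when the two messages match once line endings
    are normalized, which is exactly the situation the thread describes.
    """
    orig_n = normalize_eol(original)
    cap_n = normalize_eol(captured)
    first_diff: Optional[int] = None
    if orig_n != cap_n:
        o_lines, c_lines = orig_n.split(LF), cap_n.split(LF)
        for i, (a, b) in enumerate(zip(o_lines, c_lines), start=1):
            if a != b:
                first_diff = i
                break
        else:
            # All shared lines match, so the difference is a missing/extra tail line.
            first_diff = min(len(o_lines), len(c_lines)) + 1
    return {
        "original_bytes": len(original),
        "captured_bytes": len(captured),
        "crlf_lines_in_original": original.count(CRLF),
        "equal_after_eol_normalization": orig_n == cap_n,
        "first_differing_line": first_diff,
    }


if __name__ == "__main__":
    lines = split_data_lines(ORIGINAL_EML)
    lf_capture = reassemble(lines, LF)
    print(compare_capture(ORIGINAL_EML, lf_capture))
    print(compare_capture(ORIGINAL_EML, reassemble(lines, CRLF)))
```

The byte-count difference between the LF capture and the CRLF original equals the number of CRLF-terminated lines, so when `equal_after_eol_normalization` is true and `captured_bytes == original_bytes - crlf_lines_in_original`, the capture is complete and only the EOL convention differs; a non-None `first_differing_line` points at actual data loss or corruption instead.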





