[Bro] spam mail message collector

Hosom, Stephen M hosom at battelle.org
Wed Aug 19 05:17:56 PDT 2015


You could just use file extraction. This will extract many files for multipart messages.

Try: https://github.com/hosom/bro-file-extraction

Add and load a file that contains the following hook:

hook FileExtraction::extract(f: fa_file, meta: fa_metadata) &priority=10
    {
    # Select every file carried over SMTP (the MIME parts of each message) for extraction.
    if ( f$source == "SMTP" )
        break;
    }
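As an added example (not from this thread or the bro-file-extraction project), the hook above extended so that only messages whose envelope sender is on a spammer list are selected; the spammers set, its sample addresses and the @load path are assumptions:

```bro
# Added example: select for extraction only SMTP files whose MAIL FROM address
# is on a spammer list. Assumes hosom/bro-file-extraction is cloned next to
# this script (assumed path below).
@load ./bro-file-extraction

module SpamCollector;

export {
    # Envelope sender addresses to collect (constructed sample values).
    const spammers: set[string] = {
        "spammer@example.com",
        "offers@example.net"
    } &redef;
}

hook FileExtraction::extract(f: fa_file, meta: fa_metadata) &priority=10
    {
    # Only SMTP traffic with a connection record attached is of interest.
    if ( f$source != "SMTP" || ! f?$conns )
        return;

    local from_spammer = F;
    for ( cid in f$conns )
        {
        local c = f$conns[cid];
        if ( ! c?$smtp || ! c$smtp?$mailfrom )
            next;
        # MAIL FROM may be recorded as "<addr>", so test by substring, not equality.
        for ( s in spammers )
            {
            if ( s in c$smtp$mailfrom )
                from_spammer = T;
            }
        }

    # A break inside the loops would only leave the loop; the break here is
    # the hook break the reply above uses to select a file for extraction.
    if ( from_spammer )
        break;
    }
```

The extracted MIME parts then land wherever the framework writes them; the subject and envelope addresses for the same message are already in smtp.log.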

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Hyun Yoo
Sent: Tuesday, August 18, 2015 5:49 PM
To: bro at bro.org
Subject: [Bro] spam mail message collector

Hello Bro. I am new to bro.
I think my task is more suitable to Bro than other NIDS.
There is a list of spammer email addresses and
I want to save the email subject and whole message of them.
(reassembled payload of tcp segments)
I tried a few events like log_smtp, tcp_contents but couldn't save the whole stream.

Can anybody guide me to the right way, please?