[Bro] SMTP attachments and files from other ports/protocols
seth at icir.org
Thu Jul 9 19:27:50 PDT 2015
> On Jul 9, 2015, at 3:42 PM, Sanner, Daniel A <daniel.sanner at pnnl.gov> wrote:
> Right now, the best I can figure is that the SMTP log is just a copy of e-mail headers and nothing more.
It’s more than that, it has information from the SMTP protocol, information from the MIME message itself, derived information from the mime headers (see the “path” field), and it has a link to file IDs for any “files” transferred over the smtp transaction. You can look up more information about the files in files.log.
> The files.log only has MD5 and/or SHA1 hashes, but no details about file name, type, or even the file itself.
files.log does actually contain a file name when the protocol itself clearly indicates a name for the file being transferred (refer to the content-disposition header in http for one example). It also has a mime type that it derives from examining the content of the file with signatures. If you would like to extract files, you can certainly do that but you frequently need to choose when you want to extract files because you don’t normally want to extract all files.
> We had heard that there are tools out there like Bro (if not Bro itself) that can do this.
> If Bro has this capability, storage media requirements is not an issue.
If that’s really true and you have infinite storage space...
This in a Bro script...
Or this at the command line...
bro -r mytraffic.pcap frameworks/files/extract-all-files
You will get a lot of files if you load that script. :)
International Computer Science Institute
(Bro) because everyone has a network
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150709/8b2ff943/attachment.bin
More information about the Bro