[Bro] SMTP Data Fragmentation Problems

Trevor Taubitz tjtaubit at mtu.edu
Wed Aug 10 09:59:45 PDT 2016


So I'm having an odd problem that I can't seem to find any documentation
on. I'm trying to use Bro to do some stuff with email monitoring, but I'm
having some issues when it comes to data fragmentation. The test setup that
I have is three servers: one DNS server for MX resolution, a sending SMTP
server/client, and a receiving SMTP server with Bro running on it. The Bro
server is using the default configuration. I'm sending emails to the
receiving server, and they are showing up in the test user's mail just
fine. Most of the time, Bro picks up this traffic no problem and puts the
necessary log entries into smtp.log and files.log. The problem is that any
time I try sending a large attachment (which amounts to any time that the
SMTP data field needs to be fragmented across multiple packets), Bro
doesn't seem to be picking it up. It will catch extremely small
attachments, but won't even log emails that have to fragment. Is there any
insight someone could give me about this?

