[Bro] Bro 2.4.1 and issue with smtp-embedded-url-bloom.bro
James Lay
jlay at slave-tothe-box.net
Wed Mar 30 16:54:37 PDT 2016
On Wed, 2016-03-30 at 15:04 +0000, Stephen Castellarin wrote:
> Hi all,
>
>
> I've set up a Bro instance to test out URL extraction from SMTP, using
> the smtp-embedded-url-bloom.bro scripts. For the most part the
> extract/logging is working, but many times I'll find that the host and
> url logged will be truncated. As an example I'd see one email listed
> that has 20 links extracted, but one log entry would have host name as
> "award" with the url as "http://award". The remaining URLs for that
> email look to be extracted correctly.
>
>
> Has anyone else noticed this issue?
>
> Thanks,
> Steve
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Yep...I suspect emails that are quoted-printable emails fall victim to
this:
https://en.wikipedia.org/wiki/Quoted-printable
James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160330/d283c4d6/attachment.html
More information about the Bro
mailing list