[Bro] Bro 2.4.1 and issue with smtp-embedded-url-bloom.bro
Aashish Sharma
asharma at lbl.gov
Wed Mar 30 17:05:40 PDT 2016
Hello James,
Yes, that was caused in a very early version of the script because of using
You should try this:
- event mime_segment_data(c: connection, length: count, data: string) &priority=-5
+ event mime_all_data(c: connection, length: count, data: string) &priority=-5
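Review bot: the only change in the hunk is the event name, from `mime_segment_data` to `mime_all_data`, with the signature and `&priority=-5` left identical, so the handler body is presumably unchanged; the reply would be easier to act on if it said why this fixes Steve's symptom: `mime_segment_data` delivers the MIME body in pieces, so a URL that straddles a segment boundary is scanned as two fragments (which is how a host of "award" and a URL of "http://award" can be logged), while `mime_all_data` hands the handler the complete entity in one string and the URL is scanned whole.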
Or try this policy:
https://github.com/initconf/smtp-analysis/blob/master/smtp-embedded-url-bloom.bro
Aashish
On Wed, Mar 30, 2016 at 05:54:37PM -0600, James Lay wrote:
>
> On Wed, 2016-03-30 at 15:04 +0000, Stephen Castellarin wrote:
>
> Hi all,
>
> I've set up a Bro instance to test out URL extraction from SMTP, using the
> smtp-embedded-url-bloom.bro scripts. For the most part the
> extract/logging is working, but many times I'll find that the host and url
> logged will be truncated. As an example I'd see one email listed that has
> 20 links extracted, but one log entry would have host name as "award" with
> the url as "http://award". The remaining URLs for that email look to be
> extracted correctly.
>
> Has anyone else noticed this issue?
> Thanks,
>
> Steve
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> Yep...I suspect emails that are quoted-printable emails fall victim to this:
> https://en.wikipedia.org/wiki/Quoted-printable
> James
>