[Bro] Bro 2.4.1 and issue with smtp-embedded-url-bloom.bro
James Lay
jlay at slave-tothe-box.net
Thu Mar 31 05:11:29 PDT 2016
Thank you Aashish...that's awesome!
James
On Wed, 2016-03-30 at 17:05 -0700, Aashish Sharma wrote:
> Hello James,
>
> Yes, that was caused in a very early version of the script because of using
>
> You should try this:
>
> - event mime_segment_data(c: connection, length: count, data: string) &priority=-5
> + event mime_all_data(c: connection, length: count, data: string) &priority=-5
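Review bot: the swap to `mime_all_data` addresses the split URL Steve reports (host "award", url "http://award") because the handler now receives an entity's body as one `data` string instead of in successive chunks, so a URL can no longer be cut where one chunk ends and the next begins; the trade-off is that the entity must be held until it is complete before the event fires, so it is worth confirming memory stays acceptable on large attachments. Since this is a one-line change of the event name with the handler body and `&priority=-5` left as they are, a short comment in the script saying why `mime_segment_data` was dropped would keep the old event from being reintroduced later.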
>
>
> Or try this policy:
>
> https://github.com/initconf/smtp-analysis/blob/master/smtp-embedded-url-bloom.bro
>
> Aashish
>
>
>
>
> On Wed, Mar 30, 2016 at 05:54:37PM -0600, James Lay wrote:
> >
> > On Wed, 2016-03-30 at 15:04 +0000, Stephen Castellarin wrote:
> >
> > Hi all,
> >
> > I've set up a Bro instance to test out URL extraction from SMTP, using the
> > smtp-embedded-url-bloom.bro scripts. For the most part the
> > extract/logging is working, but many times I'll find that the host and url
> > logged will be truncated. As an example I'd see one email listed that has
> > 20 links extracted, but one log entry would have host name as "award" with
> > the url as "http://award". The remaining URLs for that email look to be
> > extracted correctly.
> >
> > Has anyone else noticed this issue?
> > Thanks,
> >
> > Steve
> >
> > _______________________________________________
> > Bro mailing list
> > [1]bro at bro-ids.org
> > [2]http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> > Yep...I suspect emails that are quoted-printable fall victim to this:
> > [3]https://en.wikipedia.org/wiki/Quoted-printable
> > James
> >
> > References
> >
> > 1. mailto:bro at bro-ids.org
> > 2. http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> > 3. https://en.wikipedia.org/wiki/Quoted-printable
>
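To put the two failure modes discussed in this thread side by side, here is a small stand-alone Python model, added to this archive page; it is not Bro code and not part of the smtp-embedded-url-bloom.bro script. It constructs a quoted-printable SMTP body in which one URL is wrapped by a QP soft line break, then runs the same URL regex three ways: on the raw undecoded bytes, on each fixed-size chunk of the decoded body in isolation (how a per-segment handler sees the data), and on the whole decoded body in one pass (how a whole-entity handler sees it). The sample text, the 49-byte chunk size and the regex are constructed for the demonstration.

```python
import quopri
import re

# Constructed sample (not from the thread): a quoted-printable text/plain body.
# "=3D" encodes "=", and a bare "=" at end of line is a QP soft line break that
# wraps the first URL across two physical lines.
SAMPLE_QP = (
    b"Congratulations, claim your prize at "
    b"http://award.example.test/claim?id=3D12=\r\n"
    b"345 now.\r\n"
    b"More info: http://info.example.test/page\r\n"
)

# Full URLs we expect once the body is decoded and scanned as a whole.
AWARD_URL = b"http://award.example.test/claim?id=12345"
INFO_URL = b"http://info.example.test/page"

# Simple URL matcher: scheme, host, then an optional path running up to
# whitespace or a quote/angle bracket.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")


def extract_urls(data: bytes) -> list:
    """Return every URL match in the given bytes, in order."""
    return URL_RE.findall(data)


def decode_qp(data: bytes) -> bytes:
    """Undo quoted-printable encoding, which also joins soft line breaks."""
    return quopri.decodestring(data)


def extract_per_segment(data: bytes, segment_size: int) -> list:
    """Model a per-chunk handler: scan each fixed-size chunk in isolation.

    A URL that straddles a chunk boundary is matched only up to the boundary,
    or missed entirely if the 'http://' prefix itself is split.
    """
    found = []
    for start in range(0, len(data), segment_size):
        found.extend(extract_urls(data[start:start + segment_size]))
    return found


def extract_whole(data: bytes) -> list:
    """Model a whole-entity handler: scan the complete body in one pass."""
    return extract_urls(data)


def demo() -> dict:
    """Run all three strategies on the sample and return their results."""
    decoded = decode_qp(SAMPLE_QP)
    return {
        # Matching before QP decoding keeps the "=3D" artifact and stops at
        # the soft line break, so the first URL comes back mangled.
        "raw": extract_whole(SAMPLE_QP),
        # 49 bytes is chosen so the first chunk ends right after "http://award",
        # reproducing the truncated host/url pair from the report.
        "per_segment": extract_per_segment(decoded, 49),
        # The whole decoded body yields both URLs intact.
        "whole": extract_whole(decoded),
    }


if __name__ == "__main__":
    for name, urls in demo().items():
        print(f"{name:12s} {[u.decode() for u in urls]}")
```

Running it prints the raw scan with `id=3D12=` still in the first URL, the per-segment scan with only `http://award`, and the whole-body scan with both full URLs; the same chunk-size sensitivity is what makes a per-segment handler unreliable for anything that can span a boundary.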