[Bro] Bro 2.4.1 and issue with smtp-embedded-url-bloom.bro

James Lay jlay at slave-tothe-box.net
Thu Mar 31 05:11:29 PDT 2016


Thank you Aashish...that's awesome!

James

On Wed, 2016-03-30 at 17:05 -0700, Aashish Sharma wrote:

> Hello James, 
> 
> Yes, that was caused in a very early version of the script because of using 
> 
> You should try this:
> 
> - event mime_segment_data(c: connection, length: count, data: string) &priority=-5
> + event mime_all_data(c: connection, length: count, data: string) &priority=-5
> 
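Review bot: with the handler moved from `mime_segment_data` to `mime_all_data`, the `data` argument carries the entire MIME entity in a single call instead of an arbitrary-length chunk, so a URL that happened to straddle a chunk boundary can no longer be matched as two fragments (the "http://award" symptom); the handler body should therefore drop any per-chunk bookkeeping it kept, and because the whole entity is now buffered before the event fires, behaviour on large attachments should be checked before rolling this out.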
> 
> Or try this policy: 
> 
> https://github.com/initconf/smtp-analysis/blob/master/smtp-embedded-url-bloom.bro
> 
> Aashish 
> 
> 
> 
> 
> On Wed, Mar 30, 2016 at 05:54:37PM -0600, James Lay wrote:
> > 
> >    On Wed, 2016-03-30 at 15:04 +0000, Stephen Castellarin wrote:
> > 
> >      Hi all,
> > 
> >      I've set up a Bro instance to test out URL extraction from SMTP, using the
> >      smtp-embedded-url-bloom.bro scripts. For the most part the
> >      extract/logging is working, but many times I'll find that the host and url
> >      logged will be truncated.  As an example I'd see one email listed that has
> >      20 links extracted, but one log entry would have host name as "award" with
> >      the url as "http://award".  The remaining URLs for that email look to be
> >      extracted correctly.
> > 
> >      Has anyone else noticed this issue?
> >      Thanks,
> > 
> >      Steve
> > 
> > _______________________________________________
> > Bro mailing list
> > [1]bro at bro-ids.org
> > [2]http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> > 
> >    Yep...I suspect emails that are quoted-printable emails fall victim to this:
> >    [3]https://en.wikipedia.org/wiki/Quoted-printable
> >    James
> > 
> > References
> > 
> >    1. mailto:bro at bro-ids.org
> >    2. http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >    3. https://en.wikipedia.org/wiki/Quoted-printable
> 
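The two explanations in the thread (URL extraction running per MIME segment, and quoted-printable soft line breaks) can be reproduced side by side. The script below is an added example, not code from this thread or from the smtp-analysis project: the mail body, the URL regex and the segment size are constructed, and plain Python functions stand in for the `mime_segment_data` / `mime_all_data` handlers.

```python
"""Added example: why chunk-wise URL extraction truncates URLs in
quoted-printable mail bodies, and how decoding the whole entity first
avoids both failure modes. Python stands in for the Bro event handlers."""
import quopri
import re

# Constructed sample: a quoted-printable body where the MTA's 76-column
# soft line break ("=\r\n") lands in the middle of a URL, and the "=" in
# the query string is QP-encoded as "=3D".
QP_BODY = (
    b"Congratulations! Claim your prize at http://award=\r\n"
    b".example.test/claim?id=3D42 before Friday.\r\n"
)

# Simple scheme://... matcher; stops at whitespace and quoting characters.
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def decode_entity(body: bytes) -> bytes:
    """Undo the quoted-printable Content-Transfer-Encoding."""
    return quopri.decodestring(body)


def extract_per_segment(body: bytes, segment_len: int) -> list[bytes]:
    """Mimic a mime_segment_data handler: run the regex over each chunk
    on its own, with no state carried across chunk boundaries."""
    urls: list[bytes] = []
    for off in range(0, len(body), segment_len):
        urls.extend(URL_RE.findall(body[off:off + segment_len]))
    return urls


def extract_raw_entity(body: bytes) -> list[bytes]:
    """Whole entity, but without transfer-decoding: the soft break still
    splits the URL, and the '=' marker sticks to the first half."""
    return URL_RE.findall(body)


def extract_decoded_entity(body: bytes) -> list[bytes]:
    """Mimic a mime_all_data handler that first undoes the transfer
    encoding, so soft breaks and =XX escapes vanish before matching."""
    return URL_RE.findall(decode_entity(body))


def host_of(url: bytes) -> bytes:
    """Host part as the script's log would show it (authority before '/')."""
    return url.split(b"://", 1)[1].split(b"/", 1)[0]


if __name__ == "__main__":
    decoded = decode_entity(QP_BODY)
    # Choose a segment boundary that falls right after "http://award".
    cut = decoded.index(b"http://award") + len(b"http://award")
    print("per-segment, decoded body:", extract_per_segment(decoded, cut))
    print("whole raw QP body:        ", extract_raw_entity(QP_BODY))
    print("whole decoded body:       ", extract_decoded_entity(QP_BODY))
    print("host logged:", host_of(extract_decoded_entity(QP_BODY)[0]))
```

Run as-is, the per-segment extractor reports only `http://award` (host `award`), the undecoded whole-body pass reports `http://award=` with the soft-break marker attached, and only the decode-then-match pass over the complete entity yields `http://award.example.test/claim?id=42`. Moving to `mime_all_data` removes the segment-boundary case; the transfer-encoding case additionally needs the body decoded before the regex runs.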


