[Bro] Bro 2.4.1 and issue with smtp-embedded-url-bloom.bro
James Lay
jlay at slave-tothe-box.net
Thu Mar 31 13:43:32 PDT 2016
Unfortunately I get this when running the latest version:
1459456959.248537 expression error in
/usr/local/bro/share/bro/site/smtp-embedded-url-bloom.bro, line 156:
field value missing [SMTPurl::c$smtp$from]
Thank you.
James
On 2016-03-30 18:05, Aashish Sharma wrote:
> Hello James,
>
> Yes, that was caused in a very early version of the script because of
> using
>
> You should try this:
>
> - event mime_segment_data(c: connection, length: count, data: string)
> &priority=-5
> + event mime_all_data(c: connection, length: count, data: string)
> &priority=-5
>
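Review bot: the `+` line swaps in `mime_all_data` with the same `(c, length, data)` signature and `&priority=-5`, but nothing records why. Add a comment above the handler saying that `data` is now the whole decoded message rather than one segment, which is presumably what stops a URL being cut where a segment ends (the "http://award" entries reported further down this thread). Since `length` and `data` no longer describe a single chunk, the handler body should be rechecked for per-segment assumptions, and Bro has to buffer the full message to raise this event, so memory use on large mails is worth watching.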
>
> Or try this policy:
>
> https://github.com/initconf/smtp-analysis/blob/master/smtp-embedded-url-bloom.bro
>
> Aashish
>
>
>
>
> On Wed, Mar 30, 2016 at 05:54:37PM -0600, James Lay wrote:
>>
>> On Wed, 2016-03-30 at 15:04 +0000, Stephen Castellarin wrote:
>>
>> Hi all,
>>
>> I've set up a Bro instance to test out URL extraction from SMTP, using the
>> smtp-embedded-url-bloom.bro scripts. For the most part the
>> extract/logging is working, but many times I'll find that the host and url
>> logged will be truncated. As an example I'd see one email listed that has
>> 20 links extracted, but one log entry would have host name as "award" with
>> the url as "http://award". The remaining URLs for that email look to be
>> extracted correctly.
>>
>> Has anyone else noticed this issue?
>> Thanks,
>>
>> Steve
>>
>> _______________________________________________
>> Bro mailing list
>> [1]bro at bro-ids.org
>> [2]http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>> Yep...I suspect emails that are quoted-printable emails fall victim
>> to this:
>> [3]https://en.wikipedia.org/wiki/Quoted-printable
>> James
>>
>> References
>>
>> 1. mailto:bro at bro-ids.org
>> 2. http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 3. https://en.wikipedia.org/wiki/Quoted-printable
>