[Bro] Bro 2.4.1 and issue with smtp-embedded-url-bloom.bro

Aashish Sharma asharma at lbl.gov
Thu Mar 31 14:10:26 PDT 2016


Ah! I see the entries in reporter.log  

I have uploaded a revised version. This should fix the issue. 

Please try this 

https://github.com/initconf/smtp-analysis/blob/master/smtp-embedded-url-cluster.bro

Also note: 

SMTP_Link_in_EMAIL_Clicked will only partially work in the cluster setup with this policy. 

I have a clusterized version of this policy but I am not entirely satisfied with it. It syncs extracted URLs across the nodes so it checks against all HTTP traffic rather than just the node which saw the smtp connection. However, there are a few corner cases I need to address. 

Aashish 

On Thu, Mar 31, 2016 at 02:43:32PM -0600, James Lay wrote:
> Unfortunately I get this when running the latest version:
> 
> 1459456959.248537 expression error in
> /usr/local/bro/share/bro/site/smtp-embedded-url-bloom.bro, line 156:
> field value missing [SMTPurl::c$smtp$from]
> 
> Thank you.
> 
> James
> 
> On 2016-03-30 18:05, Aashish Sharma wrote:
> >Hello James,
> >
> >Yes, that was caused in a very early version of the script because
> >of using
> >
> >You should try this:
> >
> >- event mime_segment_data(c: connection, length: count, data: string)
> >&priority=-5
> >+ event mime_all_data(c: connection, length: count, data: string)
> >&priority=-5
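Review bot: the swap to mime_all_data needs a comment in the script explaining why, otherwise the per-segment handler is easy to reintroduce. mime_segment_data is raised once per chunk of entity data, so a URL that straddles a chunk boundary is handed to the extractor in two pieces and only the first fragment (the "http://award" seen in the log) matches; mime_all_data is raised once per MIME entity with the complete content, which is what a URL regex needs. Suggest a one-line comment above the handler, e.g. "mime_all_data: whole entity at once, so URLs are never split across segments".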
> >
> >
> >Or try this policy:
> >
> >https://github.com/initconf/smtp-analysis/blob/master/smtp-embedded-url-bloom.bro
> >
> >Aashish
> >
> >
> >
> >
> >On Wed, Mar 30, 2016 at 05:54:37PM -0600, James Lay wrote:
> >>
> >>   On Wed, 2016-03-30 at 15:04 +0000, Stephen Castellarin wrote:
> >>
> >>     Hi all,
> >>
> >>     I've set up a Bro instance to test out URL extraction from SMTP, using the
> >>     smtp-embedded-url-bloom.bro scripts. For the most part the extract/logging
> >>     is working, but many times I'll find that the host and url logged will be
> >>     truncated. As an example I'd see one email listed that has 20 links
> >>     extracted, but one log entry would have host name as "award" with the url
> >>     as "http://award". The remaining URLs for that email look to be extracted
> >>     correctly.
> >>
> >>     Has anyone else noticed this issue?
> >>     Thanks,
> >>
> >>     Steve
> >>
> >>_______________________________________________
> >>Bro mailing list
> >>[1]bro at bro-ids.org
> >>[2]http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >>   Yep...I suspect emails that are quoted-printable emails fall
> >>victim to this:
> >>   [3]https://en.wikipedia.org/wiki/Quoted-printable
> >>   James
> >>
> >>References
> >>
> >>   1. mailto:bro at bro-ids.org
> >>   2. http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>   3. https://en.wikipedia.org/wiki/Quoted-printable

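The truncation Steve reports and James's quoted-printable hypothesis can be reproduced outside Bro. The following Python script is an added example, not code from the thread or from the initconf/smtp-analysis project: it builds a constructed quoted-printable message whose URL is split by a soft line break ("=" at end of line), then extracts URLs two ways. The naive extractor runs a regex over the encoded body one line at a time, emulating a per-segment extractor, and yields the truncated "http://award"; the second extractor lets the standard library decode the Content-Transfer-Encoding first and recovers the whole URL. The sample message, the regex and both function names are assumptions made for the example.

```python
import re
from email import message_from_string
from typing import List

# Constructed sample message (not from the thread). The first URL is broken by a
# quoted-printable soft line break: "=" at end of line continues the same token
# on the next line, and "=3D" is the encoded form of a literal "=".
SAMPLE_EMAIL = """\
From: sender@example.com
To: recipient@example.com
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Congratulations, claim your prize at http://award=
.example.com/claim?id=3D42 before it expires.
Also see http://www.example.org/info for details.
"""

# Deliberately simple URL pattern: scheme, then everything up to whitespace or
# a quote/angle bracket. Real extractors are stricter, but the failure mode is
# the same: the match cannot continue past the line break.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _raw_body(raw_message: str) -> str:
    """Return the body part of an RFC 822 message without decoding anything."""
    return raw_message.split("\n\n", 1)[1]


def extract_urls_naive(raw_message: str) -> List[str]:
    """Emulate a per-segment extractor: regex over the still-encoded body, one
    line at a time. A trailing "=" is the soft-break marker, not URL text, so it
    is stripped; what remains is the truncated host seen in the thread."""
    urls = []
    for line in _raw_body(raw_message).splitlines():
        urls.extend(u.rstrip("=") for u in URL_RE.findall(line))
    return urls


def extract_urls_decoded(raw_message: str) -> List[str]:
    """Parse the MIME structure and decode each text part's transfer encoding
    (quoted-printable here) before running the URL regex over the full text."""
    msg = message_from_string(raw_message)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes QP / base64
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(URL_RE.findall(text))
    return urls


if __name__ == "__main__":
    print("naive  :", extract_urls_naive(SAMPLE_EMAIL))
    print("decoded:", extract_urls_decoded(SAMPLE_EMAIL))
```

The decoded variant is the behaviour a detection script wants: an IOC match or bloom-filter lookup on "http://award" will never fire for the real host, so any extractor that works on encoded or segmented data silently loses exactly the URLs that wrap, which for long tracking links is most of them.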
