[Bro] bro SMTP failing to parse attributes (subject, attachment) with EHLO

Gross, Brett gross.b at ghc.org
Mon May 16 11:32:55 PDT 2016


All,

This is in relation to my other post "Support for SMTP chunking?" which originally I thought was due to switching to EHLO. That was not the case...

In summary:
"So after a long weekend of Bro, I believe I've confirmed that Bro does not currently support parsing BINARYMIME/CHUNKING style connections or formatting. I was able to write a small PoC script to print the MIME record to confirm the data is present but not being parsed by SMTP base. We've resolved this by disabling the BINARYMIME and CHUNKING SMTP verbs as advertised on the SMTP server and the upstream SMTP server now connects using the traditional DATA command resulting in Bro being able to parse that traffic."


Brett
From: Gross, Brett
Sent: Friday, May 13, 2016 5:33 PM
To: 'bro at bro.org'
Subject: RE: bro SMTP failing to parse attributes (subject, attachment) with EHLO

Is it possible that during the processing of SMTP traffic that parsing is interrupted when certain conditions are met? For example, short circuit parsing logic after seeing "starttls" as the traffic won't be readable and parsing is not applicable?

Brett

From: Gross, Brett
Sent: Friday, May 13, 2016 12:50 PM
To: 'bro at bro.org'
Subject: bro SMTP failing to parse attributes (subject, attachment) with EHLO

Hello Bro Community,

I'm having an issue with bro SMTP not parsing certain mail attributes like subject or attachment. The parsing worked correctly when utilizing HELO but after switching to EHLO, parsing is minimal for those attributes or not at all.


Thank you
Brett
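
The two transfer modes discussed in this thread, as an added example (not code from the post or from Bro): a Python sketch that reassembles a message from the client side of an SMTP session sent with either DATA (RFC 5321) or BDAT (RFC 3030 CHUNKING), and reports whether a server's EHLO reply offers the keywords that were disabled here. The function names and the session bytes are constructed for illustration.

```python
import email

def binary_transfer_offered(server_stream: bytes) -> set:
    """EHLO keywords in the server's 250 lines that enable BDAT transfer."""
    kws = {l[4:].split(b" ", 1)[0].upper()
           for l in server_stream.split(b"\r\n") if l[:3] == b"250"}
    return {k.decode() for k in kws & {b"CHUNKING", b"BINARYMIME"}}

def extract_messages(client_stream: bytes) -> list:
    """Return [(method, raw_message)] from the client side of one session."""
    out, chunks, pos = [], [], 0
    while True:
        eol = client_stream.find(b"\r\n", pos)
        if eol < 0:
            return out                      # no complete command line left
        args, pos = client_stream[pos:eol].split(), eol + 2
        verb = args[0].upper() if args else b""
        if verb == b"DATA":
            # Body ends at CRLF "." CRLF. Search from the CRLF that ended the
            # DATA line so an empty body is found as well.
            end = client_stream.find(b"\r\n.\r\n", pos - 2)
            if end < 0:
                return out                  # truncated capture
            raw = client_stream[pos - 2:end + 2].replace(b"\r\n..", b"\r\n.")
            out.append(("DATA", raw[2:]))   # dot-unstuffed, leading CRLF cut
            pos = end + 5
        elif verb == b"BDAT" and len(args) > 1 and args[1].isdigit():
            # Exactly <size> raw octets follow: no dot-stuffing and no
            # terminating "." line, so a DATA-only parser never sees a body.
            size = int(args[1])
            chunks.append(client_stream[pos:pos + size])
            pos += size
            if len(args) > 2 and args[2].upper() == b"LAST":
                out.append(("BDAT", b"".join(chunks)))
                chunks = []

def subject(raw: bytes):
    return email.message_from_bytes(raw)["Subject"]

# Constructed sample data (not taken from the thread).
MSG = b"Subject: quarterly report\r\n\r\n.hidden line\r\nbody\r\n"
HEAD = b"EHLO relay.example\r\nMAIL FROM:<a@example.org>\r\nRCPT TO:<b@example.org>\r\n"
DATA_SESSION = HEAD + b"DATA\r\n" + MSG.replace(b"\r\n.", b"\r\n..") + b".\r\nQUIT\r\n"
BDAT_SESSION = (HEAD + b"BDAT 20\r\n" + MSG[:20]
                + b"BDAT %d LAST\r\n" % len(MSG[20:]) + MSG[20:] + b"QUIT\r\n")
SERVER_EHLO = b"250-mx.example Hello\r\n250-CHUNKING\r\n250-BINARYMIME\r\n250 8BITMIME\r\n"
```

Both sessions carry the same message, but only the DATA form ends with a lone "." line; a monitor that keys on DATA alone logs the envelope and nothing from the headers of the BDAT session.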
