[Bro] extract smtp objects

Seth Hall seth at icir.org
Tue Nov 1 07:31:35 PDT 2016


> On Oct 28, 2016, at 11:25 AM, erik clark <philosnef at gmail.com> wrote:
> 
> Sorry for the clutter. I did this a different way with extract from file analyzer. I will just script some glue with conn.log, smtp.log, and fuid. I had originally wanted to scrap the data out of the raw smtp message (and would still prefer to do that) with other tools entirely, so if someone has a way to do that, that would be fantastic. :)

You are hinting towards a design change that I've wanted to see for quite a while where the MIME analyzer would turn into a file analyzer and the MIME content carried over SMTP would be fed into the MIME file analyzer.  This would have the nice side effect of making it simple to extract the full MIME message through the normal file extraction channels.

Unfortunately this design change hasn't happened yet and isn't slated for the near term.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
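Erik's "glue" approach above (extract attachments with the file-extraction analyzer, then correlate them back to the message through the fuid) can be done with a short join over the logs. The following is an added example for this thread, not code from the mailing list or from the Bro project: it parses the tab-separated Bro log format, keys files.log on `fuid`, and walks the `fuids` vector of each smtp.log entry to attach sender, recipients and subject to each extracted file. The two log excerpts are constructed samples, and the column subset (including the `extracted` column of files.log) is an assumption about a Bro 2.x deployment's field layout.

```python
"""Correlate Bro smtp.log and files.log on the shared fuid.

Added example for the thread above; not part of Bro.  Log excerpts are
constructed samples with a reduced set of columns (assumed layout)."""
from typing import Dict, List, Optional

# Constructed smtp.log sample: two messages, the first with two attachments.
SMTP_LOG = (
    "#separator \\x09\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tmailfrom\trcptto\tsubject\tfuids\n"
    "#types\ttime\tstring\taddr\taddr\tstring\tset[string]\tstring\tvector[string]\n"
    "1477669500.123456\tCAbc1\t10.0.0.5\t192.0.2.25\talice@example.test"
    "\tbob@example.test\tInvoice\tFabc1,Fabc2\n"
    "1477669600.654321\tCdef2\t10.0.0.7\t192.0.2.25\tcarol@example.test"
    "\tdave@example.test,erin@example.test\tHello\t(empty)\n"
)

# Constructed files.log sample: the two SMTP parts plus an unrelated HTTP file.
FILES_LOG = (
    "#separator \\x09\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tfilename\textracted\n"
    "#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring\tstring\tstring\n"
    "1477669500.200000\tFabc1\t10.0.0.5\t192.0.2.25\tCAbc1\tSMTP\ttext/plain\t-\textract-SMTP-Fabc1\n"
    "1477669500.300000\tFabc2\t10.0.0.5\t192.0.2.25\tCAbc1\tSMTP\tapplication/zip\tinvoice.zip\textract-SMTP-Fabc2\n"
    "1477669700.000000\tFzzz9\t10.0.0.9\t198.51.100.8\tCxyz3\tHTTP\timage/png\tlogo.png\t-\n"
)

UNSET = "-"
EMPTY = "(empty)"


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse the tab-separated Bro log format into one dict per record.

    Only the '#fields' header line is used; '#separator', '#types' and the
    other metadata lines are skipped.  A column-count mismatch raises, since
    silently misaligned columns would attribute a file to the wrong message."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError(f"column count mismatch in line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def split_multi(value: str) -> List[str]:
    """Expand a set[...] / vector[...] column; unset and empty both give []."""
    if value in (UNSET, EMPTY, ""):
        return []
    return value.split(",")


def scalar(value: str) -> Optional[str]:
    """Map Bro's unset marker to None so callers can test it directly."""
    return None if value == UNSET else value


def join_smtp_files(smtp_text: str, files_text: str) -> List[Dict[str, object]]:
    """One row per (message, attachment fuid), enriched from files.log.

    A fuid listed by smtp.log but absent from files.log (e.g. the file log was
    rotated separately) still yields a row, with the file columns set to None,
    so the gap is visible rather than dropped."""
    files_by_fuid = {rec["fuid"]: rec for rec in parse_bro_log(files_text)}
    rows: List[Dict[str, object]] = []
    for msg in parse_bro_log(smtp_text):
        for fuid in split_multi(msg["fuids"]):
            f = files_by_fuid.get(fuid)
            rows.append({
                "uid": msg["uid"],
                "fuid": fuid,
                "mailfrom": msg["mailfrom"],
                "rcptto": split_multi(msg["rcptto"]),
                "subject": msg["subject"],
                "mime_type": scalar(f["mime_type"]) if f else None,
                "filename": scalar(f["filename"]) if f else None,
                "extracted": scalar(f["extracted"]) if f else None,
            })
    return rows


if __name__ == "__main__":
    for row in join_smtp_files(SMTP_LOG, FILES_LOG):
        print(f"{row['uid']} {row['fuid']} from={row['mailfrom']} "
              f"to={','.join(row['rcptto'])} subject={row['subject']!r} "
              f"type={row['mime_type']} name={row['filename']} "
              f"extracted={row['extracted']}")
```

Run it against real logs by reading smtp.log and files.log from disk and passing their contents in; the `extracted` column gives the on-disk name the file-extraction analyzer wrote, which is what ties the carved attachment back to the sender and subject for triage.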



