[Bro] Significant slow for smtp traffic

Seth Hall seth at corelight.com
Wed Mar 22 06:28:51 PDT 2017


> On Mar 22, 2017, at 7:48 AM, duhang <darkheaven1983 at gmail.com> wrote:
> 
> Just found out that it is the event smtp_data which causes the slowness. What's the suggested event to capture the SMTP body and save it as an eml file?

Using the file analysis framework is the best way.  Are you just trying to save the box from any body transferred over SMTP or is there some particular things you’re looking for?  Regardless, the event you’ll want to use is probably file_sniff.  Something like this...

# file_sniff fires once the beginning of a file has been seen and its
# MIME type sniffed; an analyzer attached here still receives the whole file.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Only act on files carried over SMTP (MIME entities of a message).
	if ( f$source == "SMTP" )
		{
		# Attach the extraction analyzer; the file is written under
		# FileExtract::prefix and the name is recorded in files.log.
		Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
		}
	}


  .Seth

--
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
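A fuller version of the file_sniff approach from the reply above, added here as an editorial example (it is not code from the original post or from the Bro project). It restricts extraction to SMTP-sourced files, gives each extracted file a name that carries the file id and sniffed MIME type, and caps the extracted size so a large attachment cannot fill the disk. The output directory and the 50 MiB limit are illustrative choices, and the module name SmtpExtract is hypothetical. One caveat worth knowing before calling the result an .eml: the file framework hands over each decoded MIME entity as its own file, without the message headers, so what lands on disk is the entity body, not a complete RFC 822 message.

```bro
# Added example, not from the original post.  Bro 2.5-era script syntax.
@load base/files/extract

module SmtpExtract;

# Directory for extracted bodies (illustrative; relative to the Bro
# process's working directory unless absolute).
redef FileExtract::prefix = "./extract_smtp/";

export {
	# Illustrative cap on bytes written per file, so one oversized
	# attachment cannot exhaust disk space.
	const size_limit: count = 50 * 1024 * 1024 &redef;
}

# file_sniff is raised once the start of a file has been buffered and its
# MIME type sniffed; an extract analyzer attached here still gets the
# buffered beginning, so the whole entity is written out.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Ignore files seen over HTTP, FTP, etc.; only SMTP MIME entities.
	if ( f$source != "SMTP" )
		return;

	# mime_type is optional in fa_metadata; sniffing can fail.
	local mime = meta?$mime_type ? meta$mime_type : "unknown";

	# One file per MIME entity.  The file id is unique per file; the
	# MIME type is kept in the name to ease triage later.
	local fname = fmt("smtp-%s-%s", f$id, gsub(mime, /\//, "_"));

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname,
	                     $extract_size_limit=size_limit]);
	}
```

Load it with `bro -r mail.pcap smtp_extract.bro` (or add it to local.bro) and the extracted entities appear under `./extract_smtp/`; files.log records the extracted name per file, and the same row carries the fuid that links back to smtp.log via its fuids field if the message headers are needed to rebuild a full .eml.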