[Bro] EML file extraction

Brian OBerry brian.oberry at bluvector.io
Tue Jun 26 07:45:11 PDT 2018


Hello,

I don’t see a way to extract an EML file using the current smtp and mime protocol analyzers.  Past queries on the mail lists don’t seem to be resolved.  The smtp analyzer supports file analysis through the mime analyzer, which presents decoded content.  Has anyone already found a way to extract the entire un-decoded SMTP DATA message text?

I wrote a prototype script module with an smtp_data event handler that creates a “<c$uid>.<c$smtp_state$messages_transferred>.eml” file for each message, using the open/write_file/close functions.  The file contents look like what’s needed, except that the crlf line terminators are removed.  I don’t know if that’s a side-effect of using the file functions, or if they’re removed by the smtp analyzer.  I played with the enable_raw_output() function and the &raw_output attribute to no avail, so I suspect the latter.

I haven’t gone further than that because I’m heading towards developing a plugin to get this capability.  I haven’t settled on how best to do that, so any suggestions will be much appreciated.  My initial thought is to extend class SMTP_Analyzer to add file analysis for the SMTP_IN_DATA state, unless someone points out a simpler/better approach.

I’d really like to contribute whatever comes out of this if it satisfies a general need.

Thanks,

Brian
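As an added illustration of the prototype approach described above (this is example code written here, not the poster's script or anything from the Bro project), the following Bro script module writes each SMTP DATA message to a `<c$uid>.<c$smtp_state$messages_transferred>.eml` file using `open`/`write_file`/`close`. It assumes, as the post suspects, that `smtp_data` delivers the message one line at a time with the CRLF already stripped by the analyzer, so the script re-appends `\r\n` itself. The module name `EMLExtract`, the `output_dir` constant and the `handles`/`current_key` tables are names chosen for this example.

```bro
# Example (not the poster's code): dump raw SMTP DATA to per-message .eml files.
# Assumes smtp_data is raised once per line with its CRLF terminator removed.

module EMLExtract;

export {
	## Directory that receives the .eml files (assumed to exist and be writable).
	const output_dir = "eml_out" &redef;
}

# One open file handle per connection uid, plus the message key it belongs to,
# so a new message on the same connection closes the previous file.
global handles: table[string] of file;
global current_key: table[string] of string;

function message_key(c: connection): string
	{
	# <uid>.<message index>, the naming scheme from the post.
	return fmt("%s.%d", c$uid, c$smtp_state$messages_transferred);
	}

event smtp_data(c: connection, is_orig: bool, data: string)
	{
	# c$smtp_state is only present once the base smtp script has seen the session.
	if ( ! c?$smtp_state )
		return;

	local key = message_key(c);

	# Message index advanced: close the file of the previous message.
	if ( c$uid in handles && current_key[c$uid] != key )
		{
		close(handles[c$uid]);
		delete handles[c$uid];
		delete current_key[c$uid];
		}

	if ( c$uid !in handles )
		{
		handles[c$uid] = open(fmt("%s/%s.eml", output_dir, key));
		current_key[c$uid] = key;
		}

	# Assumption: data is one line without its terminator; restore CRLF so the
	# output stays a valid RFC 5322 message for downstream .eml tooling.
	write_file(handles[c$uid], data + "\r\n");
	}

event connection_state_remove(c: connection)
	{
	# Flush the last message of the connection when Bro forgets the state.
	if ( c$uid in handles )
		{
		close(handles[c$uid]);
		delete handles[c$uid];
		delete current_key[c$uid];
		}
	}
```

Because the CRLF is restored per event rather than recovered from the wire, anything the analyzer does to the line beyond stripping the terminator (for example dot-unstuffing of leading "." characters, if it does that) would not be reversed by this script; checking the output against a pcap of a known message is the quickest way to confirm whether the result is byte-for-byte the original DATA text.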

