Bro SMTP file extraction


Rodney Green

Jan 29, 2014, 11:33:01 AM
to securit...@googlegroups.com
Hello,

Has anyone gotten file extraction working for SMTP? I've tried adding the following in local.bro.

redef SMTP::extract_file_types += /application\/.*/;
redef SMTP::extraction_prefix = "/nsm/bro/extracted/smtp-item";

When I run sudo broctl check, I get the following errors.

   error in /opt/bro/share/bro/site/local.bro, line 90: "redef" used but not previously defined (SMTP::extract_file_types)
   error in /opt/bro/share/bro/site/local.bro, line 91: "redef" used but not previously defined (SMTP::extraction_prefix)

Any ideas?

Thanks,
Rod

Liam Randall

Jan 29, 2014, 12:45:39 PM
to securit...@googlegroups.com
On Bro 2.2 the syntax has changed. You no longer extract files by
protocol; there is a new protocol agnostic files framework.

Overview:
http://youtu.be/c4TDgJQeY0M

Exercises with script samples:
http://www.bro.org/bro-exchange-2013/exercises/faf.html

Rod

Jan 29, 2014, 1:35:27 PM
to securit...@googlegroups.com, li...@bro.org
Thanks, Liam. I'll check those resources out.

Magicvinodh kumar

Jun 12, 2014, 10:30:31 AM
to securit...@googlegroups.com
Hi

I could find

global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
["text/plain"] = "txt",

......

{
if ( ! f?$mime_type || f$mime_type != "application/x-dosexec" )
return;

I can get files only with the particular value "application/x-dosexec".

How can I get files whose type starts with application/*?

Any suggestions please.


Best Regards,
Vinodh Kumar Balaraman

Doug Burks

Jun 13, 2014, 7:21:50 AM
to securit...@googlegroups.com
Hi Vinodh,

How about something like this?

if ( ! f?$mime_type || /application/ !in f$mime_type )
return;



--
Doug Burks
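As an added example (not code posted by anyone in this thread), here is a Bro 2.2 files-framework script that reproduces what the original SMTP::extract_file_types redef was trying to do: extract only files carried over SMTP whose MIME type starts with application/. Field names (f$source, f$mime_type) follow Bro 2.2; the output directory is a placeholder.

```bro
# Added example: protocol-agnostic files framework, restricted to SMTP and
# to MIME types beginning with "application/". Not from the thread.
@load base/files/extract

# Where extracted files are written (replaces the old SMTP::extraction_prefix).
# Placeholder path; change to suit the sensor.
redef FileExtract::prefix = "/nsm/bro/extracted/";

# Map MIME types to a file extension; anything unlisted gets "bin".
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/pdf"]       = "pdf",
    ["application/zip"]       = "zip",
} &default = "bin";

event file_new(f: fa_file)
    {
    # The files framework sees files from every analyzer; keep only SMTP.
    if ( f$source != "SMTP" )
        return;

    # Skip files with no sniffed type, or whose type is not application/*.
    # The ^ anchor makes this a prefix match rather than a substring match.
    if ( ! f?$mime_type || /^application\// !in f$mime_type )
        return;

    # Name the output after the file id so it can be tied back to files.log.
    local fname = fmt("smtp-%s.%s", f$id, ext_map[f$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Drop the f$source check to extract application/* files from every protocol, which is the behaviour the 2.2 framework defaults to.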