Hello Bro Community,
I’m having an issue with bro SMTP not parsing certain mail attributes like subject or attachment. The parsing worked correctly when utilizing HELO but after switching to EHLO, parsing is minimal for those attributes or not at all.
Thank you
Brett
Is it possible that during the processing of SMTP traffic, parsing is interrupted when certain conditions are met? For example, short-circuiting parsing logic after seeing “starttls”, as the traffic won’t be readable and parsing is not applicable?
Brett
All,
This is in relation to my other post “Support for SMTP chunking?” which originally I thought was due to switching to EHLO. That was not the case…
In summary:
“So after a long weekend of Bro, I believe I’ve confirmed that Bro does not currently support parsing BINARYMIME/CHUNKING style connections or formatting. I was able to write a small PoC script to print the MIME record to confirm the data is present but not being parsed by SMTP base. We’ve resolved this by disabling the BINARYMIME and CHUNKING SMTP verbs as advertised on the SMTP server, and the upstream SMTP server now connects using the traditional DATA command, resulting in Bro being able to parse that traffic.”
Brett
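To make concrete what the thread is describing (a DATA-only parser seeing nothing when the peers negotiate CHUNKING, and parsing that has to stop once STARTTLS succeeds), here is an added example of a minimal SMTP session reassembler. It is not Bro/Zeek code and not from this thread: it tracks the EHLO extension list, reassembles a message from either the classic DATA command or RFC 3030 BDAT chunks, and marks the session as unparseable after a STARTTLS 220. The three sessions, the hostnames, and the message body are all constructed here.

```python
"""Added example (not Bro/Zeek code, not from the thread): a tiny SMTP session
reassembler that handles DATA and RFC 3030 BDAT chunking and stops at STARTTLS.
Every session, hostname and message below is constructed for the example."""
from email import message_from_bytes
from email.policy import default as DEFAULT_POLICY


class SmtpSession:
    def __init__(self):
        self.extensions = set()   # keywords from the EHLO reply (CHUNKING, BINARYMIME, ...)
        self.messages = []        # EmailMessage objects recovered from this session
        self.encrypted = False    # set after "STARTTLS" -> 220; nothing after it is parseable
        self._mode = "command"    # "command" | "data" | "bdat"
        self._buf = b""           # unconsumed client bytes
        self._body = b""          # message bytes gathered so far
        self._bdat_left, self._bdat_last = 0, False
        self._last_cmd, self._ehlo_lines = "", 0

    def feed_server(self, data):
        if self.encrypted:
            return
        for line in data.split(b"\r\n"):
            code, rest = line[:3], line[4:]          # "250-KEYWORD" or "250 KEYWORD"
            if self._last_cmd == "EHLO" and code == b"250":
                self._ehlo_lines += 1
                if self._ehlo_lines > 1 and rest:    # the first 250 line is the greeting
                    self.extensions.add(rest.split()[0].upper().decode("ascii", "replace"))
            elif self._last_cmd == "STARTTLS" and code == b"220":
                self.encrypted = True                # TLS from here on: stop parsing

    def feed_client(self, data):
        if self.encrypted:
            return
        self._buf += data
        while self._buf:
            if self._mode == "command":
                end = self._buf.find(b"\r\n")
                if end < 0:
                    return
                line, self._buf = self._buf[:end], self._buf[end + 2:]
                self._command(line)
            elif self._mode == "data":
                # body ends at CRLF.CRLF; the CRLF prefix lets an empty body (".CRLF") match too
                end = (b"\r\n" + self._buf).find(b"\r\n.\r\n")
                if end < 0:
                    return
                raw, self._buf = self._buf[:end], self._buf[end + 3:]
                self._body += b"\r\n".join(l[1:] if l.startswith(b"..") else l
                                           for l in raw.split(b"\r\n"))   # dot-unstuffing
                self._mode = "command"
                self._finish()
            else:  # "bdat": consume exactly the announced octets; no terminator, no stuffing
                take, self._buf = self._buf[:self._bdat_left], self._buf[self._bdat_left:]
                self._body += take
                self._bdat_left -= len(take)
                if self._bdat_left:
                    return
                self._mode = "command"
                if self._bdat_last:
                    self._finish()

    def _command(self, line):
        parts = line.split()
        verb = parts[0].upper().decode("ascii", "replace") if parts else ""
        self._last_cmd = verb
        if verb == "EHLO":
            self.extensions, self._ehlo_lines = set(), 0
        elif verb == "MAIL":
            self._body = b""
        elif verb == "DATA":
            self._mode = "data"
        elif verb == "BDAT" and len(parts) > 1:
            self._bdat_left = int(parts[1])
            self._bdat_last = len(parts) > 2 and parts[2].upper() == b"LAST"
            self._mode = "bdat"

    def _finish(self):
        self.messages.append(message_from_bytes(self._body, policy=DEFAULT_POLICY))
        self._body = b""


def replay(turns):
    """Drive a session from a list of ("C"|"S", bytes) turns."""
    s = SmtpSession()
    for side, data in turns:
        (s.feed_client if side == "C" else s.feed_server)(data)
    return s


def summarize(session):
    return [{"subject": str(m["Subject"]),
             "attachments": [p.get_filename() for p in m.iter_attachments()]}
            for m in session.messages]


# Constructed message and sessions (hostnames and addresses are made up).
MSG = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
       b"Subject: Q3 report\r\nMIME-Version: 1.0\r\n"
       b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
       b"--b1\r\nContent-Type: text/plain\r\n\r\nReport attached.\r\n"
       b"--b1\r\nContent-Type: application/octet-stream\r\n"
       b'Content-Disposition: attachment; filename="report.bin"\r\n\r\n'
       b"BINARYDATA\r\n--b1--\r\n")
BANNER = [("S", b"220 mail.example.test ESMTP\r\n"), ("C", b"EHLO client.example.test\r\n")]
ENVELOPE = [("C", b"MAIL FROM:<alice@example.test>\r\n"), ("S", b"250 OK\r\n"),
            ("C", b"RCPT TO:<bob@example.test>\r\n"), ("S", b"250 OK\r\n")]
SESSION_DATA = BANNER + [("S", b"250-mail.example.test Hello\r\n250 8BITMIME\r\n")] + ENVELOPE + [
    ("C", b"DATA\r\n"), ("S", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("C", MSG + b".\r\n"), ("S", b"250 OK queued\r\n")]
C1, C2 = MSG[:40], MSG[40:]   # the same message sent as two BDAT chunks
SESSION_BDAT = BANNER + [("S", b"250-mail.example.test Hello\r\n250-CHUNKING\r\n"
                                b"250-BINARYMIME\r\n250 8BITMIME\r\n")] + ENVELOPE + [
    ("C", b"BDAT %d\r\n" % len(C1) + C1), ("S", b"250 %d octets received\r\n" % len(C1)),
    ("C", b"BDAT %d LAST\r\n" % len(C2) + C2), ("S", b"250 OK queued\r\n")]
SESSION_TLS = BANNER + [("S", b"250-mail.example.test Hello\r\n250 STARTTLS\r\n"),
    ("C", b"STARTTLS\r\n"), ("S", b"220 Go ahead\r\n"),
    ("C", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")]   # opaque TLS bytes (constructed)

if __name__ == "__main__":
    for name, turns in (("DATA", SESSION_DATA), ("BDAT", SESSION_BDAT), ("TLS", SESSION_TLS)):
        s = replay(turns)
        print(name, sorted(s.extensions), "encrypted" if s.encrypted else summarize(s))
```

The point of the two non-TLS sessions is that they carry byte-for-byte the same message, yet a parser that only enters its body state on DATA recovers nothing from the BDAT one; the `extensions` set is the cheap place to notice that a server is advertising CHUNKING or BINARYMIME, which is exactly the visibility gap the thread closed by turning those verbs off on the server. Once the STARTTLS 220 is seen the session is flagged and all further bytes are ignored rather than misparsed.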