Hello all,
I tried to do file analysis over the POP3 protocol via the file analysis framework.
Following https://docs.zeek.org/en/lts/frameworks/file-analysis.html, I first tested whether it can trigger the events file_sniff and file_hash; the script is simply copied from the doc (https://docs.zeek.org/en/lts/frameworks/file-analysis.html#id2) as:
    # Fires once the framework has sniffed a file's MIME type.
    event file_sniff(f: fa_file, meta: fa_metadata)
        {
        if ( ! meta?$mime_type )
            return;

        print "new file", f$id;

        # Only plain-text files get an MD5 analyzer attached.
        if ( meta$mime_type == "text/plain" )
            Files::add_analyzer(f, Files::ANALYZER_MD5);
        }

    # Fires when an attached hash analyzer finishes.
    event file_hash(f: fa_file, kind: string, hash: string)
        {
        print "file_hash", f$id, kind, hash;
        }
I tested the above script on https://try.zeek.org/ with a test POP3 pcap file from https://github.com/luguifang/protocol-pcap/blob/master/pop3-attachment-didi.pcap. The pcap file contains a PDF file attachment.
However, when I ran the script on the pcap file, the result shows it didn't detect any files; the files and active files of the stat.log are both 0. It seems to me that the events didn't trigger at all.
But if I try the same script with some other pcap files (for example, https://try.zeek.org/ also provides an http.pcap for exercise), the script outputs are as expected.
So I wonder whether I did something wrong, or whether the FA framework currently doesn't support analyzing over POP3 at all?
The Zeek I tested is the LTS 4.0.0 version; thanks for your help!
Sincerely,
Maofei Chen
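A diagnostic script that can be run beside the snippet above, added here as an example and not taken from the original post or the Zeek docs; it assumes the Zeek 4.0 event names protocol_confirmation, file_new, file_sniff and file_hash. It records which protocol analyzers confirmed on the pcap, counts files per source, and hashes every file arriving over POP3 or SMTP regardless of MIME type (the doc snippet only hashes text/plain, so a PDF attachment would never reach file_hash even when it is detected).

```zeek
# Added diagnostic script (not from the original post). Run as:
#   zeek -C -r pop3-attachment-didi.pcap diag.zeek
# -C (or the redef below) makes Zeek ignore bad TCP checksums, a common
# reason a pcap yields no reassembled payload and therefore no files.
redef ignore_checksums = T;

global analyzers_seen: set[string];                    # e.g. "POP3", "HTTP"
global files_per_source: table[string] of count &default = 0;

# Fires when an analyzer positively identifies the protocol on a connection.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
	{
	add analyzers_seen[Analyzer::name(atype)];
	}

# Every file the framework creates, before any MIME sniffing happens.
event file_new(f: fa_file)
	{
	++files_per_source[f$source];
	print fmt("file_new %s source=%s", f$id, f$source);
	}

# Hash mail attachments whatever their MIME type.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	local mt = meta?$mime_type ? meta$mime_type : "<unknown>";
	print fmt("file_sniff %s mime=%s", f$id, mt);
	if ( f$source == "POP3" || f$source == "SMTP" )
		Files::add_analyzer(f, Files::ANALYZER_SHA256);
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	print fmt("file_hash %s %s %s", f$id, kind, hash);
	}

# Summary at the end of the pcap: if "POP3" is missing from the confirmed
# analyzers, the file framework never had a chance to see the message; if
# it is present but no POP3 files appear, look at the MIME decoding instead.
event zeek_done()
	{
	print fmt("analyzers confirmed: %s", analyzers_seen);
	for ( src, n in files_per_source )
		print fmt("files from %s: %d", src, n);
	}
```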