Extract files from SMTP

Derek_Banks · November 7, 2013, 1:01pm

Hello All,

I’ve been using bro now for a good few months and I still feel like a complete noob. I need to extract out mime types in smtp traffic - I am looking to extract docx files from our last few weeks of pcaps to then go check for embedded TIFF files (latest 0 day out on MS apps). Time is not on my side at the moment - management is bothered about this one for some reason.

I am running from git master and cannot seem to figure out how the new file handling works. Has anyone done something like this recently after the file handling change and would be willing to share?

Once I get the docx files extracted my intent was to use yara to look for tiffs then foremost to carve any out.

Regards,

Derek

Liam_Randall2 · November 7, 2013, 2:00pm

Hey Derek,

Attached is a script to dump “All files” out to disk; you would want to modify that and check to see if they are “SMTP” first.

The documentation here should have enough examples to get you started:

http://www.bro.org/sphinx-git/frameworks/file-analysis.html

Hope all is well buddy.

Thanks,

Liam Randall

extract-all-files.bro (83 Bytes)

Topic		Replies	Views
SMTP attachments and files from other ports/protocols Zeek	1	82	May 6, 2022
surgical file extraction Zeek	8	98	May 6, 2022
Capturing SMTP MIME message content Zeek	1	135	May 6, 2022
Bro - File Extraction Zeek	2	74	May 6, 2022
Extracting files transferred over smb Zeek	2	66	May 6, 2022

Extract files from SMTP

Related Topics