I’ve been using bro now for a good few months and I still feel like a complete noob. I need to extract out mime types in smtp traffic - I am looking to extract docx files from our last few weeks of pcaps to then go check for embedded TIFF files (latest 0 day out on MS apps). Time is not on my side at the moment - management is bothered about this one for some reason.
I am running from git master and cannot seem to figure out how the new file handling works. Has anyone done something like this recently after the file handling change and would be willing to share?
Once I get the docx files extracted, my intent was to use yara to look for TIFFs, then foremost to carve any out.
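For reference, the kind of script the post is asking about, written here as an added example rather than taken from the post or from the Bro project's own scripts. It uses the file analysis framework as documented for Bro 2.2 (`file_new`, `Files::add_analyzer`, `Files::ANALYZER_EXTRACT`, `FileExtract::prefix`, and the `source`/`mime_type` fields of `fa_file`); the script name, the output directory and the MIME type list are assumptions. Because a DOCX is a ZIP container, libmagic frequently reports it as plain `application/zip`, so the example keeps both types and leaves sorting the zips to a later step.

```bro
# extract_docx.bro (hypothetical name, added example; not the original poster's
# code and not a script shipped with Bro).
# Run against stored traffic with:  bro -r capture.pcap extract_docx.bro
# Assumes the Bro 2.2 file analysis API.

@load base/files/extract

# Directory where the extract analyzer writes files (assumed location, relative
# to the directory Bro is started in).
redef FileExtract::prefix = "./extract_files/";

# MIME types to keep. DOCX is an OOXML ZIP container, so libmagic often only
# sees "application/zip"; keep both and sort the zips out afterwards.
const docx_types: set[string] = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/zip",
} &redef;

# file_new fires once per file the framework starts tracking; f$source names
# the protocol analyzer that handed the file over ("SMTP" for mail bodies and
# attachments) and f$mime_type holds the libmagic result, when one was found.
event file_new(f: fa_file)
    {
    if ( f$source != "SMTP" )
        return;

    if ( ! f?$mime_type || f$mime_type !in docx_types )
        return;

    # Name the output after the source and the unique file id so two
    # attachments in the same capture never overwrite each other.
    local fname = fmt("%s-%s.docx", f$source, f$id);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

The extracted files are still ZIP archives, so the embedded images live under `word/media/` inside each one; unpack them (or point yara at the archive with a rule that also matches inside zip members) before looking for the TIFF magic bytes, and hand foremost the unpacked contents rather than the container.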