Just saw the Extract files from SMTP, and I’d love to be able to extract links from SMTP as well. Many times I have to track down from my http logs a bad link that was gone to…would love to be able to just look for the link in my smtp log to find out if it was clicked on via an email. I too am still a noob at bro, so any assistance with getting something like this to go would be great…thanks all.
James
Any chance someone can point me in the right direction with this? My goal is to add an http field in the smtp_entities file, so I won’t have to create a completely new log file. I have this code (thanks to the gent from the IRC channel):
@load base/protocols/smtp
@load base/utils
event mime_entity_data(c:connection, length: count, data:string)
{ print find_all_urls(data); }
But that’s all I got so far. I’ve spent a good portion of the morning reading the docs at:
http://www.bro.org/sphinx-beta/scripting/index.html#understanding-bro-scripts
And I’m still pretty much at the same spot I was at…completely lost :D. My understanding is that I need to create a new .bro script, and then add a redef in my in my local.bro, but that’s the extent of my knowledge at this point. Any help would really be appreciated. Thank you.
James