extract smtp objects

How can I extract an entire email, and split the attachments out into separate files in Bro?

Specifically, I want the entire smtp transaction (not just the body of the email, but headers as well) in a file, and then the attachments in the smtp body extracted as well. Not sure how to go about this.

For reference, I am probably going to run an edited version of

https://people.eecs.berkeley.edu/~mavam/teaching/cs161-sp11/mime-attachment.bro

to extract attachments, but it doesn't seem to help me too much in getting the entire smtp transaction into a file. :)

Thanks!

erik

Actually, the linked script doesn't work with 2.5 at all. Is there an up to date version of this that is out in the public domain somewhere?

Sorry for the clutter. I did this a different way with the extract file analyzer. I will just script some glue with conn.log, smtp.log, and fuid. I had originally wanted to scrape the data out of the raw smtp message (and would still prefer to do that) with other tools entirely, so if someone has a way to do that, that would be fantastic. :)
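For readers wanting to see the "extract file analyzer" route in concrete form, the following is an added example script and not code posted in this thread or shipped with Bro. It assumes the Bro 2.5 file framework API (`file_sniff`, `Files::add_analyzer`, `Files::ANALYZER_EXTRACT`, `FileExtract::prefix`) and a writable output directory of your choosing. It handles only the attachment half of the question: each MIME part carried over SMTP is written to disk under its fuid, and the per-message metadata (sender, recipients, subject) is then joined from smtp.log via the `fuids` column, as the post above describes.

```bro
# extract_smtp.bro (added example, not part of the original thread)
# Usage: bro -r mail.pcap extract_smtp.bro
@load base/frameworks/files
@load base/protocols/smtp
@load base/files/extract

# Assumption: this directory exists and is writable by the Bro process.
redef FileExtract::prefix = "./extracted_smtp/";

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Only files that the SMTP/MIME analyzer handed to the file framework.
	if ( f$source != "SMTP" )
		return;

	# Name the output after the fuid so it can be joined back to
	# smtp.log ($fuids) and files.log ($fuid) without ambiguity.
	local fname = fmt("smtp-%s", f$id);

	# The Content-Disposition filename is attacker-controlled data; keep it
	# as a hint only and strip anything that is not a plain filename character.
	if ( f$info?$filename )
		fname = fmt("%s-%s", fname, gsub(f$info$filename, /[^A-Za-z0-9._-]/, "_"));

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}
```

After a run, `files.log` records the extracted filename per fuid and `smtp.log` lists the fuids of each message alongside `mailfrom`, `rcptto`, and `subject`, so a single join on fuid reconstructs which attachment came from which message. Sanitising the filename matters because `FileExtract::prefix` is simply prepended to `extract_filename`; a hostile `Content-Disposition` header must not be allowed to choose the output path.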

You are hinting towards a design change that I've wanted to see for quite a while where the MIME analyzer would turn into a file analyzer and the MIME content carried over SMTP would be fed into the MIME file analyzer. This would have the nice side effect of making it simple to extract the full MIME message through the normal file extraction channels.

Unfortunately this design change hasn't happened yet and isn't slated for the near term.

  .Seth

How difficult would this be to do?

Probably quite a bit of work and maybe 80-90% of it would be in the analyzer which is hand written in C++.

  .Seth