New bro user here. I’m trying to understand how to enable email attachment extraction with bro. I see in smtp-entities the setting “extract-file” which by default is False. What is the right way to enable it and set the directory where these attachments will reside?
I think it should have been /application\/.*/ instead of /application\/*/ - I think
Aashish made a small typo there. Could you try adding the missing "."?
These two lines don't make any sense. Those names aren't globals, they are fields of the SMTP::EntityInfo record type. You can set them in certain situations but you shouldn't need to since the other lines you had should take care of what you're trying to do (once you have that little error that Johanna pointed out fixed).
So apparently I was incorrect in thinking that local.bro was loading automatically when running bro from the command line. Including the local.bro policy successfully extracted the attachments.
What it also told me was that these two lines:
redef SMTP::extract_file = T;
redef SMTP::calc_md5 = T;
are not valid. But poking around a little bit in entities.bro, I found the generate_md5 mime-types and redefined that in the local.bro file.