Extracting Email Attachments

user11 · March 22, 2013, 10:49am

Hello all,

New bro user here. I’m trying to understand how to enable email attachment extraction with bro. I see in smtp-entities the setting “extract-file” which by default is False. What is the right way to enable it and set the directory where these attachments will reside?

Thanks in advance!

Jason

Aashish_SHARMA2 · March 22, 2013, 2:32pm

## define the mime types you want extracted /.*/ means everything

redef SMTP::extract_file_types += /application\/*/;

## path where extracted attachments need to go:
redef SMTP::extraction_prefix = "/data/bro/extract/smtp-entity" ;

user11 · March 22, 2013, 7:34pm

Based on Aashish’s recommendations, I added the following 4 lines to the end of my local.bro:

redef SMTP::extract_file_types += /application/*/;

redef SMTP::extraction_prefix = “/tmp/extracted_”;
redef SMTP::extract_file = T;
redef SMTP::calc_md5 = T;

While there are attachments listed in the smtp_entities.log, they have no MD5 hashes and have not been extracted to /tmp. What am I missing?

johanna · March 22, 2013, 7:44pm

I think it should have been /application\/.*/ instead of /application\/*/ - I think
Aashish made a small typo there. Could you try adding the missing "."?

Johanna

Seth_Hall3 · March 22, 2013, 7:59pm

These two lines don't make any sense. Those names aren't globals, they are fields of the SMTP::EntityInfo record type. You can set them in certain situations but you shouldn't need to since the other lines you had should take care of what you're trying to do (once you have that little error that Johanna pointed out fixed).

.Seth

user11 · March 22, 2013, 7:59pm

I tried both:
redef SMTP::extract_file_types += /application/./;
and
redef SMTP::extract_file_types += /./;

But still end up with no attachments in /tmp, nor MD5s in the smtp_entities.log.

user11 · March 22, 2013, 8:08pm

So apparently I was incorrect in thinking that local.bro was loading automatically when running bro from the command line. Including the local.bro policy successfully extracted the attachments.

What it also told me was that these two lines:
redef SMTP::extract_file = T;
redef SMTP::calc_md5 = T;

Are not valid. But poking around a little bit in entities.bro I found the generate_md5 mime-types and redefined that in the local.bro file.

Thanks for the help all!

Topic		Replies	Views
File Extraction Question Zeek	1	64	May 6, 2022
An assist with file extraction Zeek	7	53	May 6, 2022
Extracted files not being archived Zeek	3	64	May 6, 2022
Extract links in SMTP Zeek	2	57	May 6, 2022
File Extraction Zeek	5	91	May 6, 2022

Extracting Email Attachments

Related Topics