Hi everyone,
I want to extract the whole data to an eml file from SMTP traffic. And the system event – file_new() only saves every MIME entity of an email as a file instead of the whole email. This is not what I want.
I tried to add an event handler in ./share/bro/base/protocols/smtp/file.bro:

    # Print the size of each chunk of DATA that the SMTP analyzer hands us.
    event smtp_data(c: connection, is_orig: bool, data: string)
        {
        print fmt("DATA %d", |data|);
        }
I print the size of every data chunk. The sum of all the data sizes is always less than the actual size of the eml file (23137 bytes < 23831 bytes). So what am I missing? And how do I save the data to a file in the smtp_data event?
Please help me with the above question if you are free. Thank you a lot!
BR
Robert Yang
> I want to extract the whole data to an eml file from SMTP traffic. And the system event – file_new() only saves every MIME entity of an email as a file instead of the whole email. This is not what I want.
I'm going to assume you're saying that you want the entire SMTP data transaction. I don't actually know what Microsoft does for their eml format, but it sounds like you're just describing a full MIME transfer.
Eventually I think things will be changing with the SMTP analyzer, where the whole message is passed as a file and the MIME analyzer will be separated out as a file analyzer (it's directly integrated into the SMTP analyzer right now). This will make it possible to get the whole message if you want it, but you'll also be able to have Bro extract and analyze all of the MIME entities separately too.
> I print the size of every data chunk. The sum of all the data sizes is always less than the actual size of the eml file (23137 bytes < 23831 bytes). So what am I missing? And how do I save the data to a file in the smtp_data event?
Could you send along a trace file where you are having this problem?
.Seth
Hi Seth,
Thanks for your rapid reply!
Actually, I do want to catch the whole message, as you mentioned. In my environment, I tried sending an eml file as the payload of the DATA command, then capturing it with Bro and comparing it with the original eml file.
You mentioned that "Eventually I think things will be changing with the SMTP analyzer where the whole message is passed as a file", so I tried to catch the data in the smtp_data event in files.bro. And finally I can indeed get the original mail content.
About the data size, I double-checked my data and found the root cause. The original eml file is 23831 bytes in Windows EOL format. The captured data is saved in UNIX EOL format, so it is a little bigger. After fixing this issue, the captured data is equal to the original eml file. Bro is very great!
Robert Yang
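For readers who want the "save the data to a file in the smtp_data event" part of this thread spelled out, here is an added example script (not code from the thread or from the Bro project). It assumes that smtp_data delivers one message line per event with its CRLF stripped (which is consistent with the size gap discussed above) and that each SMTP session carries a single message; the module, table and directory names are my own choices.

```bro
# Added example: gather the smtp_data lines of one SMTP session and write
# them out as a single .eml file when the connection goes away.
# Assumption: smtp_data hands over one line per event without its CRLF,
# and a session carries one message (several messages on one connection
# would end up concatenated in the same file).
module SMTPDump;

export {
    ## Directory the .eml files are written to (created at startup).
    const out_dir = "smtp_eml" &redef;
}

# Per-connection buffer of message lines, keyed by the connection uid.
global msg_buf: table[string] of string &default="";

event bro_init()
    {
    mkdir(out_dir);
    }

event smtp_data(c: connection, is_orig: bool, data: string)
    {
    # Only the client sends the DATA payload; ignore the server side.
    if ( ! is_orig )
        return;

    # Re-add the CRLF the line-based analyzer stripped, so the written
    # file matches a Windows-style (CRLF) original byte for byte.
    msg_buf[c$uid] = msg_buf[c$uid] + data + "\r\n";
    }

event connection_state_remove(c: connection)
    {
    if ( c$uid !in msg_buf )
        return;

    # One file per connection, named by uid so it can be tied to smtp.log.
    local f = open(fmt("%s/%s.eml", out_dir, c$uid));
    write_file(f, msg_buf[c$uid]);
    close(f);
    delete msg_buf[c$uid];
    }
```

If the original message used UNIX line endings instead, drop the "\r" and compare sizes again; the byte count should then line up the same way Robert's did.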