Links in SMTP round 2

James_inthe_box · November 8, 2013, 2:25pm

So here’s where I’m at:

event bro_init()
    {
    local filter: Log::Filter = [$name="smtp-http", $path="smtp-http", $include=set("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "mailfrom", "rcptto", "date", "from", "to", "reply_to"
, "msg_id", "subject")];
    Log::add_filter(SMTP::LOG, filter);
    }

redef record SMTP::Info += {
smtp_http: string &log;
};

event mime_entity_data(c:connection, length: count, data:string)

My snags are:

error in /usr/local/bro/share/bro/base/protocols/smtp/./main.bro, line 10: extension field must be &optional or have &default (SMTP::Info)
error in ./testfiles/test.bro, line 12: syntax error, at end of file

I’m hoping the first error is because I haven’t defined the new field of smtp_http yet. As for the second, I’m not sure how to create that field. I’ve been looking heavily at http://www.bro.org/sphinx-git/frameworks/logging.html, but so far this is all I have. ANY help…tutorials…pointers…something would really save me some time. Thank you.

James

Azoff_Justin · November 8, 2013, 3:07pm

error in /usr/local/bro/share/bro/base/protocols/smtp/./main.bro, line 10: extension field must be &optional or have &default (SMTP::Info)

Yep.. you need to mark it as &optional like it says.

error in ./testfiles/test.bro, line 12: syntax error, at end of file

You just need to handle that event and extract the links.

I’m hoping the first error is because I haven’t defined the new field of smtp_http yet. As for the second, I’m not sure how to create that field. I’ve been looking heavily at http://www.bro.org/sphinx-git/frameworks/logging.html, but so far this is all I have. ANY help…tutorials…pointers…something would really save me some time. Thank you.

Here is a script that adds a field to the conn log, it does all the
things you need to do:

github.com

JustinAzoff/bro_scripts/blob/master/conn-hostnames.bro

@load base/protocols/conn
@load base/protocols/http
@load base/protocols/ssl
@load base/utils/site

module Conn;

redef record Conn::Info += {
    resp_hostname: string &optional &log;
};

event http_header (c: connection, is_orig: bool, name: string, value: string)
{
    if(name == "HOST") {
        if(!c?$conn)
            Conn::set_conn(c, F);
        c$conn$resp_hostname = value;
    }
}

This file has been truncated. show original

James_inthe_box · November 8, 2013, 3:57pm

Thanks a BUNCH Justin…this helps. As I’m looking at this, I think what I’m hoping for, is something like:

"if the smtp message stream contains http, then log the link to smtp_http.log, otherwise don’t log anything about the stream to smtp_http.log"

Something I’m stumbling on is…how do I specify the smtp stream, and how do I find out if it contains http ( looking at the bro cheat sheet I don’t see “=~” ). Again, thanks so much Justin…I think I’m getting closer.

James

Azoff_Justin · November 8, 2013, 4:31pm

You pasted how to do this in your first message:

event mime_entity_data(c:connection, length: count, data:string)
{ print find_all_urls(data); }

The only tricky part is find_all_urls would return a vector so your log
field needs to be a 'vector of string' and not just a 'string'

James_inthe_box · November 8, 2013, 4:34pm

Awesome…thank you much Justin.

James

Topic		Replies	Views
Extract links in SMTP Zeek	2	76	May 6, 2022
Quick smtp-url-extraction question Zeek	13	113	May 6, 2022
Question on "already defined (Notice::policy)" error Zeek	5	84	May 6, 2022
report log for error message Zeek	4	88	May 6, 2022
Bro 2.4.1 and issue with smtp-embedded-url-bloom.bro Zeek	6	67	May 6, 2022

Links in SMTP round 2

Related topics