Hi Everyone,
I would like to do full email extraction (eml) to file from STMP traffic; should this happen naturally with the new file extraction framework?
I found this exchange from a while back, but haven’t found anything more recent on the topic:
http://mailman.icsi.berkeley.edu/pipermail/bro/2014-July/007224.html
I’m currently using Bro 2.4 and a script pretty similar to this one for file extraction:
https://github.com/Security-Onion-Solutions/securityonion-bro-scripts/blob/master/file-extraction/extract.bro
It looks like I’m getting the message content and attachments, but apparently not the raw email.
Any tips would be greatly appreciated!
Thanks very much,
VG