Is there a script that exists or that can be modified to be able to capture/download attachments that are detected?
Specifically, looking for SMTP attachments in e-mails. However, files in the Files.log could be helpful too.
Right now, the best I can figure is that the SMTP log is just a copy of e-mail headers and nothing more.
The files.log only has MD5 and/or SHA1 hashes, but no details about file name, type, or even the file itself.
We had heard that there are tools out there like Bro (if not Bro itself) that can do this.
If Bro has this capability, storage media requirements is not an issue.
Any additional information that I can glean and add to the logs could be helpful.
Thanks in advance,
Dan
Dan,
If you take a look at the HTTP monitoring example here (https://www.bro.org/sphinx/httpmonitor/index.html) and modify the final example (“Inspecting Files”) to use “SMTP” instead of “HTTP”, you should be pretty close to getting this to work.
v/r
And you can look at what I just posted. I found it to be beneficial to have a rough idea of what kind of files you want to extract out before starting out.
James
Right now, the best I can figure is that the SMTP log is just a copy of e-mail headers and nothing more.
�
It’s more than that, it has information from the SMTP protocol, information from the MIME message itself, derived information from the mime headers (see the “path” field), and it has a link to file IDs for any “files” transferred over the smtp transaction. You can look up more information about the files in files.log.
The files.log only has MD5 and/or SHA1 hashes, but no details about file name, type, or even the file itself.
files.log does actually contain a file name when the protocol itself clearly indicates a name for the file being transferred (refer to the content-disposition header in http for one example). It also has a mime type that it derives from examining the content of the file with signatures. If you would like to extract files, you can certainly do that but you frequently need to choose when you want to extract files because you don’t normally want to extract all files.
We had heard that there are tools out there like Bro (if not Bro itself) that can do this.
If Bro has this capability, storage media requirements is not an issue.
If that’s really true and you have infinite storage space...
This in a Bro script...
@load frameworks/files/extract-all-files
Or this at the command line...
bro -r mytraffic.pcap frameworks/files/extract-all-files
You will get a lot of files if you load that script. 
.Seth