SMTP attachments and files from other ports/protocols

Good Evening Daniel,

You can use the below to extract files only from SMTP using file_sniff in bro2.4.

I added in the line ( if( f$source != ‘SMTP’ ) return; ) and didn’t change the rest of my code as this is live code I use.

This will ignore anything that is not SMTP and then ignore anything that does not have a mime_type set.

Please feel free to respond on the boards if you have any problems with the code below.


export {

const mimes = /application/x-dosexec/ | /application/pdf/ | /application/java-archive/ &redef;

event file_sniff(f: fa_file, meta: fa_metadata)
if( f$source != ‘SMTP’ ) return;

if ( ! meta?$mime_type ) return;

if ( mimes in meta$mime_type )
local app = sub( meta$mime_type, ///, “_”);

local tsp = sub_bytes(cat(f$info$ts), 1, 10);

local fname = fmt("%s-%s.%s", f$id,app,tsp);

Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename= fname]);