Good Evening Daniel,
You can use the script below to extract files only from SMTP using file_sniff in Bro 2.4.
I added in the line `if ( f$source != "SMTP" ) return;` and didn't change the rest of my code, as this is live code I use.
This will ignore anything that is not SMTP and then ignore anything that does not have a mime_type set.
Please feel free to respond on the boards if you have any problems with the code below.
RedLight
export {
    # MIME types worth extracting. The forward slash inside a pattern
    # literal has to be escaped, otherwise the pattern ends early.
    const mimes = /application\/x-dosexec/ | /application\/pdf/ | /application\/java-archive/ &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Only files carried over SMTP; f$source holds the protocol analyzer name.
    if ( f$source != "SMTP" ) return;

    # No MIME type was identified, so there is nothing to match against.
    if ( ! meta?$mime_type ) return;

    if ( mimes in meta$mime_type )
        {
        # Turn "application/pdf" into "application_pdf" for use in the filename.
        local app = sub(meta$mime_type, /\//, "_");
        # First ten characters of the file's first-seen time, i.e. the epoch seconds.
        local tsp = sub_bytes(cat(f$info$ts), 1, 10);
        local fname = fmt("%s-%s.%s", f$id, app, tsp);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }
    }
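As an added example, not RedLight's script above, here is the same idea generalised a little: the source check becomes a redef'able set (so the same script can be pointed at HTTP or FTP without editing the event handler), the regex becomes an exact-match table from MIME type to on-disk extension, and the timestamp is guarded so the handler does not fail if f$info is not populated yet. The module name ExtractMail, the set `sources`, the table `extract_types` and the helper `extract_name` are names I made up for this example; everything else (file_sniff, fa_metadata$mime_type, f$source, f$info$ts, strftime, Files::add_analyzer with Files::ANALYZER_EXTRACT) is the Bro 2.4 API the post relies on.

```zeek
# Added example, not the original poster's code. Assumes Bro 2.4's file_sniff
# event and the file extraction analyzer; the names below are illustrative.
module ExtractMail;

export {
    ## File sources to extract from. Bro sets f$source to the name of the
    ## protocol analyzer that carried the file ("SMTP", "HTTP", ...).
    const sources: set[string] = { "SMTP" } &redef;

    ## MIME types to extract, mapped to the extension used on disk.
    const extract_types: table[string] of string = {
        ["application/x-dosexec"]    = "exe",
        ["application/pdf"]          = "pdf",
        ["application/java-archive"] = "jar"
    } &redef;
}

## Build a filename from the file id, the source and the first-seen time.
## Only the extension comes from our own table, so the attacker-controlled
## MIME string never ends up in the path.
function extract_name(f: fa_file, mime: string): string
    {
    local ext = extract_types[mime];

    # f$info$ts is the file's first-seen time (what the original post uses);
    # fall back to the current network time if the record is not set yet.
    local ts = network_time();
    if ( f?$info )
        ts = f$info$ts;

    return fmt("%s-%s-%s.%s", f$id, f$source, strftime("%Y%m%d-%H%M%S", ts), ext);
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Only files carried by a protocol we care about.
    if ( f$source !in sources )
        return;

    # libmagic could not identify the content; nothing to match against.
    if ( ! meta?$mime_type )
        return;

    # Exact match against the table rather than a regex, so a type that merely
    # contains "application/pdf" as a substring is not extracted by accident.
    if ( meta$mime_type !in extract_types )
        return;

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=extract_name(f, meta$mime_type)]);
    }
```

Extracted files land under the directory named by FileExtract::prefix (extract_files/ by default), so the filename only needs to be unique and free of path separators; the file id plus the timestamp covers that. To add a source or a type at runtime, redef the set or table from local.bro instead of editing the handler, e.g. `redef ExtractMail::sources += { "HTTP" };`.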