So I’m having an odd problem that I can’t seem to find any documentation on. I’m trying to use Bro to do some stuff with email monitoring, but I’m having some issues when it comes to data fragmentation. The test setup that I have is three servers: one DNS server for MX resolution, a sending SMTP server/client, and a receiving SMTP server with Bro running on it. The Bro server is using the default configuration. I’m sending emails to the receiving server, and they are showing up in the test user’s mail just fine. Most of the time, Bro picks up this traffic no problem and puts the necessary log entries into smtp.log and files.log. The problem is that any time I try sending a large attachment (which amounts to any time that the SMTP data field needs to be fragmented across multiple packets), Bro doesn’t seem to be picking it up. It will catch extremely small attachments, but won’t even log emails that have to fragment. Is there any insight someone could give me about this?
This sounds like it could be the common invalid checksum issue. Is your reporter.log complaining about checksum errors? See this link for more info and some possible fixes: