SMTP Entities MD5 Hash Defaults

Vlad_Grigorescu2 · July 20, 2012, 3:16pm

Hi all,

Currently, SMTP entities will calculate MD5 hashes for the following
filetypes by default: application/x-dosexec, application/x-executable. I
was a little surprised that common e-mail attack vectors like zip and PDF
files don't have this hash calculated by default. I propose extending the
default to also include application/zip and application/pdf. I think this
is good default functionality, that won't cause a noticeable performance
hit.

Thoughts? Any other filetypes that would be useful to add there, while
we're at it?

--Vlad

Seth_Hall3 · July 20, 2012, 7:22pm

Would you be up for just writing a script that does it for now? Maybe also a script that checks SMTP hashes with the malware hash registry like we're doing for HTTP?

I'm not crazy about doing much work on the pre-2.2 because once the file analysis framework is integrated everything will be different and much better anyway.

.Seth

Topic		Replies	Views
file identification modification Zeek	6	87	May 6, 2022
no sha1\md5 for some logs in files.log Zeek	2	67	May 6, 2022
SMTP attachments and files from other ports/protocols Zeek	4	60	May 6, 2022
bug in smtp analyzer? Zeek	2	59	May 6, 2022
fa_file SMTP::Info Zeek	1	67	May 6, 2022

SMTP Entities MD5 Hash Defaults

Related Topics