Hi All!
First off… I’m kinda new to Bro so please be gentle….
I’ve noticed some issues (strangeness?) with the file logging on Bro. In particular, I would like Bro to log an MD5 for all incoming files sent in through SMTP. At the moment it only seems to do it for some files and I can’t seem to find a reason why some are getting hashed but others aren’t…
An extract from my files.log filtered by SMTP and pdf:
1449167625.904080 FS81ev 1449167623.516100 Fajnj71Xx6UprSmLef 198.22.115.26 208.33.144.195 C6pKQN2extOHQYZ4Fc SMTP 3 SHA1,MD5 application/pdf LoadTender3059527.pdf 0.015949 F T 57 - 1368 0 F - - - - -
1449167625.848077 FhU87R1PwGYciZcT2i 198.22.115.26 208.33.144.195 CkD4rQ1uG5VZhJL2v9 SMTP 1 SHA1,MD5 application/pdf 12.03.2015.pdf 0.016022 F T 456 - 1368 0 F - - - - -3MhA2vXGk5J8 198.22.115.26 208.33.145.195 CHB8Ew4kdUB3hDbkKl SMTP 3 SHA1,MD5 application/pdf Payment Advice Note from 12/03/2015.PDF 0.071983 F T 14535 - 0 0 F - ef853cc031d2abfbf6e0ec964163cd98 08eae5d275554f12d4783cb9c8be210d691f8db5 - -
1449167630.224049 FGUsvz3nDYqZlH56Y1 198.22.115.26 208.33.145.195 CK8Nwn4vGwpylAmpGj SMTP 3 SHA1,MD5 application/pdf PPC_LoadTender3057660.pdf 0.032006 F T 969 - 1544 0 F - - - - -
1449167631.024050 FiMmk5Zsczli9OGi7 198.22.115.26 208.33.144.195 CX4SUd3VDBBdYoXt0g SMTP 3 SHA1,MD5 application/pdf Payment Advice Note from 12/03/2015.PDF 0.011997 F T 171 - 1368 0 F - - - - -
So basically it won’t create a file hash for a heap of files, then out of the blue it will create one, then no more for a while….
They all have the same mime type so I just can’t seem to figure this out… any help or advice would be really appreciated…
Cheers,
David.