SMTP URL extraction logs

Hello team,

I have included the below line in my local.zeek, started Zeek, and I don't see the logs:

@load /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp-url-extraction.zeek

Could someone help to tell me where I can see the logs, or whether I am doing something wrong in loading the script?

Hi Venkatesh,

The script you've loaded makes the Intel Framework "aware" of URLs discovered in SMTP messages. This is specifically for matching URL threat intel indicators in SMTP email. Without the indicators, it won't produce any noticeable output. So now that you've loaded the script, your next step is to feed the Intel Framework URL indicators. You can read more about loading indicators here: https://docs.zeek.org/en/stable/frameworks/intel.html.

An important thing to know/remember with regard to URL indicators is that they should not include the scheme (the "http://" part). For example:

use this...

www.badsite.com/path/to/exploitkit

not this...

http://www.badsite.com/path/to/exploitkit

If you're set up so your Zeek sensor can see SMTP traffic you generate, you can load a URL indicator then send a test email containing it. You should see an entry appear in the intel.log file.

That's one way to find known-bad URLs in email. If you're interested in other email analysis techniques that don't exclusively rely on indicators, check out the smtp-url-analysis package. You can read more about it here: https://github.com/initconf/smtp-url-analysis. It uses some other great techniques for finding phishing activity, like identifying when a link in an email was clicked by a recipient.

Hope that helps.

Adam
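The two steps Adam describes, as an added example that is not part of the thread: building a tab-separated Intel Framework feed of `Intel::URL` indicators with the scheme stripped, and the `local.zeek` lines that load it so hits show up in `intel.log`. The feed path, source name and sample URLs are constructed for illustration.

```python
# Added example (not from the thread): generate a Zeek intel feed of URL
# indicators, removing the "http://" scheme as the reply warns, plus the
# local.zeek lines that read it. Paths and values below are assumptions.
from urllib.parse import urlsplit

# Constructed sample indicators; the first two carry a scheme and collapse
# into one indicator once normalized.
SAMPLE_URLS = [
    "http://www.badsite.com/path/to/exploitkit",
    "https://www.badsite.com/path/to/exploitkit",
    "www.badsite.com/other/path",
]


def normalize_url_indicator(url: str) -> str:
    """Return host + path (+ query) with no scheme, as Intel::URL expects."""
    url = url.strip()
    if "://" in url:
        parts = urlsplit(url)
        url = parts.netloc + parts.path
        if parts.query:
            url += "?" + parts.query
    return url


def build_intel_feed(urls, source="sample-feed", desc="test indicator"):
    """Tab-separated intel file text: #fields header, then one row per unique URL."""
    header = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice"
    rows, seen = [header], set()
    for raw in urls:
        ind = normalize_url_indicator(raw)
        if not ind or ind in seen:
            continue  # skip blanks and duplicates after scheme removal
        seen.add(ind)
        rows.append("\t".join([ind, "Intel::URL", source, desc, "T"]))
    return "\n".join(rows) + "\n"


def local_zeek_snippet(feed_path="/opt/zeek/share/zeek/site/intel/urls.intel"):
    """Lines to append to local.zeek (feed_path is an assumed location)."""
    return "\n".join([
        "@load frameworks/intel/seen",
        "@load frameworks/intel/seen/smtp-url-extraction",
        "@load frameworks/intel/do_notice",
        'redef Intel::read_files += { "%s" };' % feed_path,
    ]) + "\n"


if __name__ == "__main__":
    print(build_intel_feed(SAMPLE_URLS))
    print(local_zeek_snippet())
```

Write the feed text to the path named in the snippet, append the snippet to `local.zeek`, redeploy, and a test email containing the URL should produce an `intel.log` entry.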