spam mail message collector

Hyun_Yoo · August 18, 2015, 9:48pm

Hello Bro. I am new to bro.

I think my task is more suitable to Bro than other NIDS.

There is a list of spammer email addresses and

I want to save the email subject and whole message of them.

(reassembled payload of tcp segments)

I tried a few events like log_smtp, tcp_contents but couldn’t save the whole stream.

Can anybody guide me to the right way, please?

Hosom_Stephen_M · August 19, 2015, 12:17pm

You could just use file extraction. This will extract many files for multipart messages.

Add a file and load it that does the following hook:

hook FileExtraction::extract(f: fa_file, meta: fa_metadata) &priority=10

{

if ( f$source == “SMTP” )

break;

}

Topic		Replies	Views
Capturing SMTP MIME message content Zeek	1	128	May 6, 2022
Extract files from SMTP Zeek	2	69	May 6, 2022
SMTP attachments and files from other ports/protocols Zeek	1	76	May 6, 2022
SMTP Data Fragmentation Problems Zeek	2	61	May 6, 2022
Is it possible to export pcap for a given event / connection? Zeek	5	65	May 6, 2022