List: bro
Subject: Re: [Bro] Bro 2.4.1 and issue with smtp-embedded-url-bloom.bro
From: Aashish Sharma <asharma () lbl ! gov>
Date: 2016-03-31 21:10:26
Message-ID: 20160331211024.GN28715 () yaksha ! lbl ! gov
Ah! I see the entries in reporter.log
I have uploaded a revised version. This should fix the issue.
Please try this
https://github.com/initconf/smtp-analysis/blob/master/smtp-embedded-url-cluster.bro
Also note:
SMTP_Link_in_EMAIL_Clicked will only partially work in the cluster setup with this policy.
I have a clusterized version of this policy but I am not entirely satisfied with it. It syncs extracted URLs across the nodes so it checks against all HTTP traffic rather than just the node which saw the smtp connection. However, there are a few corner cases I need to address.
Aashish
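An added example, not the initconf script nor any code posted in this thread, that puts the points from this reply into one Bro 2.x policy: it guards the optional c$smtp$from field whose unguarded access produced the reporter.log error quoted below, it extracts URLs from the complete entity via mime_all_data, and it replicates the extracted URLs with the Bro 2.x &synchronized attribute so the HTTP-side check can fire on any cluster node. The module name, notice type, URL pattern and expiry interval are assumptions.

```bro
@load base/protocols/smtp
@load base/protocols/http
@load base/frameworks/notice

# Added sketch, not the initconf smtp-analysis policy.
module SMTPurlDemo;

export {
	redef enum Notice::Type += { Link_in_Email_Clicked };

	# Assumed URL pattern; tune it for the mail seen on your network.
	const url_regex = /https?:\/\/[a-zA-Z0-9\-\.]+(:[0-9]+)?(\/[^ \t\r\n"'<>]*)?/ &redef;

	# URL seen in a mail body -> MAIL FROM. &synchronized is the Bro 2.x way to
	# replicate state across cluster nodes, so the HTTP check runs everywhere.
	global mail_urls: table[string] of string &synchronized &create_expire=1 day;
}

# Make "http://award" and "http://award/" compare equal.
function normalize(u: string): string
	{
	return ( /^https?:\/\/[^\/]+$/ in u ) ? u + "/" : u;
	}

# mime_all_data hands over the whole decoded entity at once, so a URL cannot
# be split at a chunk boundary the way it can with mime_segment_data.
event mime_all_data(c: connection, length: count, data: string) &priority=-5
	{
	# Both fields are &optional: reading them unguarded is what produced
	# "field value missing [SMTPurl::c$smtp$from]" in reporter.log.
	if ( ! c?$smtp )
		return;
	local sender = "<no MAIL FROM>";
	if ( c$smtp?$from )
		sender = c$smtp$from;

	local urls = find_all(data, url_regex);
	for ( u in urls )
		mail_urls[normalize(u)] = sender;
	}

# Fires on every node that logs HTTP, not only the one that saw the SMTP session.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( ! rec?$host || ! rec?$uri )
		return;
	local url = normalize(fmt("http://%s%s", rec$host, rec$uri));
	if ( url !in mail_urls )
		return;
	NOTICE([$note=Link_in_Email_Clicked,
	        $msg=fmt("%s requested %s, which arrived in mail from %s",
	                 rec$id$orig_h, url, mail_urls[url]),
	        $id=rec$id, $uid=rec$uid]);
	}
```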
On Thu, Mar 31, 2016 at 02:43:32PM -0600, James Lay wrote:
> Unfortunately I get this when running the latest version:
>
> 1459456959.248537 expression error in
> /usr/local/bro/share/bro/site/smtp-embedded-url-bloom.bro, line 156:
> field value missing [SMTPurl::c$smtp$from]
>
> Thank you.
>
> James
>
> On 2016-03-30 18:05, Aashish Sharma wrote:
> > Hello James,
> >
> > Yes, that was caused in a very early version of the script because
> > of using
> >
> > You should try this:
> >
> > - event mime_segment_data(c: connection, length: count, data: string)
> > &priority=-5
> > + event mime_all_data(c: connection, length: count, data: string)
> > &priority=-5
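Review bot: the hunk should say why the handler moves, since the event swap is the whole fix: mime_segment_data delivers the body in pieces, so a URL that straddles a piece boundary is matched in two halves, which fits the truncated "http://award" entries reported earlier in this thread, whereas mime_all_data hands the handler the complete entity. The handler body is not shown here, but the later reporter.log line "field value missing [SMTPurl::c$smtp$from]" indicates c$smtp$from is still read without a c$smtp?$from guard; that check belongs in the same change.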
> >
> >
> > Or try this policy:
> >
> > https://github.com/initconf/smtp-analysis/blob/master/smtp-embedded-url-bloom.bro
> >
> > Aashish
> >
> >
> >
> >
> > On Wed, Mar 30, 2016 at 05:54:37PM -0600, James Lay wrote:
> > >
> > > On Wed, 2016-03-30 at 15:04 +0000, Stephen Castellarin wrote:
> > >
> > > Hi all,
> > >
> > > I've set up a Bro instance to test out URL extraction from SMTP, using the
> > > smtp-embedded-url-bloom.bro scripts. For the most part the extract/logging
> > > is working, but many times I'll find that the host and url logged will be
> > > truncated. As an example I'd see one email listed that has 20 links
> > > extracted, but one log entry would have host name as "award" with the url
> > > as "http://award". The remaining URLs for that email look to be extracted
> > > correctly.
> > >
> > > Has anyone else noticed this issue?
> > > Thanks,
> > >
> > > Steve
> > >
> > > _______________________________________________
> > > Bro mailing list
> > > [1]bro@bro-ids.org
> > > [2]http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> > >
> > > Yep...I suspect emails that are quoted-printable fall victim to this:
> > > [3]https://en.wikipedia.org/wiki/Quoted-printable
> > > James
> > >
> > > References
> > >
> > > 1. mailto:bro@bro-ids.org
> > > 2. http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> > > 3. https://en.wikipedia.org/wiki/Quoted-printable
> >