Discussion:
[Bro] How to extract data to a eml file from smtp traffic
R***@trendmicro.com.cn
2014-07-24 06:45:54 UTC
Hi everyone,

I want to extract the whole data to an eml file from SMTP traffic. The system event file_new() only saves every MIME entity of an email as a file instead of the whole email. This is not what I want.

I tried to add an event handler in ./share/bro/base/protocols/smtp/file.bro:

event smtp_data(c: connection, is_orig: bool, data: string)
    {
    # print the size of each data chunk delivered by the SMTP analyzer
    print fmt("DATA %d", |data|);
    }

I print the size of every data chunk. The sum of all data sizes is always less than the actual size of the eml file (23137 bytes < 23831 bytes). So what am I missing? And how do I save the data to a file in the smtp_data event?

Please help me with the above question if you are free. Thank you a lot!

BR
Robert Yang


Seth Hall
2014-07-24 13:40:59 UTC
> I want to extract the whole data to an eml file from SMTP traffic. The system event file_new() only saves every MIME entity of an email as a file instead of the whole email. This is not what I want.

I'm going to assume you're saying that you want the entire SMTP data transaction. I don't actually know what Microsoft does for their eml format, but it sounds like you're just describing a full MIME transfer.

Eventually I think things will be changing with the SMTP analyzer where the whole message is passed as a file and the MIME analyzer will be separated as a file analyzer (it's directly integrated into the SMTP analyzer right now). This will make it possible to get the whole message if you want it, but you'll also be able to have Bro extract and analyze all of the MIME entities separately too.

> I print the size of every data chunk. The sum of all data sizes is always less than the actual size of the eml file (23137 bytes < 23831 bytes). So what am I missing? And how do I save the data to a file in the smtp_data event?

Could you send along a trace file where you are having this problem?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
R***@trendmicro.com.cn
2014-07-25 01:17:41 UTC
Hi Seth,

Thanks for your rapid reply!

Actually, I do want to catch the whole message, as you mentioned. In my environment, I send an eml file as the payload of the DATA command, then catch it with Bro and compare it with the original eml file.

You mentioned that "Eventually I think things will be changing with the SMTP analyzer where the whole message is passed as a file", so I tried to catch the data in the smtp_data event in files.bro. And in the end I can indeed get the original mail content.

About the data size, I double-checked my data and found the root cause. The original eml file is 23831 bytes in Windows EOL format. The captured data is saved in UNIX EOL format, so it is a little bigger. After fixing this issue, the captured data is equal to the original eml file. Bro is very great!

Robert Yang

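The approach Robert describes, written out as an added example (this is not code from the thread or from the Bro project): each line the SMTP analyzer hands to smtp_data is appended to one .eml file per message, with CRLF restored so the file matches the original byte-for-byte. It assumes smtp_data delivers one line of the DATA section at a time without its terminator (which is what the size gap in the thread suggests), that base/protocols/smtp is loaded so c$smtp$trans_depth separates consecutive messages on one connection, and that the output directory (a hypothetical name here) already exists.

```bro
# Write each SMTP DATA section to its own .eml file (added example).
module SMTPDump;

export {
    ## Directory for the dumped messages (assumed to exist already).
    const out_dir = "smtp_eml" &redef;
}

type MsgState: record {
    f: file;        # open output file for the current message
    depth: count;   # c$smtp$trans_depth the file belongs to
};

global msgs: table[string] of MsgState;

# Message counter within the connection; 0 if the smtp record is absent.
function msg_depth(c: connection): count
    {
    return c?$smtp ? c$smtp$trans_depth : 0;
    }

event smtp_data(c: connection, is_orig: bool, data: string)
    {
    local d = msg_depth(c);

    # A new message on the same connection: close the previous file.
    if ( c$uid in msgs && msgs[c$uid]$depth != d )
        {
        close(msgs[c$uid]$f);
        delete msgs[c$uid];
        }

    if ( c$uid !in msgs )
        msgs[c$uid] = [$f=open(fmt("%s/%s-%d.eml", out_dir, c$uid, d)),
                       $depth=d];

    # Re-add the CRLF the analyzer stripped, so the on-disk size matches
    # the Windows-EOL original instead of coming up short by one byte
    # per line (the 23137 vs 23831 difference from the thread).
    write_file(msgs[c$uid]$f, data + "\r\n");
    }

event connection_state_remove(c: connection)
    {
    if ( c$uid in msgs )
        {
        close(msgs[c$uid]$f);
        delete msgs[c$uid];
        }
    }
```

Compare the result against the original with a byte-level tool (cmp or a hash) rather than a diff that ignores line endings, since that is exactly the difference being checked.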
