I needed to be able to extract attachments from SMTP in order to do a poor man's FireEye type solution. I can then hash the files and submit them to VirusTotal and/or Cuckoo Sandbox.

Create the file "extract-smtp.bro" in your bro $PREFIX/policy/misc/ directory

# MIME types worth extracting, mapped to the file extension used for the output file.
# Anything not listed here is left alone.
global mime_to_ext: table[string] of string = {
        ["application/x-dosexec"] = "exe",
        ["image/jpeg"] = "jpg",
        ["application/pdf"] = "pdf",
        ["application/vnd.ms-excel"] = "xls",
        ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
        ["application/zip"] = "zip",
        ["application/x-compressed-zip"] = "xzip",
        ["application/x-rar-compressed"] = "rar",
        ["application/msword"] = "doc",
        ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
        ["application/rtf"] = "rtf",
};

# file_sniff fires once the MIME type of a file has been detected, early enough
# to still attach the extract analyzer to it.
event file_sniff(f: fa_file, meta: fa_metadata)
        {
        # Only files carried over SMTP (i.e. mail attachments).
        if ( f$source != "SMTP" )
                return;

        # No MIME type detected, nothing to match against.
        if ( ! meta?$mime_type )
                return;

        if ( meta$mime_type !in mime_to_ext )
                return;

        # Output name: <source>-<file id>.<ext>, e.g. SMTP-FaBcDe1xyz.exe; the file id
        # is the same one logged in files.log, so the extracted file can be tied back to it.
        local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }

Then enable it in your local.bro file, set the extraction directory and ensure that directory exists (files are written under FileExtract::prefix).

@load misc/extract-smtp
redef FileExtract::prefix = "/data/bro/extract_files/";
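The hashing step that follows extraction, as an added example that is not part of the original post: it walks the extraction directory, parses the "<source>-<fid>.<ext>" names the script above produces back into Bro file ids, and builds a SHA-256 manifest in which identical attachments seen in several e-mails collapse onto one hash, so each unique file is only submitted to a scanner once. The directory contents in demo() are constructed samples, and the assumption that fids are plain alphanumeric strings is my own.

```python
import hashlib
import os
import re
import tempfile

# The extract analyzer above names files "<source>-<fid>.<ext>" (e.g. SMTP-FaBcDe1xyz.exe).
# The fid is the Bro file id, so each hash can be joined back to files.log / smtp.log.
# Assumption: fids are plain alphanumeric strings.
EXTRACTED_RE = re.compile(r"^(?P<source>[A-Za-z]+)-(?P<fid>[A-Za-z0-9]+)\.(?P<ext>[a-z0-9]+)$")

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large attachment is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(extract_dir):
    """Map sha256 -> {"ext", "fids"} for every SMTP extraction in the directory.
    Identical content seen under several fids collapses onto one hash, so the same
    attachment is only submitted to a scanner once; other files are ignored."""
    manifest = {}
    for name in sorted(os.listdir(extract_dir)):
        m = EXTRACTED_RE.match(name)
        if m is None or m.group("source") != "SMTP":
            continue
        digest = sha256_file(os.path.join(extract_dir, name))
        entry = manifest.setdefault(digest, {"ext": m.group("ext"), "fids": []})
        entry["fids"].append(m.group("fid"))
    return manifest

def demo():
    """Build a constructed sample extraction directory (not real captures) and scan it."""
    d = tempfile.mkdtemp()
    samples = {
        "SMTP-FaAAA1111.exe": b"MZ\x90\x00constructed-sample-1",
        "SMTP-FbBBB2222.exe": b"MZ\x90\x00constructed-sample-1",  # same bytes, second e-mail
        "SMTP-FcCCC3333.pdf": b"%PDF-1.4 constructed-sample-2",
        "notes.txt": b"not an extracted attachment",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return build_manifest(d)

if __name__ == "__main__":
    for digest, info in demo().items():
        print(digest, info["ext"], ",".join(info["fids"]))
```

Point build_manifest() at the real FileExtract::prefix directory to get the hashes to look up or submit.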