[Oisf-users] SMTP payload /eml extraction

Cooper F. Nelson cnelson at ucsd.edu
Sun Jul 17 15:21:29 UTC 2016


As a quick hack you could do the following:

1.  Write a Suricata rule to trigger on URLs in SMTP traffic.  Just
looking for 'http://' should suffice.

2.  Enable unified2 logging, extract the raw pcaps with u2boat and then
use a tool like ngrep to extract the URLs from packets to port 25.

The latest release supports Lua scripting for SMTP, so you could
probably write a Lua script to extract URLs and write them to a log
file, but I haven't actually done anything that advanced yet.

-Coop

On 7/14/2016 1:52 PM, Stephen Castellarin wrote:
> Is it possible for Suricata to extract any urls found in the body of an email?
>  


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
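Steps 1 and 2 of the quick hack above, worked through as an added example (this is not code from Cooper's post or from the Suricata project). The rule in the docstring is a conventional port-25 content match; the sid, the message text and the mail sample are all made up for the example. The Python replaces the ngrep step with a small post-processor that takes the client side of a captured SMTP session (what you would see on the port-25 packets after u2boat), cuts out each DATA section, undoes SMTP dot-stuffing, decodes the MIME transfer encodings and only then looks for URLs. That decoding step is the practical caveat: ngrep matches per packet and neither it nor a literal `content:"http://"` sees a URL that sits inside a base64-encoded part or is split by a quoted-printable soft line break.

```python
"""Pull URLs out of the DATA sections of captured SMTP sessions.

Conventional Suricata rule for step 1 (an example, not from the post;
sid 1000001 is just the usual local-rule range):

  alert tcp any any -> any 25 (msg:"SMTP body contains URL"; \
      flow:established,to_server; content:"http://"; nocase; \
      classtype:policy-violation; sid:1000001; rev:1;)
"""
import base64
import email
import email.policy
import re

URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed HTML part, base64-encoded inline so the sample is consistent.
# Its URL never appears literally on the wire.
HTML_PART = b'<p>Click <a href="https://login.example.net/reset">here</a> to continue.</p>'
HTML_B64 = base64.encodebytes(HTML_PART).replace(b"\n", b"\r\n")

# Constructed client->server half of one SMTP session (server replies
# dropped).  The plain-text URL is broken by a quoted-printable soft line
# break ("=\r\n"), and "..Thanks" is a dot-stuffed line.
SAMPLE_SESSION = (
    b"EHLO mailer.example.org\r\n"
    b"MAIL FROM:<sender@example.org>\r\n"
    b"RCPT TO:<analyst@example.com>\r\n"
    b"DATA\r\n"
    b"From: sender@example.org\r\n"
    b"To: analyst@example.com\r\n"
    b"Subject: Q2 report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Please review the report at http://example.com/reports/q2-=\r\n"
    b"summary.pdf before Friday.\r\n"
    b"..Thanks\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + HTML_B64 +
    b"--b1--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def extract_data_sections(session: bytes) -> list:
    """Return every message sent after a DATA command, dot-unstuffed."""
    messages = []
    pos = 0
    while True:
        start = session.find(b"DATA\r\n", pos)
        if start == -1:
            return messages
        start += len(b"DATA\r\n")
        # The terminator is a lone "." line; search from start-2 so an empty
        # body ("DATA\r\n.\r\n") is still found.
        end = session.find(b"\r\n.\r\n", max(start - 2, 0))
        if end == -1:
            # Capture ended mid-DATA; keep what was seen rather than drop it.
            end = len(session)
        raw = session[start:end] + b"\r\n"
        # RFC 5321 dot-stuffing: a leading ".." on the wire means one ".".
        lines = [ln[1:] if ln.startswith(b"..") else ln for ln in raw.split(b"\r\n")]
        messages.append(b"\r\n".join(lines))
        pos = end + len(b"\r\n.\r\n")


def urls_in_message(message: bytes) -> list:
    """Decode each MIME leaf part (base64, quoted-printable) and collect URLs."""
    msg = email.message_from_bytes(message, policy=email.policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        for match in URL_RE.findall(payload):
            url = match.decode("ascii", "replace")
            if url not in found:
                found.append(url)
    return found


def urls_in_session(session: bytes) -> list:
    """All distinct URLs in every message of one captured session, in order."""
    urls = []
    for message in extract_data_sections(session):
        for url in urls_in_message(message):
            if url not in urls:
                urls.append(url)
    return urls


if __name__ == "__main__":
    for url in urls_in_session(SAMPLE_SESSION):
        print(url)
```

Feed it the port-25 payload reassembled from the pcap (tcpflow or `tshark -z follow,tcp,raw` both produce that); running it on individual packets brings back the same per-packet blind spots as ngrep. Neither URL in the constructed sample is present as a literal string in the session bytes, which is the point: the rule fires on the plain-text part, but the base64 HTML part contributes nothing to a raw content match.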
