[Oisf-users] SMTP payload /eml extraction

Tom DeCanio decanio.tom at gmail.com
Sun Jul 17 17:12:56 UTC 2016


I don't see a need for anything quite this complicated.  With
app-layer.protocols.smtp.mime.extract-urls set to yes, URLs will be parsed
from SMTP traffic and written to the eve-log JSON logger.

"Let everyone else call your idea crazy. Just keep going."

Phil Knight

On Sun, Jul 17, 2016 at 8:21 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> As a quick hack you could do the following:
>
> 1.  Write a suricata rule to trigger on urls in SMTP traffic.  Just
> looking for 'http://' should suffice.
>
> 2.  Enable unified2 logging, extract the raw pcaps with u2boat and then
> use a tool like ngrep to extract the urls from packets to port 25.
>
> The latest release supports Lua scripting for SMTP, so you could
> probably write a Lua script to extract URLs and write them to a log
> file, but I haven't actually done anything that advanced yet.
>
> -Coop
>
> On 7/14/2016 1:52 PM, Stephen Castellarin wrote:
> > Is it possible for Suricata to extract any urls found in the body of an
> email?
> >
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
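Added example, not code from the thread or from the Suricata project: a short Python script that pulls the URLs Suricata writes to eve.json when app-layer.protocols.smtp.mime.extract-urls is set to yes, and sets that beside the "quick hack" of matching 'http://' in raw SMTP traffic. The eve.json lines and the SMTP message are constructed; the `email.url` field layout and the assumption that some Suricata versions log the extracted URL without its scheme are taken from memory of the eve format and should be checked against the output of your own Suricata build.

```python
"""Consume URLs from Suricata eve.json smtp/email events, and compare with a
raw 'http://' match over the SMTP payload.

Sample events and the SMTP message below are constructed for the example; the
"email": {"url": [...]} layout is assumed, check it against your own eve.json.
"""
import base64
import email
import json
import re

# Constructed eve.json lines in the assumed shape of the smtp/email event.
EVE_LINES = [
    '{"timestamp":"2016-07-17T10:00:00.000000+0000","event_type":"smtp",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.25","dest_port":25,'
    '"smtp":{"helo":"mail.example.test","mail_from":"<a@example.test>",'
    '"rcpt_to":["<b@example.test>"]},'
    '"email":{"status":"PARSE_DONE","from":"a@example.test",'
    '"to":["b@example.test"],"url":["www.example.test/login","example.test/reset?id=1"]}}',
    '{"timestamp":"2016-07-17T10:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.25"}',
    '{"timestamp":"2016-07-17T10:00:02.000000+0000","event_type":"smtp",'
    '"src_ip":"192.0.2.11","dest_ip":"192.0.2.25","dest_port":25,'
    '"smtp":{"helo":"x","mail_from":"<c@example.test>","rcpt_to":["<b@example.test>"]},'
    '"email":{"status":"PARSE_DONE","from":"c@example.test","to":["b@example.test"]}}',
]

URL_RE = re.compile(rb"https?://[^\s<>\"']+")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def eve_email_urls(lines):
    """Return (timestamp, src_ip, url) for every URL in an smtp/email event.

    Assumption: some Suricata versions log the extracted URL without its
    scheme (only the text after 'http://'), so one is prepended when missing.
    Events of other types, and smtp events without an email/url field, are
    skipped rather than raising.
    """
    found = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "smtp":
            continue
        for url in ev.get("email", {}).get("url", []):
            if not SCHEME_RE.match(url):
                url = "http://" + url
            found.append((ev["timestamp"], ev.get("src_ip"), url))
    return found


# Constructed SMTP DATA payload whose only URL sits inside a base64 body part.
RAW_SMTP_BODY = (
    b"From: a@example.test\r\n"
    b"To: b@example.test\r\n"
    b"Subject: account notice\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(b"Please verify at http://www.example.test/login now")
    + b"\r\n"
)


def raw_http_urls(payload):
    """The quick hack: a plain 'http://' match over the raw SMTP bytes.

    Misses anything the MIME layer encoded (base64, quoted-printable).
    """
    return [m.decode("ascii", "replace") for m in URL_RE.findall(payload)]


def mime_decoded_urls(payload):
    """MIME-aware extraction: undo each part's transfer encoding, then match.

    This is what Suricata's extract-urls does for you inside the MIME decoder.
    """
    msg = email.message_from_bytes(payload)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        body = part.get_payload(decode=True) or b""
        found.extend(m.decode("ascii", "replace") for m in URL_RE.findall(body))
    return found


if __name__ == "__main__":
    for ts, src, url in eve_email_urls(EVE_LINES):
        print(ts, src, url)
    print("raw match:", raw_http_urls(RAW_SMTP_BODY))
    print("mime decoded:", mime_decoded_urls(RAW_SMTP_BODY))
```

The second half is the reason to prefer the extract-urls option over a content match: a rule or ngrep pattern for 'http://' sees nothing in a base64-encoded body, while the decoded part yields the link.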