Thanks for your rapid reply!
Actually, I want to catch the whole message indeed, as you mentioned. In my environment, I
try to send an eml file as the payload of the DATA command, then catch it with Bro and compare it with
the original eml file.
You mention that "Eventually I think things will be changing with the SMTP analyzer
where the whole message is passed as a file", so I try to catch the data in the smtp_data
event in files.bro. And finally I can indeed get the original mail content.
About the data size, I double-checked my data and found the root cause. The original eml file is
23831 bytes in Windows EOL format. The captured data is saved in UNIX EOL format, so the original is
a little bigger. After fixing this issue, the captured data is equal to the original eml
file. Bro is really great!
From: Seth Hall [mailto:firstname.lastname@example.org]
Sent: 24 July 2014 21:41
To: Robert Yang (RD-CN)
Subject: Re: [Bro] How to extract data to a eml file from smtp traffic
On Jul 24, 2014, at 2:45 AM, Robert_Yang(a)trendmicro.com.cn wrote:
> I want to extract the whole data to an eml file from
> smtp traffic. And the system event file_new() only saves every mime entity of an email
> as a file instead of the whole email. This is not what I want.
I'm going to assume you're saying that you want the entire SMTP data
transaction. I don't actually know what Microsoft does for their eml format, but it
sounds like you're just describing a full MIME transfer.
Eventually I think things will be changing with the SMTP analyzer where the whole message
is passed as a file and the MIME analyzer will be separated as a file analyzer (it's
directly integrated into the smtp analyzer right now). This will make it possible to get
the whole message if you want it, but you'll also be able to have Bro extract and
analyze all of the mime entities separately too.
> I print the size of every data event. The sum of all the data
> sizes is always less than the actual size of the eml file (23137 bytes < 23831 bytes). So what
> am I missing? And how do I save data to a file in the smtp_data event?
Could you send along a trace file where you are having this problem?
International Computer Science Institute
(Bro) because everyone has a network
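The size mismatch discussed in this thread comes from the line endings: smtp_data hands the script one line at a time with the CRLF stripped, so writing the lines back out with "\n" loses two bytes per line. The script below is an added example, not code from either poster or from the Bro project; it assumes smtp_data delivers one stripped line per event and that the smtp_data, open, write_file, close and connection_state_remove names are the stock Bro 2.x ones.

```bro
# Added example: dump the raw DATA section of each SMTP session to
# one file per connection, restoring CRLF so the output matches a
# Windows-format .eml byte for byte.

# Open output files keyed by connection uid (assumed: one message per session).
global eml_files: table[string] of file;

event smtp_data(c: connection, is_orig: bool, data: string)
    {
    # Only the client side carries the message body.
    if ( ! is_orig )
        return;

    if ( c$uid !in eml_files )
        eml_files[c$uid] = open(fmt("%s.eml", c$uid));

    # smtp_data strips the line terminator; add CRLF back rather than "\n",
    # otherwise the captured file comes out 2 bytes short per line.
    write_file(eml_files[c$uid], data + "\r\n");
    }

event connection_state_remove(c: connection)
    {
    # Flush and close when Bro discards the connection state.
    if ( c$uid in eml_files )
        {
        close(eml_files[c$uid]);
        delete eml_files[c$uid];
        }
    }
```

A session that sends several messages over one connection will have them concatenated into the same file; splitting on the end-of-DATA reply is left out here to keep the example short.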