Improved file name extraction for SMTP when file name is included in Content-Type header.

scripts/base/protocols/smtp/entities.bro

@@ -177,6 +177,10 @@ event mime_one_header(c: connection, h: mime_header_rec)
 	if ( h$name == "CONTENT-DISPOSITION" &&
 	     /[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value )
 		c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value);
+
+	if ( h$name == "CONTENT-TYPE" && 
+	     /[nN][aA][mM][eE][:blank:]*=/ in h$value )
+		c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value);
 	}
 
 event mime_end_entity(c: connection) &priority=-5

scripts/base/utils/files.bro

@@ -19,7 +19,7 @@ function generate_extraction_filename(prefix: string, c: connection, suffix: str
 ## the filename.
 function extract_filename_from_content_disposition(data: string): string
 	{
-	local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, "");
+	local filename = sub(data, /^.*[nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, "");
 	# Remove quotes around the filename if they are there.
 	if ( /^\"/ in filename )
 		filename =  split_n(filename, /\"/, F, 2)[2];