diff --git a/scripts/policy/frameworks/intel/smtp.bro b/scripts/policy/frameworks/intel/smtp.bro
index 6f72a3da2a..f44f0575dc 100644
--- a/scripts/policy/frameworks/intel/smtp.bro
+++ b/scripts/policy/frameworks/intel/smtp.bro
@@ -15,11 +15,56 @@ event mime_end_entity(c: connection)
 $where=SMTP::IN_RECEIVED_HEADER]);
 }
 }
-
+
 if ( c$smtp?$user_agent )
 Intel::seen([$str=c$smtp$user_agent,
 $str_type=Intel::USER_AGENT,
 $conn=c,
 $where=SMTP::IN_HEADER]);
+
+ if ( c$smtp?$x_originating_ip )
+ Intel::seen([$host=c$smtp$x_originating_ip,
+ $conn=c,
+ $where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
+
+ if ( c$smtp?$mailfrom )
+ Intel::seen([$str=c$smtp$mailfrom,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_MAIL_FROM]);
+
+ if ( c$smtp?$rcptto )
+ {
+ for ( rcptto in c$smtp$rcptto )
+ {
+ Intel::seen([$str=rcptto,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_RCPT_TO]);
+ }
+ }
+
+ if ( c$smtp?$from )
+ Intel::seen([$str=c$smtp$from,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_FROM]);
+
+ if ( c$smtp?$to )
+ {
+ for ( email_to in c$smtp$to )
+ {
+ Intel::seen([$str=email_to,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_TO]);
+ }
+ }
+
+ if ( c$smtp?$reply_to )
+ Intel::seen([$str=c$smtp$reply_to,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_REPLY_TO]);
 }
 }
diff --git a/scripts/policy/frameworks/intel/where-locations.bro b/scripts/policy/frameworks/intel/where-locations.bro
index 360ac15131..45be5892ce 100644
--- a/scripts/policy/frameworks/intel/where-locations.bro
+++ b/scripts/policy/frameworks/intel/where-locations.bro
@@ -13,8 +13,9 @@ export {
 SMTP::IN_RCPT_TO,
 SMTP::IN_FROM,
 SMTP::IN_TO,
- SMTP::IN_CC,
 SMTP::IN_RECEIVED_HEADER,
+ SMTP::IN_REPLY_TO,
+ SMTP::IN_X_ORIGINATING_IP_HEADER,
 SSL::IN_SERVER_CERT,
 SSL::IN_CLIENT_CERT,
 SSL::IN_SERVER_NAME,
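Review bot: The new EMAIL lookups for mailfrom, rcptto, from, to and reply_to hand the field values to Intel::seen as $str unchanged, and string indicators are matched exactly, so if these fields hold what the SMTP analyzer records from the wire — MAIL FROM/RCPT TO arguments with their angle brackets, From/To/Reply-To headers carrying display names, comments or several comma-separated addresses — an indicator loaded as a bare address like `attacker@example.com` will never hit. Each of these five branches should first reduce the value to its bare address(es) and call Intel::seen once per extracted address, keeping the same $where, so the match does not depend on the indicator being loaded in the exact on-the-wire form. Whether the analyzer already strips brackets or display names at this revision cannot be confirmed from the hunk, so please verify against base/protocols/smtp before relying on the exact comparison; if it does strip them, a comment such as `# Fields below are already bare addresses; exact match is intended` would record that. The `x_originating_ip` branch is fine as written since it uses $host. The enclosing `mime_end_entity` handler begins before this hunk and is not visible here.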
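Review bot: Dropping `SMTP::IN_CC` leaves the Where enum with no location for Cc recipients, and the smtp.bro hunk in this same commit reads no cc field, so Cc addresses are never checked against EMAIL indicators while To and Reply-To now are. If SMTP::Info carries no cc field at this revision the removal is consistent, but the gap is easy to mistake for an oversight later; a comment next to the list, e.g. `# No SMTP::IN_CC: Cc headers are not parsed into SMTP::Info yet`, would record it as deliberate. The `export` block this list sits in starts before the hunk and is not visible here.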