From 38468f9daa0c6f41e7588a1e4c954d10fe46e6bd Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Fri, 28 Sep 2012 22:43:36 -0400
Subject: [PATCH] Lots more intelligence checking in SMTP traffic.

---
 scripts/policy/frameworks/intel/smtp.bro | 47 ++++++++++++++++++-
 .../frameworks/intel/where-locations.bro | 3 +-
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/scripts/policy/frameworks/intel/smtp.bro b/scripts/policy/frameworks/intel/smtp.bro
index 6f72a3da2a..f44f0575dc 100644
--- a/scripts/policy/frameworks/intel/smtp.bro
+++ b/scripts/policy/frameworks/intel/smtp.bro
@@ -15,11 +15,56 @@ event mime_end_entity(c: connection)
 $where=SMTP::IN_RECEIVED_HEADER]);
 }
 }
-
+
 if ( c$smtp?$user_agent )
 Intel::seen([$str=c$smtp$user_agent,
 $str_type=Intel::USER_AGENT,
 $conn=c,
 $where=SMTP::IN_HEADER]);
+
+ if ( c$smtp?$x_originating_ip )
+ Intel::seen([$host=c$smtp$x_originating_ip,
+ $conn=c,
+ $where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
+
+ if ( c$smtp?$mailfrom )
+ Intel::seen([$str=c$smtp$mailfrom,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_MAIL_FROM]);
+
+ if ( c$smtp?$rcptto )
+ {
+ for ( rcptto in c$smtp$rcptto )
+ {
+ Intel::seen([$str=rcptto,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_RCPT_TO]);
+ }
+ }
+
+ if ( c$smtp?$from )
+ Intel::seen([$str=c$smtp$from,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_FROM]);
+
+ if ( c$smtp?$to )
+ {
+ for ( email_to in c$smtp$to )
+ {
+ Intel::seen([$str=email_to,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_TO]);
+ }
+ }
+
+ if ( c$smtp?$reply_to )
+ Intel::seen([$str=c$smtp$reply_to,
+ $str_type=Intel::EMAIL,
+ $conn=c,
+ $where=SMTP::IN_REPLY_TO]);
 }
 }
diff --git a/scripts/policy/frameworks/intel/where-locations.bro b/scripts/policy/frameworks/intel/where-locations.bro
index 360ac15131..45be5892ce 100644
--- a/scripts/policy/frameworks/intel/where-locations.bro
+++ b/scripts/policy/frameworks/intel/where-locations.bro
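Review bot: The `$str` values handed to `Intel::seen` for IN_MAIL_FROM, IN_RCPT_TO, IN_FROM, IN_TO and IN_REPLY_TO appear to be the raw envelope arguments and header values, which in practice carry angle brackets and display names (`MAIL FROM:<user@example.com>` leaves `<user@example.com>`; a `From:` header is typically `"Name" <user@example.com>`), so an exact lookup of a bare-address EMAIL indicator will not hit any of the new checks. Extracting the bare address(es) from each value before the lookup — and iterating when a header can carry several — is what would make these locations useful; a comment on the first of them such as `# NOTE: intel EMAIL indicators are bare addresses; strip display names/brackets before lookup` would at least record the expectation until that is done. The kept `user_agent` check is exact-match by nature, so it is not affected. The enclosing `mime_end_entity` handler begins outside the hunk.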
@@ -13,8 +13,9 @@ export {
 SMTP::IN_RCPT_TO,
 SMTP::IN_FROM,
 SMTP::IN_TO,
-SMTP::IN_CC,
 SMTP::IN_RECEIVED_HEADER,
+SMTP::IN_REPLY_TO,
+SMTP::IN_X_ORIGINATING_IP_HEADER,
 SSL::IN_SERVER_CERT,
 SSL::IN_CLIENT_CERT,
 SSL::IN_SERVER_NAME,
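Review bot: `SMTP::IN_CC` is deleted from the `Where` enum in the same hunk that adds `SMTP::IN_REPLY_TO` and `SMTP::IN_X_ORIGINATING_IP_HEADER`, yet the smtp.bro hunk adds no CC lookup, so the removal is a silent loss of coverage and a load-time break for any script or intel data that still names the value. If CC is meant to stay covered, keep the enum value and add a loop mirroring the `c$smtp$to` one in smtp.bro (presumably over a `cc` field on the SMTP record — confirm it exists in this tree); if dropping it is intentional, the commit message should say so since the subject line only mentions adding checks. The `export` block continues outside the hunk.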