Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixed SMTP URL extraction for the Intel framework with Files updates.

Browse source
This commit is contained in:
Seth Hall 2013-07-09 11:51:23 -04:00
parent cdf6b7864e
commit ecfac31de0
1 changed files with 6 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/policy/frameworks/intel/smtp-url-extraction.bro
View file

@ -1,11 +1,12 @@
@load base/frameworks/intel @load base/frameworks/intel
@load base/protocols/smtp/file-analysis @load base/protocols/smtp
@load base/utils/urls @load base/utils/urls
@load ./where-locations @load ./where-locations
event intel_mime_data(f: fa_file, data: string) event intel_mime_data(f: fa_file, data: string)
{ {
if ( ! f?$conns ) return; if ( ! f?$conns )
return;
for ( cid in f$conns ) for ( cid in f$conns )
{ {
@ -21,11 +22,8 @@ event intel_mime_data(f: fa_file, data: string)
} }
} }
event file_new(f: fa_file) &priority=5 event file_new(f: fa_file)
{ {
if ( ! f?$source ) return; if ( f$source == "SMTP" )
if ( f$source != "SMTP" ) return; Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
Files::add_analyzer(f, [$tag=Files::ANALYZER_DATA_EVENT,
$stream_event=intel_mime_data]);
} }