Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 08:08:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixed SMTP URL extraction for the Intel framework with Files updates.

Browse source
This commit is contained in:
Seth Hall 2013-07-09 11:51:23 -04:00
parent cdf6b7864e
commit ecfac31de0
1 changed files with 6 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/policy/frameworks/intel/smtp-url-extraction.bro
View file

@ -1,11 +1,12 @@
@load base/frameworks/intel
@load base/protocols/smtp/file-analysis
@load base/protocols/smtp
@load base/utils/urls
@load ./where-locations
event intel_mime_data(f: fa_file, data: string)
{
if ( ! f?$conns ) return;
if ( ! f?$conns )
return;
for ( cid in f$conns )
{
@ -21,11 +22,8 @@ event intel_mime_data(f: fa_file, data: string)
}
}
event file_new(f: fa_file) &priority=5
event file_new(f: fa_file)
{
if ( ! f?$source ) return;
if ( f$source != "SMTP" ) return;
Files::add_analyzer(f, [$tag=Files::ANALYZER_DATA_EVENT,
$stream_event=intel_mime_data]);
if ( f$source == "SMTP" )
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
}