mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
9b444b2617
- Intel importing format has changed (refer to docs). - All string matching is now case insensitive. - SMTP intel script has been updated to extract email addresses correctly. - Small fix sneaking into the smtp base script to actually extract individual email addresses in the To: field correctly.
31 lines
741 B
Text
31 lines
741 B
Text
@load base/frameworks/intel
|
|
@load base/protocols/smtp/file-analysis
|
|
@load base/utils/urls
|
|
@load ./where-locations
|
|
|
|
event intel_mime_data(f: fa_file, data: string)
|
|
{
|
|
if ( ! f?$conns ) return;
|
|
|
|
for ( cid in f$conns )
|
|
{
|
|
local c: connection = f$conns[cid];
|
|
local urls = find_all_urls_without_scheme(data);
|
|
for ( url in urls )
|
|
{
|
|
Intel::seen([$indicator=url,
|
|
$indicator_type=Intel::URL,
|
|
$conn=c,
|
|
$where=SMTP::IN_MESSAGE]);
|
|
}
|
|
}
|
|
}
|
|
|
|
event file_new(f: fa_file) &priority=5
|
|
{
|
|
if ( ! f?$source ) return;
|
|
if ( f$source != "SMTP" ) return;
|
|
|
|
FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_DATA_EVENT,
|
|
$stream_event=intel_mime_data]);
|
|
}
|