Bro-IDS SMTP file extraction script, first attempt:
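# Map of MIME types we want extracted to the file extension used on disk.
# NOTE(review): in Bro's file framework f$mime_type is determined from the
# file's content, not from the Content-Type header the sender declared, so a
# renamed attachment is still classified by what it actually is — confirm for
# your Bro version.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/zip"]       = "zip",
    # application/msword is Word, not Excel: the original mapped it to "xls",
    # which mislabels extracted .doc files. (Excel is application/vnd.ms-excel.)
    ["application/msword"]    = "doc",
};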
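# Attach the extraction analyzer to every new SMTP-borne file whose sniffed
# MIME type is a key of ext_map.  The extracted copy is named
# <source>-<file id>.<ext> and written to Bro's extraction directory.
#
# Operational caveats:
#   - f$id is generated by Bro, so the filename itself is not attacker
#     controlled, but the *contents* are: treat extracted files as hostile
#     (dedicated non-executable directory, never opened automatically).
#   - No size limit is set here, so a matching attachment is written to disk
#     in full. Later Bro/Zeek releases expose a limit on the extract analyzer;
#     verify for your version before relying on it.
#   - NOTE(review): later Zeek releases only populate f$mime_type at
#     file_sniff, not at file_new — on those this handler never matches.
event file_new(f: fa_file)
    {
    # Only files carried over SMTP are of interest.
    if ( f$source != "SMTP" )
        return;

    # Skip files with no detected MIME type, or one we do not extract.
    if ( ! f?$mime_type || f$mime_type !in ext_map )
        return;

    # Past the guard the type is known to be present and mapped, so the
    # original's second f?$mime_type check and "" fallback were dead code.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[f$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }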