Email Attachment Processing with Bro

2009-08-16 2011-04-13
bro email intrusion detection SMTP traffic analysis

Malware that spreads via email is nothing new. Targeted attacks against politically sensitive institutions or individuals in particular consist of carefully socially engineered mails that often carry custom 0-day malware as email attachments. In order to extract such malicious attachments, I wrote a Bro policy script which records suspicious attachments to disk for later analysis. A possible application scenario would be to scan office documents for malicious JavaScript, or executables for viruses. Another option would be hashing the attachment directly in Bro and comparing the hash against a publicly available registry, as Seth Hall illustrates for HTTP traffic.

The script to extract attachments works by registering a callback handler for the Content-Type header in an SMTP session. Then both the MIME type and the name of the attachment are examined. If either looks suspicious, Bro generates a SensitiveMIMEType or SensitiveExtension NOTICE. The user can customize the analyzer behavior in many ways. To change the directory where the attachments are stored on disk, one can redefine the attachment_dir variable:

redef Email::attachment_dir = "foo";

The script stores the attachments by default, but this behavior can easily be changed via:

# Whether attachments with sensitive MIME types should be stored.
redef Email::store_sensitive_mime_types = F;

# Whether attachments with sensitive file extensions should be stored.
redef Email::store_sensitive_extensions = F;

It is also possible to restrict or extend the regular expression used to determine whether an attachment is sensitive or not:

# Deem only application/octet-stream as suspicious.
redef Email::sensitive_mime_types = /application\/octet-stream/;

# Restrict sensitive extensions to office documents and executables.
# Patterns are combined with the pattern disjunction operator; the first
# alternative must not be preceded by "|".
redef Email::sensitive_extensions =
    /[dD][oO][cC][xX]?$/
  | /[xX][lL][sS]$/
  | /[pP][pP][sStT]$/
  | /[eE][xX][eE]$/
  | /[cC][oO][mM]$/
  | /[bB][aA][tT]$/;

The script writes each extracted attachment to a file named ID-filename, where ID is a unique, monotonically increasing attachment ID and filename is the name of the attachment, or just its MIME type if the attachment has no name.
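To make the decision logic above concrete, here is an added Python example (not the Bro policy script from this post, and not run inside Bro) that walks the MIME parts of a complete message, raises the two notice kinds when the Content-Type or the attachment name matches a sensitive pattern, honours the two store_* switches, and names stored parts ID-filename. The regex defaults, the in-memory stand-in for attachment_dir, the sanitisation of attacker-supplied filenames, and the sample message are all assumptions of this example; the post does not list the script's actual default patterns or say how it handles odd filenames.

```python
"""Classify and extract e-mail attachments from a raw message (added example)."""
import email
import hashlib
import os
import re
from email import policy
from email.message import EmailMessage

# Assumed defaults; the post only shows how to redefine these, not their values.
SENSITIVE_MIME_TYPES = re.compile(
    r"^application/(octet-stream|x-msdownload|x-dosexec|msword|vnd\.ms-excel)$", re.I)
SENSITIVE_EXTENSIONS = re.compile(r"\.(docx?|xls|pp[st]|exe|com|bat)$", re.I)


class AttachmentExtractor:
    """Holds the same state the Bro script keeps: a monotonically increasing
    attachment ID, the notices raised, and the files destined for attachment_dir."""

    def __init__(self, attachment_dir="attachments", store_sensitive_mime_types=True,
                 store_sensitive_extensions=True, write_to_disk=False):
        self.attachment_dir = attachment_dir
        self.store_sensitive_mime_types = store_sensitive_mime_types
        self.store_sensitive_extensions = store_sensitive_extensions
        self.write_to_disk = write_to_disk   # False keeps everything in self.stored
        self.next_id = 0
        self.notices = []                    # (notice, mime_type, filename)
        self.stored = {}                     # "ID-filename" -> raw bytes

    def process(self, raw_message):
        msg = email.message_from_bytes(raw_message, policy=policy.default)
        for part in msg.walk():
            if not part.is_multipart():      # containers carry no payload themselves
                self._examine(part)

    def _examine(self, part):
        mime_type = part.get_content_type()
        name = part.get_filename()
        store = False
        if SENSITIVE_MIME_TYPES.search(mime_type):
            self.notices.append(("SensitiveMIMEType", mime_type, name))
            store |= self.store_sensitive_mime_types
        if name and SENSITIVE_EXTENSIONS.search(name):
            self.notices.append(("SensitiveExtension", mime_type, name))
            store |= self.store_sensitive_extensions
        if store:
            self._store(part, mime_type, name)

    def _store(self, part, mime_type, name):
        # The filename is attacker-controlled: keep only its base name so a value
        # like "../../x" cannot escape attachment_dir, and replace the "/" of a bare
        # MIME type (assumption: the post does not say how the Bro script does this).
        label = os.path.basename(name) if name else mime_type.replace("/", "_")
        label = re.sub(r"[^A-Za-z0-9._-]", "_", label) or "attachment"
        fname = f"{self.next_id}-{label}"
        self.next_id += 1
        data = part.get_payload(decode=True) or b""
        self.stored[fname] = data
        if self.write_to_disk:
            os.makedirs(self.attachment_dir, exist_ok=True)
            with open(os.path.join(self.attachment_dir, fname), "wb") as fh:
                fh.write(data)

    def hashes(self):
        """SHA-256 per stored attachment, ready for lookup in a hash registry."""
        return {f: hashlib.sha256(d).hexdigest() for f, d in self.stored.items()}


def make_message(attachments):
    """Constructed sample input: a text body plus (data, maintype, subtype, filename)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Agenda for the meeting"
    msg.set_content("Please see the attached documents.")
    for data, maintype, subtype, filename in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_message():
    """Constructed: a generic-typed executable, a Word file, an unnamed blob, an image."""
    return make_message([
        (b"MZ\x90\x00fake-executable", "application", "octet-stream", "agenda.exe"),
        (b"\xd0\xcf\x11\xe0fake-word-doc", "application", "msword", "minutes.doc"),
        (b"\x00\x01\x02\x03", "application", "octet-stream", None),
        (b"\x89PNGfake", "image", "png", "logo.png"),
    ])


if __name__ == "__main__":
    ex = AttachmentExtractor(attachment_dir="foo")
    ex.process(build_sample_message())
    for notice in ex.notices:
        print("NOTICE", *notice)
    for fname, digest in ex.hashes().items():
        print(fname, len(ex.stored[fname]), "bytes", digest)
```

Running it yields two notices for agenda.exe, two for minutes.doc and one for the unnamed octet-stream part, and stores them as 0-agenda.exe, 1-minutes.doc and 2-application_octet-stream; the PNG is left alone. Unlike the Bro script, which acts on a live SMTP stream from the Content-Type callback, this reads a complete message after the fact, so it cannot stop delivery; the base-name step matters for either design because the name in Content-Disposition is chosen by the sender.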

The script is part of the Bro scripts git repository where you can always download the most recent version.
