Email Attachment Processing with Bro
Malware that spreads via email is nothing new. Targeted attacks in particular, such as those against politically sensitive institutions or individuals, consist of carefully socially engineered mails and often ship custom 0-day malware in the form of email attachments. In order to extract such malicious attachments, I wrote a Bro policy script which records suspicious attachments to disk for later analysis. A possible application scenario would be to scan office documents for malicious JavaScript or executables for viruses. Another option would be hashing the attachment directly in Bro and comparing it against a publicly available registry, such as Seth Hall illustrates for HTTP traffic.
The script to extract attachments works by registering a callback handler for the Content-Type header in an SMTP session. Then both the MIME type and the name of the attachment are examined. If either looks suspicious, Bro generates a SensitiveMIMEType or SensitiveExtension NOTICE.
The user can customize the analyzer behavior in many ways. To change the directory where the attachments are stored on disk, one can redefine the attachment_dir variable:
redef Email::attachment_dir = "foo";
The script stores the attachments by default, but this behavior can easily be changed via:
# Whether attachments with sensitive MIME types should be stored.
redef Email::store_sensitive_mime_types = F;
# Whether attachments with sensitive file extensions should be stored.
redef Email::store_sensitive_extensions = F;
It is also possible to restrict or extend the regular expression used to determine whether an attachment is sensitive or not:
# Deem only application\/octet-stream as suspicious.
redef Email::sensitive_mime_types = /application\/octet-stream/;
# Restrict sensitive extensions to office documents and executables.
redef Email::sensitive_extensions =
/[pP][dD][fF]$/
| /[dD][oO][cC][xX]?$/
| /[xX][lL][sS]$/
| /[pP][pP][sStT]$/
| /[eE][xX][eE]$/
| /[cC][oO][mM]$/
| /[bB][aA][tT]$/;
The script generates a file of the form ID-filename, where ID is a unique attachment ID that is monotonically increasing and filename is the name of the attachment, or just the MIME type if the attachment does not have a name.
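To make the decision logic concrete, here is an added Python port of the three pieces described above (the Content-Type inspection with the two NOTICE types, the redef-able store flags and patterns, and the ID-filename naming scheme), followed by the SHA-256 hashing mentioned earlier for registry lookups. This is example code written for this page, not the Bro script itself; the regular expressions are the ones shown above translated to Python, the sample Content-Type headers and bodies are constructed, and the stripping of directory components from attachment names before writing to attachment_dir is an added defensive assumption.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from itertools import count
from pathlib import Path
from typing import List, Optional

# Python ports of the Bro patterns shown above; Bro's "pattern in string"
# is an unanchored search, so re.search is the matching Python operation.
SENSITIVE_MIME_TYPES = re.compile(r"application/octet-stream")
SENSITIVE_EXTENSIONS = re.compile(
    r"[pP][dD][fF]$|[dD][oO][cC][xX]?$|[xX][lL][sS]$|[pP][pP][sStT]$"
    r"|[eE][xX][eE]$|[cC][oO][mM]$|[bB][aA][tT]$"
)


@dataclass
class Result:
    mime_type: str
    name: Optional[str]
    notices: List[str]        # SensitiveMIMEType / SensitiveExtension
    path: Optional[Path]      # where the bytes were stored, or None
    sha256: Optional[str]     # digest for lookup in a hash registry


def parse_content_type(value: str):
    """Split a Content-Type header value into (mime_type, name parameter)."""
    parts = [p.strip() for p in value.split(";")]
    mime_type = parts[0].lower()  # MIME types are case-insensitive (RFC 2045)
    name = None
    for param in parts[1:]:
        key, sep, val = param.partition("=")
        if sep and key.strip().lower() == "name":
            name = val.strip().strip('"')
    return mime_type, name


def classify(mime_type: str, name: Optional[str]) -> List[str]:
    """Notices the script would raise for this MIME type / attachment name."""
    notices = []
    if SENSITIVE_MIME_TYPES.search(mime_type):
        notices.append("SensitiveMIMEType")
    if name and SENSITIVE_EXTENSIONS.search(name):
        notices.append("SensitiveExtension")
    return notices


def output_name(attachment_id: int, mime_type: str, name: Optional[str]) -> str:
    """ID-filename, with the MIME type standing in when there is no name."""
    base = name if name else mime_type.replace("/", "_")
    # Attachment names are attacker-controlled (assumption added here): keep
    # only the final path component so "../../x.doc" cannot escape attachment_dir.
    return f"{attachment_id}-{os.path.basename(base)}"


def sha256_hex(data: bytes) -> str:
    """Digest to compare against a hash registry of known malware."""
    return hashlib.sha256(data).hexdigest()


class AttachmentExtractor:
    """Mirrors the page's redef-able knobs as constructor arguments."""

    def __init__(self, attachment_dir, store_sensitive_mime_types: bool = True,
                 store_sensitive_extensions: bool = True):
        self.attachment_dir = Path(attachment_dir)
        self.store_sensitive_mime_types = store_sensitive_mime_types
        self.store_sensitive_extensions = store_sensitive_extensions
        self._ids = count(1)  # monotonically increasing attachment ID

    def process(self, content_type: str, data: bytes) -> Result:
        mime_type, name = parse_content_type(content_type)
        notices = classify(mime_type, name)
        store = (("SensitiveMIMEType" in notices and self.store_sensitive_mime_types)
                 or ("SensitiveExtension" in notices and self.store_sensitive_extensions))
        if not store:  # notice (if any) is raised, but nothing is written to disk
            return Result(mime_type, name, notices, None, None)
        self.attachment_dir.mkdir(parents=True, exist_ok=True)
        path = self.attachment_dir / output_name(next(self._ids), mime_type, name)
        path.write_bytes(data)
        return Result(mime_type, name, notices, path, sha256_hex(data))


# Constructed sample Content-Type headers and bodies, not captured traffic.
SAMPLE_ATTACHMENTS = [
    ('application/pdf; name="quarterly_report.PDF"', b"%PDF-1.4 constructed sample"),
    ("application/octet-stream", b"MZ\x90\x00 constructed sample"),
    ('text/plain; name="readme.txt"', b"nothing to see here"),
    ('application/msword; name="../../etc/passwd.doc"', b"\xd0\xcf\x11\xe0 constructed"),
]


def run_demo(attachment_dir: Optional[str] = None) -> List[Result]:
    """Feed the samples through the extractor (into a temp dir by default)."""
    extractor = AttachmentExtractor(attachment_dir or tempfile.mkdtemp())
    return [extractor.process(ct, body) for ct, body in SAMPLE_ATTACHMENTS]


if __name__ == "__main__":
    for r in run_demo():
        print(r.notices, r.path, r.sha256)
```

Running the demo stores the PDF (by extension), the nameless octet-stream body (by MIME type, filed as application_octet-stream) and the .doc, while the plain-text readme raises no notice and is left alone; the store flags only suppress writing, the NOTICE classification is unchanged.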
The script is part of the Bro scripts git repository where you can always download the most recent version.