base/protocols/smtp/main.bro¶
-
SMTP¶
| Namespace: | SMTP |
|---|---|
| Imports: | base/utils/addrs.bro, base/utils/directions-and-hosts.bro, base/utils/email.bro |
| Source File: | /scripts/base/protocols/smtp/main.bro |
Summary¶
Runtime Options¶
SMTP::mail_path_capture: Host &redef |
Direction to capture the full “Received from” path. |
Types¶
SMTP::Info: record |
|
SMTP::State: record |
Redefinitions¶
Log::ID: enum |
|
connection: record |
|
likely_server_ports: set &redef |
Events¶
SMTP::log_smtp: event |
Functions¶
SMTP::describe: function |
Create an extremely shortened representation of a log line. |
Detailed Interface¶
Runtime Options¶
-
SMTP::mail_path_capture¶ Type: HostAttributes: &redefDefault: ALL_HOSTS- Direction to capture the full “Received from” path.
- REMOTE_HOSTS - only capture the path until an internal host is found. LOCAL_HOSTS - only capture the path until the external host is discovered. ALL_HOSTS - always capture the entire path. NO_HOSTS - never capture the path.
Types¶
-
SMTP::Info¶ Type: - ts:
time&log Time when the message was first seen.
- uid:
string&log Unique ID for the connection.
- id:
conn_id&log The connection’s 4-tuple of endpoint addresses/ports.
- trans_depth:
count&log A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.
- helo:
string&log&optional Contents of the Helo header.
- mailfrom:
string&log&optional Email addresses found in the From header.
- rcptto:
set[string]&log&optional Email addresses found in the Rcpt header.
- date:
string&log&optional Contents of the Date header.
- from:
string&log&optional Contents of the From header.
- to:
set[string]&log&optional Contents of the To header.
- cc:
set[string]&log&optional Contents of the CC header.
- reply_to:
string&log&optional Contents of the ReplyTo header.
- msg_id:
string&log&optional Contents of the MsgID header.
- in_reply_to:
string&log&optional Contents of the In-Reply-To header.
- subject:
string&log&optional Contents of the Subject header.
- x_originating_ip:
addr&log&optional Contents of the X-Originating-IP header.
- first_received:
string&log&optional Contents of the first Received header.
- second_received:
string&log&optional Contents of the second Received header.
- last_reply:
string&log&optional The last message that the server sent to the client.
- path:
vectorofaddr&log&optional The message transmission path, as extracted from the headers.
- user_agent:
string&log&optional Value of the User-Agent header from the client.
- tls:
bool&log&default=F&optional Indicates that the connection has switched to using TLS.
- process_received_from:
bool&default=T&optional Indicates if the “Received: from” headers should still be processed.
- has_client_activity:
bool&default=F&optional Indicates if client activity has been seen, but not yet logged.
- entity:
SMTP::Entity&optional (present if base/protocols/smtp/entities.bro is loaded)
The current entity being seen.
- fuids:
vectorofstring&log&default=[]&optional (present if base/protocols/smtp/files.bro is loaded)
An ordered vector of file unique IDs seen attached to the message.
- is_webmail:
bool&log&default=F&optional (present if policy/protocols/smtp/software.bro is loaded)
Boolean indicator of if the message was sent through a webmail interface.
- ts:
-
SMTP::State¶ Type: - messages_transferred:
count&default=0&optional Count the number of individual messages transmitted during this SMTP session. Note, this is not the number of recipients, but the number of message bodies transferred.
pending_messages:
set[SMTP::Info]&optional- mime_depth:
count&default=0&optional (present if base/protocols/smtp/entities.bro is loaded)
Track the number of MIME encoded files transferred during a session.
- messages_transferred:
Events¶
-
SMTP::log_smtp¶ Type: event(rec:SMTP::Info)
Functions¶
-
SMTP::describe¶ Type: function(rec:SMTP::Info) :stringCreate an extremely shortened representation of a log line.
